Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Authenticating from MAC address is not working correctly

  • 1.  Authenticating from MAC address is not working correctly

    Posted Dec 18, 2018 02:51 PM

    I have a couple of SSIDs on which we want to authenticate devices with dual authentication:

     

    1.  Preshared key.

    2.  MAC address list.

     

    I have created and researched several cases for this topic and I have not been successful so far.  I am now getting around to actually trying to get the MAC address authentication working as a 2nd layer of authentication.

     

    Previous blogs that I have created and researched include:

     

    https://community.arubanetworks.com/t5/Wireless-Access/Dual-Authentication/td-p/484637

     

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-MAC-based-authentication-on-Aruba/ta-p/182430

     

    https://community.arubanetworks.com/t5/Wireless-Access/How-to-authenticate-devices-to-use-a-WLAN-by-MAC-Address/td-p/480382

     

    The problem that I have is that I have followed the instructions and I can log in to the SSID; but other devices that are not entered in the controller's local user database are still able to get connected.  I only want the MAC addresses in the list to be authenticated, not anything else.  I must be missing something.

     

    Can anyone help?



  • 2.  RE: Authenticating from MAC address is not working correctly

    EMPLOYEE
    Posted Dec 18, 2018 02:54 PM
    And what if I change my MAC address to match one in the list?


  • 3.  RE: Authenticating from MAC address is not working correctly

    Posted Dec 18, 2018 02:55 PM
    Can you share the AAA Profile configuration?



  • 4.  RE: Authenticating from MAC address is not working correctly

    Posted Dec 18, 2018 03:22 PM

    I will try my best here.  We are using version 8.3.0.3.  Mr. Capalli, that is a separate question from this topic.  I am charged with the responsibility to get this done this way.  Alternative options for dual authentication can be addressed in a separate question.  Right now I just need to get this to work this way and then address an alternative topic at another time.  FYI, the only alternate idea I have heard was to use Active Directory; but that is a separate question from here.

     

    1.  I created an L2 Authentication, specifically for MAC Authentication, from the Group Managed Node level (Mobility Master Web User Interface).

         a.  See MAC_Based_Dual.png  attached.

     

    2.  In the WLAN Settings, I enabled the MAC Authentication box from the Security tab in the WLAN configuration.

         a.  See attached MAC_Based_Dual_II.png

         b.  1st dropdown option below the 'Retype' box.

     

    3.  See the Access tab for WLAN has 'guest' for the MAC Authentication role.  MAC_Based_Access_option.png

          a.  The guest role is associated in this picture.

          b.  I wonder if that is the correct setting.

          c.  If I show the local-userdb internal database, all of the MAC addresses are listed in the 'Guest' role.

     

    (XXXXXXXX) [MDC] #show local-userdb


    User Summary
    ------------
    Name Password Role E-Mail Enabled Expiry Status Sponsor-Name Remote-IP Grantor-Name
    ---- -------- ---- ------ ------- ------ ------ ------------ --------- ------------
    test ******** guest Yes Active 0.0.0.0 seamless-logon-w
    XX-XX-XX-XX-XX-XX ******** guest Yes Active 0.0.0.0 seamless-logon-w
    XX-XX-XX-XX-XX-XX ******** guest Yes Active 0.0.0.0 seamless-logon-w
    XX-XX-XX-XX-XX-XX ******** guest Yes Active 0.0.0.0 seamless-logon-w

     

     

    4.  In the 'WLAN' profiles section. MAC Authentication Default Role is 'guest'.  The AAA Profile is named 'XYZ'.

        a.  See attached pic: AAA_web_profile.png.

     

     

    5.  If I use the command line from the MM to the managed node. 

     


    (XXXXXXXX) [XX:XX:XX:XX:XX:XX] (config) #aaa profile XYX
    (XXXXXXXX) ^[XX:XX:XX:XX:XX:XX] (AAA Profile "XYZ") #authentication-mac XYZ_MAC_List
    (XXXXXXXX) ^[XX:XX:XX:XX:XX:XX] (AAA Profile "XYZ") #write memory

     

    Is there any other specific information that you need?  I really do not know how to do this correctly, so I am following the instructions from bloggers the best I can.

     

     

     From the cli of the managed device.

    (XXXXXXXX) [MDC] #show aaa main-profile summary

    AAA Profile summary
    -------------------
    Name      role          mac-auth

    --------     -----------   --------------

    XYZ         logon      XYZ_MAC_List



  • 5.  RE: Authenticating from MAC address is not working correctly

    Posted Dec 18, 2018 03:55 PM
    You need to assign a deny role as your initial role to make sure that if the user enters the PSK but is not listed in the mac db it will not get access.



  • 6.  RE: Authenticating from MAC address is not working correctly

    Posted Dec 18, 2018 04:36 PM

    Hello Victor,

     

     

    Your advice was right on.  I called Aruba support and they walked me through the process.  It is involved and I created notes.  The process has several parts, but from a high-level explanation:

     

    1.  Create an L2 Authentication Profile for MAC Authentication.

    2.  Obtain a list of MAC addresses and add them to the controller's internal database.

          a.  One will need to add the MAC addresses to each controller because the internal db is local.

          b.  Does anyone know of a way to replicate this and to be more efficient?

    3.  Create a new user role to deny all authentication services and to be associated with the SSID's AAA Profile's initial role.

          a.  Create a new ACL to actually deny all source, destination, and services.

          b.  Map the ACL to the new user role (to be used for initial role on the SSID).

    4.  Enable the MAC Authentication on the WLAN (SSID).

          a.  Map the MAC Auth role to the AAA profile (I was shown in the CLI).

     

    This can be very confusing if one has never done this before.  But the more you review it, the more it makes sense.  One will need to manually enable the PEF license for the controller as well.  This feature was not automatically enabled in version 8.0 as it was in earlier versions.
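
The four steps in post 6, written out as ArubaOS 8 CLI with the earlier `logon` initial role noted beside the corrected one. This is an added example, not configuration posted in the thread or supplied by Aruba support: the names `psk-mac-deny-acl` and `psk-mac-deny`, the `delimiter`/`case` values and the sample MAC are assumptions, while `XYZ`, `XYZ_MAC_List` and `guest` are the names used in the thread.

```text
! Added example. Hypothetical names: psk-mac-deny-acl, psk-mac-deny.
! User roles and session ACLs require the PEF license (see post 6).

! 1. L2 authentication profile for MAC authentication.
!    delimiter/case control how the client MAC is presented as a username;
!    they must match the format stored in the internal database.
!    "dash" follows the XX-XX-XX-XX-XX-XX entries in post 4; "upper" is assumed.
aaa authentication mac "XYZ_MAC_List"
    delimiter dash
    case upper
!
! 2. One internal-database entry per permitted device.
!    Exec-mode command, repeated on each controller (the database is local).
!    Username and password are both the MAC; the value below is a placeholder.
local-userdb add username AA-BB-CC-00-00-01 password AA-BB-CC-00-00-01 role guest

! 3. ACL that denies everything, and the role that carries it.
ip access-list session psk-mac-deny-acl
    any any any deny
!
user-role psk-mac-deny
    access-list session psk-mac-deny-acl
!
! 4. AAA profile used by the SSID.
!    Before (post 4 summary): initial role "logon". A client that knows the PSK
!    but fails MAC authentication stays in the initial role, so it still
!    gets whatever that role permits.
!    After: the initial role denies all traffic; only a MAC found in the
!    internal database is moved to mac-default-role.
aaa profile "XYZ"
    initial-role psk-mac-deny
    authentication-mac "XYZ_MAC_List"
    mac-default-role guest
!
! Verification (exec mode): confirm the profile, then check which role
! a listed and an unlisted test client end up in.
show aaa profile XYZ
show user-table
```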