Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Configuration question Aruba IOS 6.1.3.1

Hi all -

 

I'm trying to fix an issue with my essid configurations - I currently have 2 essids:

 

1 - corp - all pcs connect to this network, it's using mac and user authentication thru active directory

2 - mac - all pcs/linux systems connect to this network - it uses the internal database and user auth thru AD

 

So my problem is I need to get everybody using corp and drop the mac essid because of issues with split tunneling on remote APs due to only having 1 profile on the remote AP config (I think that is the only way they can be done - but if I'm wrong - please let me know).

 

So here's the question - in the AAA profiles, I see that there is an L2 Authentication fail thru - if I check that, add the mac authentication profile (for the mac) and the mac authentication server group being local db (just like the mac essid profile is configured) will:

1. All systems work on corp now

2. What kind of access delays can I expect when people are connecting to wireless?

 

Lirria

MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: Configuration question Aruba IOS 6.1.3.1

Why don't you just use 802.1x with EAP PEAP?

 

Depending on the user you can give it a role, or different access to the internal network..


You should be able to put everyone on the CORP SSIDs...

 

You should not use mac authentication... as Aruba recommends against the use of it... just use 802.1x and you should be all good...

If you want really high security use 802.1x TLS.  EAP PEAP would be like a HIGH security....

 

Mac authentication is really easy to crack...

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: Configuration question Aruba IOS 6.1.3.1

I realize that mac authentication can be forged - so we also require AD user name/password for the Mac/Linux clients because they are not part of the domain.

 

For the PCs we use machine auth and AD user name/password for a double check.

 

Both are using EAP-PEAP.

 

User roles are based on passing both authentication checks for the systems (and yes we do monitor for mac spoofing).

 

I unfortunately need to have 2 checks on each type of system to be allowed on the network and that is where my problem is coming from. If you can provide another method of ensuring 2 checks I would appreciate it.

 

Do you happen to know the repercussions of checking the L2 authentication fail through in this situation?

 

Lirria

MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: Configuration question Aruba IOS 6.1.3.1

Yes, there are other methods, but your issue is Linux clients...

 

If you had all Windows, you could do computer authentication... which will check if the computer is in the Active Directory group you select on the NPS...

 

Another method of validating (not really, but I'll still tell you):

You can tell the Aruba controller that if the user is not using DHCP it won't let the user connect... with the DHCP Enforcement...

 

We were also asked for 2 methods of authentication in a bank, but they are all Windows... so I was able to do it with the computer enforcement... but in your case you've got Linux clients, right?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: Configuration question Aruba IOS 6.1.3.1

Yes, unfortunately I have Linux and Macintosh clients that I have to allow full access to the network - the Windows systems work wonderfully.

 

Lirria

MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: Configuration question Aruba IOS 6.1.3.1

It looks like you have no other option than also using mac authentication....

But you will only be able to add 4000 entries to it.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: Configuration question Aruba IOS 6.1.3.1

That's fine - right now I have less than 100 systems to manage that way so it's been pretty easy. Any thoughts on how to configure the profile so that both mac authentication and machine authentication can work using the same ssid? I've only been able to get it to work on 2 different ssids.

 

Lirria

MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: Configuration question Aruba IOS 6.1.3.1

When you say machine authentication, do you mean 802.1x EAP PEAP? Because there you are not authenticating the machine, you are authenticating the user.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Frequent Contributor II
Posts: 169
Registered: ‎11-18-2011

Re: Configuration question Aruba IOS 6.1.3.1

I use both machine auth and eap/peap to authenticate both the machine and the user.

 

Lirria

MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: Configuration question Aruba IOS 6.1.3.1

Really?

I didn't know you could do that.

I mean you can authenticate machines, but with the enforce machine, and it works with the AD and NPS.

How do you authenticate machines without the enforce machine? I mean with Linux computers?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp