Wireless Access

Occasional Contributor II
Posts: 11
Registered: 02-24-2016

Dual authentication - MAC and Active Directory

Currently we have five SSIDs:

Guest - captive portal authentication to a guest VLAN

Device - MAC authentication via the internal DB to the same guest VLAN (for Blu-Ray players and other devices that can't do the captive portal)

Kiosk - MAC authentication via RADIUS/Active Directory to the internal LAN

HC - 802.1x Active Directory authentication through RADIUS to the internal LAN

Rehab - MAC authentication to the internal LAN (same as Kiosk, SSID still exists for legacy reasons only)

I would like to consolidate to two SSIDs:

Public - authenticate via MAC->Internal DB or captive portal

Private - authenticate via MAC->RADIUS->AD, or via 802.1x->Radius>AD

The idea behind this Private authentication scheme is that we can either pre-configure tablets for wireless authentication before shipping them out to our various locations, or people can BYOD and get on the internal network with their normal AD credentials

I'm currently testing this in a lab environment. Public is working exactly the way I want it to, no issues. Public does not work. Depending on configuration, I either get the captive portal instead of 802.1x authentication, or I am completely unable to connect to the network at all.

I have a case open, and have not yet gotten a resolution.

Relevant config:

ap-group "DualSSIDTest"
virtual-ap "EmpResPublic"
virtual-ap "EmpResPrivate"
dot11a-traffic-mgmt-profile "TM-default"
dot11g-traffic-mgmt-profile "TM-default"

wlan virtual-ap "EmpResPrivate"
aaa-profile "EmpResPrivate"
ssid-profile "EmpResPrivate"
vlan 101
band-steering
dynamic-mcast-optimization
broadcast-filter all

wlan virtual-ap "EmpResPublic"
aaa-profile "EmpResPublic"
ssid-profile "EmpResPublic"
vlan 102
band-steering
dynamic-mcast-optimization
broadcast-filter all

aaa profile "EmpResPrivate"
authentication-mac "KioskDevice-macauth-profile"
mac-server-group "EmpResKiosk-group"
authentication-dot1x "EmpResHC-dot1x_prof"
dot1x-default-role "authenticated"
dot1x-server-group "EmpResHC"
l2-auth-fail-through

aaa server-group "EmpResKiosk-group"
allow-fail-through
auth-server Internal
auth-server Radius01-MacAuth
auth-server Radius02-MacAuth

aaa server-group "EmpResHC"
auth-server Radius01
auth-server Radius02

aaa profile "EmpResPublic"
initial-role "guest-logon"
authentication-mac "Device"
mac-server-group "Device"
l2-auth-fail-through

aaa server-group "Device"
auth-server internal

Guru Elite
Posts: 8,460
Registered: 09-08-2010

Re: Dual authentication - MAC and Active Directory

You can use MAC as authorization source with 802.1X but you cannot use non-1X devices on a 1X SSID. 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
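Added example, not part of either post and not an Aruba tool: a small Python parser for the ArubaOS-style config fragment quoted above. It resolves each virtual-ap in the ap-group to its AAA profile and server groups, flags dangling references, and flags the case the reply describes (an AAA profile that pairs MAC authentication with 802.1X, which still requires every client to speak 802.1X). The block names, the sample config text and the check names are taken from the post; the parser itself and its finding strings are this example's own assumptions.

```python
"""Parse an ArubaOS-style config fragment and check how each SSID's AAA
profile chains MAC authentication, 802.1X and server groups.
Hypothetical helper written for this thread, not Aruba software."""
from collections import defaultdict

# Sample input: the config blocks exactly as quoted in the original post.
SAMPLE_CONFIG = """\
ap-group "DualSSIDTest"
virtual-ap "EmpResPublic"
virtual-ap "EmpResPrivate"
dot11a-traffic-mgmt-profile "TM-default"
dot11g-traffic-mgmt-profile "TM-default"

wlan virtual-ap "EmpResPrivate"
aaa-profile "EmpResPrivate"
ssid-profile "EmpResPrivate"
vlan 101
band-steering
dynamic-mcast-optimization
broadcast-filter all

wlan virtual-ap "EmpResPublic"
aaa-profile "EmpResPublic"
ssid-profile "EmpResPublic"
vlan 102
band-steering
dynamic-mcast-optimization
broadcast-filter all

aaa profile "EmpResPrivate"
authentication-mac "KioskDevice-macauth-profile"
mac-server-group "EmpResKiosk-group"
authentication-dot1x "EmpResHC-dot1x_prof"
dot1x-default-role "authenticated"
dot1x-server-group "EmpResHC"
l2-auth-fail-through

aaa server-group "EmpResKiosk-group"
allow-fail-through
auth-server Internal
auth-server Radius01-MacAuth
auth-server Radius02-MacAuth

aaa server-group "EmpResHC"
auth-server Radius01
auth-server Radius02

aaa profile "EmpResPublic"
initial-role "guest-logon"
authentication-mac "Device"
mac-server-group "Device"
l2-auth-fail-through

aaa server-group "Device"
auth-server internal
"""

# Block header keywords the parser recognises, mapped to a kind label.
BLOCK_KINDS = {
    "ap-group": "ap-group",
    "wlan virtual-ap": "virtual-ap",
    "aaa profile": "aaa-profile",
    "aaa server-group": "server-group",
}


def parse_config(text):
    """Return {(kind, name): {attribute: [values]}}; bare flags get value ''."""
    blocks = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line ends the current block
            continue
        for prefix, kind in BLOCK_KINDS.items():
            if line.startswith(prefix + " "):
                name = line[len(prefix):].strip().strip('"')
                current = blocks.setdefault((kind, name), defaultdict(list))
                break
        else:
            if current is None:
                continue  # attribute line outside any block: ignore it
            key, _, value = line.partition(" ")
            current[key].append(value.strip().strip('"'))
    return blocks


def check_wiring(blocks, ap_group):
    """Resolve every virtual-ap in ap_group and return a list of findings."""
    findings = []
    group = blocks.get(("ap-group", ap_group))
    if group is None:
        return [f"ap-group {ap_group}: not defined"]
    for vap_name in group.get("virtual-ap", []):
        vap = blocks.get(("virtual-ap", vap_name))
        if vap is None:
            findings.append(f"{vap_name}: virtual-ap not defined")
            continue
        prof_name = vap.get("aaa-profile", [None])[0]
        prof = blocks.get(("aaa-profile", prof_name))
        if prof is None:
            findings.append(f"{vap_name}: aaa profile {prof_name} not defined")
            continue
        # Dangling server-group references are the first thing to rule out.
        for key in ("mac-server-group", "dot1x-server-group"):
            for sg in prof.get(key, []):
                if ("server-group", sg) not in blocks:
                    findings.append(f"{vap_name}: {key} {sg} not defined")
        # The reply's point: MAC auth beside 802.1X only adds an authorization
        # step; a client that cannot do 802.1X still cannot join this SSID.
        if "authentication-mac" in prof and "authentication-dot1x" in prof:
            findings.append(
                f"{vap_name}: aaa profile {prof_name} combines MAC auth and "
                "802.1X; non-802.1X clients cannot join even with l2-auth-fail-through")
        # A multi-server MAC group without allow-fail-through stops at the
        # first reject instead of consulting the next server.
        for sg in prof.get("mac-server-group", []):
            sg_block = blocks.get(("server-group", sg))
            if sg_block is None:
                continue
            servers = sg_block.get("auth-server", [])
            if len(servers) > 1 and "allow-fail-through" not in sg_block:
                findings.append(f"{vap_name}: mac-server-group {sg} has "
                                f"{len(servers)} servers but no allow-fail-through")
    return findings


if __name__ == "__main__":
    for finding in check_wiring(parse_config(SAMPLE_CONFIG), "DualSSIDTest"):
        print(finding)
```

Run against the quoted config, the only finding is for EmpResPrivate: its AAA profile pairs MAC auth with 802.1X, which is the mix the reply says cannot serve non-802.1X devices. EmpResPublic produces no finding, matching the poster's report that it works, and all server-group references resolve.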