Occasional Contributor II

External MAC-Database

Hi,

 

at the moment I am using the internal database for the MAC-Authentication.

Now I want to use an external database - can you tell me what types of databases are supported? And how to configure them?

 

Thanks 

Guru Elite

Re: External MAC-Database

You could set up either a radius or ldap server with the username and password as the mac address.

 

- Define that LDAP or Radius server in Aruba and add it to a server group.  

- Create a mac address authentication profile to match the format you have in your database and that is how Aruba will send it.

- Add the server group you created in the first step to the AAA profile

- Add the mac authentication profile to the same AAA profile

 

The Aruba controller will now send the mac address as a username and password to the Radius or LDAP server you defined, in the format you define.  If the LDAP or radius server returns with a positive, the device will get the mac authentication role in the AAA profile.  

 

If the mac address does NOT pass authentication, processing will stop and the device will not be able to connect. If you have layer 2 passthrough on, processing will continue.  The only exception is if you are using an open SSID, and mac auth fails, the device will remain in the Initial Role of the AAA profile.

 

I hope that makes sense.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
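The external server only answers positively if the stored username and password are character-for-character what the controller sends, so the delimiter and case of the MAC authentication profile have to match the database. The following is an added example, not part of the original thread: it rewrites an inventory list into one chosen format and flags entries that would never match. The delimiter labels and the sample addresses are this example's own.

```python
import re

# Delimiter labels are this example's own names, not controller keywords.
DELIMITERS = {"none": "", "colon": ":", "dash": "-"}

def format_mac(raw, delimiter="none", upper=False):
    """Rewrite a MAC in the chosen delimiter and case, or raise ValueError."""
    digits = re.sub(r"[\s:.\-]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    digits = digits.upper() if upper else digits.lower()
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    return DELIMITERS[delimiter].join(octets)

def build_accounts(inventory, delimiter="none", upper=False):
    """Turn inventory MACs into the username/password strings to store.

    Returns (accounts, problems): accounts is a sorted list of unique
    formatted MACs, problems is a list of (raw entry, reason) to review.
    """
    accounts, problems = set(), []
    for raw in inventory:
        try:
            mac = format_mac(raw, delimiter, upper)
        except ValueError as exc:
            problems.append((raw, str(exc)))
            continue
        first_octet = int(format_mac(raw)[:2], 16)
        if first_octet & 0x01:  # group bit: never a client's own address
            problems.append((raw, "multicast bit set, not a station address"))
            continue
        if first_octet & 0x02:  # locally administered: randomized or overridden
            problems.append((raw, "locally administered address"))
        if mac in accounts:
            problems.append((raw, "duplicate of an earlier entry"))
        accounts.add(mac)
    return sorted(accounts), problems

# Constructed sample inventory (not real devices).
SAMPLE = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5e", "00-1A-2B-3C-4D-5F",
          "DA:A1:19:00:00:01", "00:1A:2B:3C:4D", "01:00:5E:00:00:FB"]

if __name__ == "__main__":
    accounts, problems = build_accounts(SAMPLE, delimiter="none", upper=True)
    print("accounts:", accounts)
    for raw, reason in problems:
        print(f"review {raw}: {reason}")
```
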

Occasional Contributor II

Re: External MAC-Database

Hi,

 

thank you for your reply!

 


cjoseph wrote:

The Aruba controller will now send the mac address as a username and password to the Radius or LDAP server you defined, in the format you define.  If the LDAP or radius server returns with a positive, the device will get the mac authentication role in the AAA profile.  


Where should I define the username and password? As an Active Directory - Useraccount?

Is it possible to save the MAC-Address in an SQL-Database or something like this?

 


 

Guru Elite

Re: External MAC-Database



As an active directory user account, yes.

 

You can save the username and password in an SQL database if you have a radius server between the Aruba controller and SQL database providing the translation for you.

 



Colin Joseph
Aruba Customer Engineering


New Contributor

Re: External MAC-Database

Hi,

 

Is there a "how to" guide or blog? :) Particularly when using internal or external databases for mac-authentication.

 

Thanks

 

 

Guru Elite

Re: External MAC-Database



No blog, but you would define your external Radius Server in the controller as the Mac Authentication Radius Server group in the AAA profile.  Also you would define the mac authentication profile which would say the format that the mac addresses are stored in.

 

Last but not least, if your radius server is capable, you would point your radius server at some external database.  Finding out if your radius server is capable of external SQL queries and how to configure it to connect to SQL is outside the scope of this post.  You would have to contact your radius server manufacturer.

 



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II

Re: External MAC-Database

Another solution I learned about recently is to use clearpass and its internal database to store the mac addresses. You can have multiple clearpass servers for redundancy and performance if desired.  We have several thousand mac addresses stored in the internal db of the controllers - on three separate sets of controllers - so we are looking at moving to an external database just like you.

 

New Contributor

Re: External MAC-Database

Morning guys,

 

I have followed the directions in this thread and a couple of others, but am still having problems getting mac authentication to work with my external radius server. I hope someone here can help me out with the directions or settings that I need to get this system up and running.

 

This is how my system is currently trying to connect:

 

Chromebook --> Aruba 105 --> Aruba Controller 3400 --> Server 2012 running NPS --> Active Directory with Chromebook MAC as name and password all in caps

 

I have chosen to not use certificate authentication on the RADIUS server like many of the walkthroughs on this site have shown. That being said, after following the rest of the steps I have gotten the Aruba controller to authenticate a MAC user name and pass manually on the Diagnostics page. I also see on the RADIUS server that the controller is passing info from the chromebooks but they are still not able to connect. Does anybody have an idea of what I should do next?

 

Here is the link I followed (and many others just like it) to get my system set up to the point I am at now. Instead of issuing a certificate to the RADIUS server in step 2 I chose to use Microsoft: Secured password (EAP-MSCHAP v2). Besides that all other steps were followed to a "T".

 

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Radius-Server/td-p/34433

Guru Elite

Re: External MAC-Database



There are quite a few reasons why this would not work.

 

Turn on debugging for your clients to find out why it is not working

 

config t

logging level debug user

show log user 50

 

 



Colin Joseph
Aruba Customer Engineering


New Contributor

Re: External MAC-Database

Morning cjoseph,

 

I turned on user debugging as you said and am still having issues; therefore, seeing that this is a new setup, I wiped everything and am starting from scratch. Would it be possible for you to give me a step by step walkthrough of setting up MAC authorization for chromebooks using either LDAP, RADIUS, or something else?

 

All I want my wireless network to do is check the mac address against a database to see if the MAC address is in the list, and if it is then allow the chromebook onto the wireless. Currently I have set up the internal database, and have it working just like this, but as of next year we will have over 4000 chromebooks in our district, so I would like to use the same method of just using MAC addresses only on a larger scale.

 

Thanks for your time

 

-Michael

 

P.S. I know that MAC addresses can be spoofed, but that is not a problem for us due to other methods in place. We just need a way to direct the chromebooks to join a certain network.

 

 

 
