Wireless Access

Reply
Contributor II
Posts: 56
Registered: ‎12-17-2011

How to do two step authentication, MAC-based & 802.1x?

[ Edited ]

Hi guys,

 

This is a great forum and I've benefited greatly from the knowledgeable posts here. I have a scenario where I need to authenticate devices based on MACs as well as their 802.1x credentials. How can I do that?

 

I know that in the AAA profile for a particular VAP, I can set the user roles for MAC-authentication, user-derivation rules and 802.1x but how can I tie two of them together so that the user is not authenticated until he meets both of the following conditions:

 

1) User's MAC address is in the user-derivation rules OR in the Internal DB (MAC Authentication)

2) 802.1x authentication

 

Any help is much appreciated!

 

Cheers

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: How to do two step authentication, MAC-based & 802.1x?

If you set both a 802.1x and MAC authentication profile, the client has to pass BOTH or the client will not be admitted to the network.  If you enable "L2 Authentication Fail Through" on the AAA profile, 802.1x authentication will continue if MAC auth is failed.  I hope this helps.


 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 56
Registered: ‎12-17-2011

Re: How to do two step authentication, MAC-based & 802.1x?

Thanks for the quick reply cjoseph. I've applied both profiles now but I can't find the "L2 Authentication Fail Through" option that you mentioned. In the AAA profile, all I see are 6 options:

 

Initial Role

802.1X Authentication Default Role

Wired to Wireless Roaming

MAC Authentication Default Role

User derivation rules

SIP authentication role

 

Where's this fail-through option?

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: How to do two step authentication, MAC-based & 802.1x?

Do you have ArubaOS 6.x?  I forgot to tell you it only exists there.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 56
Registered: ‎12-17-2011

Re: How to do two step authentication, MAC-based & 802.1x?

[ Edited ]

No I don't but I can get it though. Is 6.x stable though? Anything I should know about for the upgrade? It's a 4504 controller running 5.0.3.3 and a bunch of RAP-2WG APs.

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: How to do two step authentication, MAC-based & 802.1x?

You don't have to upgrade just for that.  On your current version, it just won't let devices on if they don't pass mac address authentication as well was 802.1x authentication.  



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 56
Registered: ‎12-17-2011

Re: How to do two step authentication, MAC-based & 802.1x?

Right, I understand. It would be nice to have that option as a check box though.

 

Greatly appreciate your help!

Search Airheads
Showing results for 
Search instead for 
Did you mean: