Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

  • 1.  I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

    Posted Feb 18, 2015 04:32 PM

    I try first to use this procedure to test only L2 MAC Address Authentication but is not working:

     

    http://community.arubanetworks.com/t5/Community-Tribal-Knowledge-Base/For-the-Beginner-MAC-Authentication-using-the-Controller/ta-p/32188

     

    I can notice that controller version shown in the link is different from mine:

    mine: 6.4.2.4

     

    my WLC is a 7030



  • 2.  RE: I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

    EMPLOYEE
    Posted Feb 18, 2015 04:34 PM
    Are you using PSK or 802.1X authentication? 


    Thanks, 
    Tim


  • 3.  RE: I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

    Posted Feb 18, 2015 05:05 PM

    Hi, I'm going to use PSK WPA2-AES.



  • 4.  RE: I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

    EMPLOYEE
    Posted Feb 18, 2015 05:07 PM
    Can you post a screenshot of your AAA profile? 


    Thanks, 
    Tim


  • 5.  RE: I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

    Posted Feb 18, 2015 05:11 PM

    I deleted all configuration of MAC but was the same as the Link I sent.

    I created a MAC Auth profile in Security > Authentication > L2 Authentication with the colon delimiter and lower case, then the server group, ... and so on, just as the link said. Tried twice!



  • 6.  RE: I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

    EMPLOYEE
    Posted Feb 18, 2015 05:13 PM
    If the user fails MAC auth, they will be dumped into the initial role. Is that the role the device got? 


    Thanks, 
    Tim


  • 7.  RE: I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

    Posted Feb 18, 2015 05:37 PM

    The user in bold is the only user added to the internal database:

     


    local-userdb add username 84:3a:4b:29:19:52 password 84:3a:4b:29:19:52

     

    (WLC_WIFI) #show user-table

    Users
    -----
        IP              MAC            Name              Role           Age(d:h:m)  Auth  VPN link  AP name  Roaming   Essid/Bssid/Phy               Profile         Forward mode  Type   Host Name
    ----------     ------------       ------             ----           ----------  ----  --------  -------  -------   ---------------               -------         ------------  ----   ---------
    192.168.1.105  84:3a:4b:29:19:52  84:3a:4b:29:19:52  guest          00:00:59    MAC             Stock-2  Wireless  TEMPO/94:b4:0f:91:7a:f3/a-HT  TEMPO-aaa_prof  tunnel        Win 7  
    192.168.0.24   6c:88:14:45:fb:cc                     authenticated  00:00:59                    Stock-2  Wireless  TEMPO/94:b4:0f:91:7a:f3/a-HT  TEMPO-aaa_prof  tunnel        Win 7  

    User Entries: 2/2
     Curr/Cum Alloc:8/937 Free:5/929 Dyn:13 AllocErr:0 FreeErr:0

     

     



  • 8.  RE: I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

    EMPLOYEE
    Posted Feb 18, 2015 06:40 PM

    What is your initial-role set to?

     

    What is the role you assigned to that MAC in the internal database?



  • 9.  RE: I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

    Posted Feb 18, 2015 10:17 PM

    Hi, I think that your question was the key to solving the problem I had. I put the initial role in deny all. Then when I used any machine defined in the internal database, everything worked fine. Can I define users by groups, to use some MACs for one SSID and some other MACs for a different SSID? How can I do this? By creating a new role?
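
    The diagnosis in this thread is visible in the `show user-table` output posted above: the client that was never added to the internal database has an empty Auth column yet holds the `authenticated` role, which is exactly what a permissive initial-role produces. The following script is an added example (not ArubaOS code and not from any poster): it parses that table layout using the dash underline to find column boundaries, normalises MACs to the colon-delimited lower-case form the MAC auth profile and `local-userdb` username use, and flags clients that hold a role without having completed any authentication or without being on the local allow-list. The sample table and the allow-list are constructed from the two rows and the one `local-userdb add` line quoted in the thread; the default initial-role name `denyall` is an assumption.

```python
"""Audit an ArubaOS 'show user-table' dump for clients that were admitted
without completing L2 authentication.

Added example, not ArubaOS code. The table below is constructed from the
two rows quoted in the thread; the allow-list is the one MAC that was
added with 'local-userdb add'. The initial-role name is an assumption.
"""
import re

# Constructed sample: the two rows pasted in the thread, forum indent removed.
SAMPLE_USER_TABLE = """\
Users
-----
    IP              MAC            Name              Role           Age(d:h:m)  Auth  VPN link  AP name  Roaming   Essid/Bssid/Phy               Profile         Forward mode  Type   Host Name
----------     ------------       ------             ----           ----------  ----  --------  -------  -------   ---------------               -------         ------------  ----   ---------
192.168.1.105  84:3a:4b:29:19:52  84:3a:4b:29:19:52  guest          00:00:59    MAC             Stock-2  Wireless  TEMPO/94:b4:0f:91:7a:f3/a-HT  TEMPO-aaa_prof  tunnel        Win 7
192.168.0.24   6c:88:14:45:fb:cc                     authenticated  00:00:59                    Stock-2  Wireless  TEMPO/94:b4:0f:91:7a:f3/a-HT  TEMPO-aaa_prof  tunnel        Win 7

User Entries: 2/2
"""

# Constructed allow-list: the single MAC the poster added to the internal database.
LOCAL_USERDB_MACS = {"84:3a:4b:29:19:52"}


def normalize_mac(mac):
    """Canonicalise a MAC to the form the thread's MAC-auth profile expects
    (delimiter colon, case lower). Accepts 84-3A-4B-29-19-52, 843a.4b29.1952
    or bare hex; the local-userdb username must use this exact form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def _column_spans(dash_line):
    """Each run of dashes starts a column that extends to the start of the
    next run. Cells may overflow their own dashes (a 17-char MAC under a
    12-dash header), so slicing up to the next start keeps fields intact."""
    starts = [m.start() for m in re.finditer(r"-+", dash_line)]
    return list(zip(starts, starts[1:] + [None]))


def parse_user_table(text):
    """Return one dict per client row, keyed by the header names."""
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        # The column underline has several dash runs; 'Users/-----' has one.
        if idx > 0 and re.fullmatch(r"[- ]+", line) and len(re.findall(r"-+", line)) > 2:
            break
    else:
        raise ValueError("no column header found")
    spans = _column_spans(line)
    header = lines[idx - 1]
    names = [header[s:e].strip() for s, e in spans]
    rows = []
    for row in lines[idx + 1:]:
        if not row.strip():
            break  # a blank line ends the table body
        rows.append({n: row[s:e].strip() for n, (s, e) in zip(names, spans)})
    return rows


def find_unauthenticated(rows, allowed_macs, initial_role="denyall"):
    """Flag clients holding any role other than the initial role while the
    Auth column is empty (no L2 method completed) or the MAC is not on the
    allow-list: either means the initial-role admitted them."""
    allowed = {normalize_mac(m) for m in allowed_macs}
    findings = []
    for r in rows:
        mac = normalize_mac(r["MAC"])
        if r["Role"] == initial_role:
            continue  # held in the initial role as intended
        if not r["Auth"] or mac not in allowed:
            findings.append((mac, r["Role"], r["Auth"] or "none"))
    return findings


if __name__ == "__main__":
    for mac, role, auth in find_unauthenticated(parse_user_table(SAMPLE_USER_TABLE), LOCAL_USERDB_MACS):
        print(f"{mac} holds role {role!r} with auth {auth}: initial-role let it through")
```

Run against the sample, the script reports only `6c:88:14:45:fb:cc`, the MAC that was never added to the database, which is the device the thread's initial-role change was meant to block. Paste a live `show user-table` dump into `parse_user_table` and the current internal-database MACs into the allow-list to repeat the check after changing the initial role.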



  • 10.  RE: I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

    EMPLOYEE
    Posted Feb 18, 2015 10:34 PM
    No, you would need an external policy engine like ClearPass to get that
    granular.


  • 11.  RE: I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

    Posted Feb 18, 2015 10:36 PM

    Thanks a lot for your help!!!



  • 12.  RE: I'm trying to enforce L2 security using MAC Address in conjunction with WPA2-AES, but not working

    Posted Feb 19, 2015 01:02 PM

    Can I define users by groups, to use some MACs for one SSID and some other MACs for a different SSID? How can I do this? By creating a new role?


    Yeah, you can do this if you have a small number of users, but if you have a large number of users, as Tim said, you have to go for CPPM.

     

    To do that, first you have to create one user role and then add the users' MAC IDs to it; after that, in the AAA profile just select the user derived role from the drop-down list. It will overwrite your default role and make them work.

     

    [attachment: user role.jpg]

     

     

    [attachment: user role 2.jpg]