05-08-2015 05:05 AM
We have 2 virtual-ap's:
- One public SSID with captive portal and mac authentication. The mac addresses that have been added to the internal database bypass the captive portal and go straight to Internet. Unknown mac addresses get the captive portal and require a login.
- One corporate SSID with 802.1x client and machine authentication enforced where only valid domain computers and users are allowed.
We noticed that client mac addresses added in the internal database for the public SSID get full rights to the corporate SSID after authenticating with username and password.
I believe I found the explanation: Aruba will store mac addresses that have machine authenticated in the internal DB for 24 hours. The AAA profile will see a valid user authentication and a valid MAC address in the database, so it will give full rights to that device. However the machine authentication on these devices never took place...
How can we solve this? You cannot create a second internal DB. Changing the "MAC Authentication Server Group" in the AAA profile does not work. Any ideas?
05-08-2015 05:10 AM
For your public captive portal, change the mac authentication format or delimiter so it does not match that of your enforce machine authentication format. You would change this in the mac authentication profile. You will probably have to re-enter all of your mac addresses to match the new format, of course.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*