New Contributor

MAC authentication

I'm looking to block everyone connecting to a WiFi, unless they provide me with their MAC address beforehand so I can add it to the allowed list and allow them to connect.

I don't want the wrong people accessing my network through overhearing the password.

Is this possible through an Aruba controller on the GUI, where I can just add new MAC addresses when I need to?

Many thanks
Guru Elite

Re: MAC authentication

New Contributor

Re: MAC authentication

I have read up on this and tried following the guide. However, users who have the password but have not handed over their MAC addresses are still able to connect, so I'm stumped.
Guru Elite

Re: MAC authentication

What role are they in after they connect?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: MAC authentication

So I've created a MAC address authentication profile.
Then went onto the internal DB and added the MACs I had.
Then is it just a matter of going to AAA profiles and selecting your chosen one under the network profile > MAC authentication?
Guru Elite

Re: MAC authentication

You need a mac authentication profile attached to the AAA profile that corresponds to your SSID.  You can find out what AAA profile to edit by typing "show user-table verbose" and seeing what is under the "profile" column.

You put mac addresses in the local user database. The format of the macs you put in the local user database needs to match the format in the mac authentication profile (lower, upper, delimiter, etc). If users attach to the PSK SSID, they will get the default 802.1x role in the AAA profile. If they also pass mac authentication, they will get the mac authentication default role (an elevated role). EDIT: Not Correct If you instead want it so that they just simply cannot attach if they do not pass mac authentication, make sure in the AAA profile, l2 fail through is not enabled.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
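An added example (not part of the original thread and not Aruba code) of the format point in the post above: it rewrites submitted MAC addresses into one case and delimiter style before they are entered in the local user database, rejecting malformed and duplicate entries. The option names (`lower`/`upper`, `none`/`colon`/`dash`) and all function names are assumptions rather than ArubaOS keywords, the sample addresses are constructed, and the check for locally administered addresses goes beyond the thread: devices that randomize their MAC use such addresses, so a registered entry may stop matching later.

```python
import re

# Assumed option names for illustration; these are not ArubaOS keywords.
DELIMITERS = {"none": "", "colon": ":", "dash": "-"}

def normalize_mac(raw, case="lower", delimiter="none"):
    """Rewrite one MAC in the chosen case/delimiter, or raise ValueError."""
    if case not in ("lower", "upper") or delimiter not in DELIMITERS:
        raise ValueError("unknown format option")
    digits = re.sub(r"[\s:.\-]", "", raw)          # accept common separators
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    digits = digits.lower() if case == "lower" else digits.upper()
    return DELIMITERS[delimiter].join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set (typical of randomized MACs)."""
    return bool(int(re.sub(r"[^0-9A-Fa-f]", "", mac)[:2], 16) & 0x02)

def build_allow_list(submitted, case="lower", delimiter="none"):
    """Return (allowed, rejected, flagged) for a list of submitted strings."""
    allowed, rejected, flagged, seen = [], [], [], set()
    for raw in submitted:
        try:
            key = normalize_mac(raw)               # canonical form for de-duplication
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if key in seen:
            rejected.append((raw, "duplicate"))
            continue
        seen.add(key)
        mac = normalize_mac(raw, case, delimiter)  # form to enter in the database
        allowed.append(mac)
        if is_locally_administered(mac):
            flagged.append(mac)                    # may change if the device re-randomizes
    return allowed, rejected, flagged

# Constructed sample input, as users might hand addresses over.
SUBMITTED = ["3C:22:FB:11:22:33", "3c22.fb11.2233", "00-1A-2B-3C-4D-5E",
             "DA:A1:19:00:00:01", "00:1A:2B:3C:4D", "not a mac"]

if __name__ == "__main__":
    allowed, rejected, flagged = build_allow_list(SUBMITTED, "lower", "colon")
    print("enter in local user database:", allowed)
    print("rejected:", rejected)
    print("locally administered (check with the user):", flagged)
```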

New Contributor

Re: MAC authentication

Update on this.

I have managed to set the MAC auth table. I'm using both the GUI and CLI; on the CLI, when I type #show user-table verbose
it shows my iPhone connected with the MAC I entered and has me down as a guest role.
I also connected my laptop to the WiFi but never entered the MAC address into the table, and the laptop is able to connect fine; this is without me entering the MAC address onto the allowed list.
Any ideas, guys, as to why it's not blocking those whose addresses I haven't entered?
New Contributor

Re: MAC authentication

The laptop was connected under role "login"
Guru Elite

Re: MAC authentication

Using PSK, you cannot completely block users from being on the network on mac authentication failure. You CAN send them to a captive portal page upon failure, however:

 

In the AAA profile, make sure that the initial role is "logon".  This is the role a user gets if they have not passed mac authentication.  In the AAA profile, also configure the default mac authentication role, which is what a user gets if they pass authentication.

 

This is how it should work:

 

If a user associates and their mac address is not in the database, they should stay in the "logon" role, which typically produces a captive portal when they attempt to browse.  If the user associates and their mac address IS in the database, they will get the mac authentication default role in the AAA profile and they will be able to do whatever that allows.

 

Only 802.1x authentication allows you to completely block users if they do not successfully mac authenticate. Using PSK, you can only force them to be in a role with fewer IP privileges.



Colin Joseph
Aruba Customer Engineering


New Contributor

Re: MAC authentication

Thank you for your response, it is much appreciated.

We are not using PSK; I think we are on 802.1x. Is this possible with these parameters then?