Wireless Access

Occasional Contributor II
Posts: 12
Registered: ‎07-07-2011

Machine Authentication via MAC Address

Can I manually add MAC addresses to the internal database on the controller to only allow certain machines access to our wireless network? I don't know enough about 802.1x or RADIUS, nor do I have the time to set that up at this time. We are a Novell eDirectory environment, and down the road I would like to set up some sort of LDAP referencing for user authentication as well.
Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Machine Authentication via MAC Address

Yes.

First you set up your WLAN how you want it, without MAC authentication. Next, edit that AAA profile (Configuration > Security > Authentication; find your AAA profile and edit it). Add a MAC authentication profile that specifies the format and delimiter of MAC addresses (space, no space, colons, etc.). Also add a MAC authentication server group of default to the same AAA profile. Next, make sure you add a user to the internal database which has a username and password of that MAC address, in the same format that you specified in the profile above. Users who are successful will get the MAC authentication default role. Users who are not will get the initial role of the AAA profile.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 6
Registered: ‎07-01-2009

Re: Machine Authentication via MAC Address

That's how we've been doing it. You have to be careful to put the MAC address in perfectly. It goes into the internal DB as both username and password. I would say that it works up to a limit - I don't know the number, but we now have 400+ devices and I feel like it's choking up a bit at this point.

I can remember exactly where, but somewhere is a setting which specifies the format of the MAC address in the internal DB. Mine is all caps with dashes between the pairs.
Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Machine Authentication via MAC Address


That's how we've been doing it. You have to be careful to put the MAC address in perfectly. It goes into the internal DB as both username and password. I would say that it works up to a limit - I don't know the number, but we now have 400+ devices and I feel like it's choking up a bit at this point.

I can remember exactly where, but somewhere is a setting which specifies the format of the MAC address in the internal DB. Mine is all caps with dashes between the pairs.




That is located in the MAC authentication profile attached to the AAA profile, which says whether:

- There is a delimiter or not
- What delimiter it is (colon or dash)
- Capital letters or small


Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 42
Registered: ‎02-15-2011

Re: Machine Authentication via MAC Address

I can't get this to work.
I have created a test ssid "IO" opmode open.
I created a mac authen profile called Internet-Only:

AAA Profile "Internet-Only"
---------------------------
Parameter                            Value
---------                            -----
Initial role                         logon
MAC Authentication Profile           Internet-Only
MAC Authentication Default Role      Internet-Only
MAC Authentication Server Group      default
802.1X Authentication Profile        N/A
802.1X Authentication Default Role   guest
802.1X Authentication Server Group   N/A
RADIUS Accounting Server Group       N/A
XML API server                       N/A
RFC 3576 server                      N/A
User derivation rules                N/A
Wired to Wireless Roaming            Enabled
SIP authentication role              N/A

I have two test laptops.

I have entered one test laptop MAC address as username and password in the internal database.

Both laptops are able to connect.

TIA

Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Machine Authentication via MAC Address

In the MAC authentication profile, the format of the MAC addresses must match the format that you put the MACs in the internal database as username and password. If a device does not pass MAC authentication, it remains in the initial role of that AAA profile, which is "logon".



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
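
The format match described in this reply, as an added example that is not part of the original thread or any Aruba tooling: it rewrites an inventory of MAC addresses into the delimiter and case chosen in the MAC authentication profile and flags malformed or duplicate entries before they are typed into the internal database. The function names and the sample inventory are hypothetical.

```python
import re

# Delimiter choices named in the thread: none, colon, dash.
DELIMITERS = {"none": "", "colon": ":", "dash": "-"}

def normalize_mac(raw, delimiter="none", upper=False):
    """Return raw rewritten in the profile's format, or raise ValueError."""
    if delimiter not in DELIMITERS:
        raise ValueError(f"unknown delimiter setting: {delimiter!r}")
    # Accept common input styles (aa:bb:.., AA-BB-.., aabb.ccdd.eeff, bare hex).
    digits = re.sub(r"[:\-.\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.upper() if upper else digits.lower()
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    return DELIMITERS[delimiter].join(pairs)

def build_entries(raw_macs, delimiter="none", upper=False):
    """Map raw inventory strings to (username, password) pairs plus rejects."""
    entries, rejects, seen = [], [], set()
    for raw in raw_macs:
        try:
            mac = normalize_mac(raw, delimiter, upper)
        except ValueError as exc:
            rejects.append((raw, str(exc)))
            continue
        if mac in seen:
            rejects.append((raw, "duplicate of an earlier entry"))
            continue
        seen.add(mac)
        entries.append((mac, mac))  # thread: MAC is both username and password
    return entries, rejects

# Constructed sample inventory, not real devices.
SAMPLE = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5e", "001a.2b3c.4d5f",
          "00:1A:2B:3C:4D", "0O1A2B3C4D5E"]

if __name__ == "__main__":
    ok, bad = build_entries(SAMPLE, delimiter="none", upper=False)
    for user, pw in ok:
        print(user, pw)
    for raw, why in bad:
        print("rejected:", raw, "-", why)
```
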

Contributor II
Posts: 42
Registered: ‎02-15-2011

Re: Machine Authentication via MAC Address

You can see my AAA profile in the attachment.

Internet-Only is set with no delimiter, lower case, and max fail 5.

I have entered the MAC, accordingly, as user name and password in the internal database.

How do you view the actual user entries that were configured in the internal database?

show user-table authentication-method mac or show user-table internal does not have any entries.

TIA

Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: Machine Authentication via MAC Address

show local-userdb will show you the entries.

Aruba Employee
Posts: 27
Registered: ‎04-02-2007

Re: Machine Authentication via MAC Address

Going to venture on a guess here. When you say both machines can connect I bet they connect using the logon role as it is your default initial role. You may consider changing that to a deny role unless it is a known MAC. Use 'show user-table' to determine what role the device is being placed into.

Contributor II
Posts: 42
Registered: ‎02-15-2011

Re: Machine Authentication via MAC Address

show local-userdb

All it is showing me is the admin username I entered, no MAC address.
