Wireless Access

Reply
Occasional Contributor I
Posts: 9
Registered: ‎04-18-2011

is mix authentication on the same ssid possible?

A customer want to use 1 ssid for his cooperative wlan.

But customer have lots of different wifi client. most of them are laptops and do support 802.1x.

But customer will use also device for ex. temp monitoring and they do not support 802.1x

 

No we are searching for the possibility to do authentication for the devices supporting 802.1x by username/password.

And for the devices not supporting 802.1x by mac authentication.

For both we will use the same radius server.

 

my problem is when using 1 ssid, we have configure at ssid profile type of encryption : ex WPA, WPA2, but then you will use already 802.1x;

So how I can associate devices that not supporting 802.1x on that ssid?

There is also somthing L2 authentication fail through at AAA profile.

 

so my question is

to do mac authentication for devices not supporting 802.1x and to username/password authentication for devices supporting 802.1x on the same SSID?

 

regards

Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: is mix authentication on the same ssid possible?

You need a different and separate SSID to WPA2-PSK encryption for those devices.  You can have WPA2-PSK and mac authentication on the same SSID.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 9
Registered: ‎04-18-2011

Re: is mix authentication on the same ssid possible?

Hi,

 

could you tell me what the option "L2 authentication fail through" in aaa profile will do then?

 

regards

 

Aruba Employee
Posts: 27
Registered: ‎12-29-2010

Re: is mix authentication on the same ssid possible?

Refer to the ArubaOS User Guide, Chapter 10 802.1x Authentication

 

Use l2-auth-fail-through command to perform mixed authentication which includes both MAC and
802.1x authentication. When MAC authentication fails, enable the l2-auth-fail-through command to
perform 802.1x authentication.

 

If this parameter is set ENABLED, if MAC authentication fails, 802.1x authentication will be performed.

 

CLI configuration:

 

aaa profile test
l2-auth-fail-through

 

 

 

 

Shawn Adams
Aruba Networks Customer Advocacy
Occasional Contributor I
Posts: 9
Registered: ‎04-18-2011

Re: is mix authentication on the same ssid possible?

Hi,

is this not want I do need for my problem ?

Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: is mix authentication on the same ssid possible?

No. That option allows a device to still connect if it fails Mac authentication. The device still must support 802.1x, however.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 9
Registered: ‎04-18-2011

Re: is mix authentication on the same ssid possible?

Hi,

 

thanks for the feedback.

 

best regards

Occasional Contributor II
Posts: 26
Registered: ‎10-16-2008

Re: is mix authentication on the same ssid possible?

I have been able to configure this and it works as expected.  My questions is - the role being assigned is first from the MAC authentication and then overwritten from the 802.1x authentication AAA profile rules.   Is there a way to use the MAC address authentication.     I want to assign users with certain MAC addressed to a captive portal role and everyone else to the 802.1x role?

Guru Elite
Posts: 20,789
Registered: ‎03-29-2007

Re: is mix authentication on the same ssid possible?


hartcy wrote:

I have been able to configure this and it works as expected.  My questions is - the role being assigned is first from the MAC authentication and then overwritten from the 802.1x authentication AAA profile rules.   Is there a way to use the MAC address authentication.     I want to assign users with certain MAC addressed to a captive portal role and everyone else to the 802.1x role?


If you have "enable l2 passthrough" enabled, device that pass 802.1x and fail mac will get the 802.1x default role in the AAA profile.   Devices that pass both will get the MAC authentication default role in the AAA profile.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 26
Registered: ‎10-16-2008

Re: is mix authentication on the same ssid possible?

Thanks I do not see any option for "enable l2 passthrough"  in the AAA profile - where is the option applied- I searched the command reference guide and did not see any mention of this command.

Search Airheads
Showing results for 
Search instead for 
Did you mean: