Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

mixed authentication modes on a 802.1x authenticated SSID

Running 6.1.3.6-airgroup.

 

Hello,

 

Anybody in the community running mixed authentication modes?

 

I am trying to configure mixed authentication modes on a SSID which is currently 802.1x authenticated.  If I am reading the user guide correctly, I should be able to edit the aaa-profile to include a MAC authentication Profile and a MAC authentication Server Group and then enable the l2-auth-fail-through feature.  This should allow for MAC authentication on the otherwise 802.1x authenticated SSID.

 

For the purposes of testing, I am using the internal database on the controller as the MAC auth server.

 

When I enable the MAC auth features I have mentioned above, no stations can authenticate. MAC auth does not work and the previously working 802.1x auth stops working. I am obviously missing something. Anyone have any thoughts?

 

Thanks in advance

 

 

Guru Elite
Posts: 21,269
Registered: ‎03-29-2007

Re: mixed authentication modes on a 802.1x authenticated SSID

For the client that is failing, type "show auth-tracebuf" to see why.

 

When you say "mixed", you mean 802.1x with mac authentication, right? L2 failthrough only allows clients that fail mac authentication to continue on to 802.1x authentication. If a client fails 802.1x, the client does not get on, period...

 



Colin Joseph
Aruba Customer Engineering


Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: mixed authentication modes on a 802.1x authenticated SSID

In the MAC auth profile, what delimiter and case did you use? Typically, you would use "none" and "lower" and put the mac address in the DB like "00112233aabbcc".
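
Added example, not part of the original post: a Python sketch that rewrites station MAC addresses from common notations into the "none" delimiter and "lower" case form mentioned above, so database entries match what the MAC auth profile presents. It relies on a MAC address being exactly 12 hex digits; the function names and sample inventory are constructed, and the "colon" and "dash" output styles are assumptions beyond what the thread mentions.

```python
import re

# Output styles for the MAC auth profile's delimiter setting. "none" is the
# value recommended in the post above; "colon" and "dash" are assumed
# alternatives included for illustration.
_DELIMS = {"none": "", "colon": ":", "dash": "-"}


def normalize_mac(raw, delimiter="none", case="lower"):
    """Rewrite raw to match the profile's delimiter/case settings.

    Accepts aa:bb:..., AA-BB-..., aabb.ccdd.eeff and bare hex.
    Raises ValueError unless exactly 12 hex digits remain.
    """
    if delimiter not in _DELIMS or case not in ("lower", "upper"):
        raise ValueError(f"unsupported profile setting: {delimiter}/{case}")
    text = raw.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]+(?:[:.\-][0-9A-Fa-f]+)*", text):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[:.\-]", "", text)
    if len(digits) != 12:
        raise ValueError(f"expected 12 hex digits, got {len(digits)}: {raw!r}")
    digits = digits.lower() if case == "lower" else digits.upper()
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    return _DELIMS[delimiter].join(octets)


def build_db_entries(inventory, delimiter="none", case="lower"):
    """Normalize an inventory list and return (entries, rejected).

    entries maps each normalized MAC to the raw strings that produced it,
    so duplicates that differ only in notation are visible.
    """
    entries, rejected = {}, []
    for raw in inventory:
        try:
            key = normalize_mac(raw, delimiter, case)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        entries.setdefault(key, []).append(raw)
    return entries, rejected


# Constructed sample inventory (not taken from the thread).
SAMPLE = ["00:11:22:AA:BB:CC", "0011.22aa.bbcc", "00-11-22-33-44-55",
          "00112233aabbccdd", "zz:11:22:33:44:55"]
```

Entries that land in `rejected` would never match at authentication time, which is worth checking before enabling MAC auth on a production SSID.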
Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Re: mixed authentication modes on a 802.1x authenticated SSID

Hi cjoseph,

 

I do mean 802.1x with mac auth.  I am trying to configure the SSID so that stations will first attempt mac auth.

If the mac auth succeeds assign role and allow station to connect.

If mac auth fails, try 802.1x auth.

If both mac and 802.1x auth pass, assign role based on 802.1x.

 

I have configured my aaa profile like this.

 

aaa profile "OCDSB-TEST-aaa-Profile"
    mac-server-group "internal_db"
    authentication-mac "OCDSB-TEST-MAC-Profile"
    authentication-dot1x "OCDSB-TEST-dot1x-profile"
    dot1x-default-role "authenticated"
    dot1x-server-group "OCDSB-CPPM-server-group"
    no wired-to-wireless-roam
    enforce-dhcp
    l2-auth-fail-through

 

I think what I may be missing is in the SSID configuration which is as follows.

 

wlan ssid-profile "OCDSB-TEST-ssid-prof"
    essid "OCDSBTEST"
    opmode wpa2-aes


So this leaves me with a vap-profile like...

 

wlan virtual-ap "OCDSB_TEST-vap-profile"
    aaa-profile "OCDSB-TEST-aaa-profile"
    ssid-profile "OCDSB-TEST-ssid-prof"
    vlan 100
    blacklist-time 1800
    auth-failure-blacklist-time 600
    band-steering

Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Re: mixed authentication modes on a 802.1x authenticated SSID

Thanks olino,

My mac auth profile is configured exactly as you show it.

 

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: mixed authentication modes on a 802.1x authenticated SSID


tpelley wrote:

 

If the mac auth succeeds assign role and allow station to connect.


The above statement is not possible.   If it is a wpa2 network, 802.1X has to pass; you cannot bypass 802.1X on a wireless network using WPA2 Enterprise.

 

Also, in your code snippet, I don't see any mac-default-role defined, are you just using the default guest?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Re: mixed authentication modes on a 802.1x authenticated SSID

clembo,

 

Thanks for your input.

Yes, my mac authentication default mode is guest.

Your statement seems to confirm my suspicion that I have misconfigured the ssid profile.

I want to enable both mac auth and 802.1x on the same ssid. The implication in the 6.1 user guide is that this is possible.

I am referring to table 58 on page 323 of the guide.  I attached a copy of that specific page.

 

I am thinking I need to enable mixed mode on the ssid.

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: mixed authentication modes on a 802.1x authenticated SSID

tpelley, did you get this to work?

So only mac auth on a WPA2 Enterprise SSID? dot1x not even requested.

MVP
Posts: 1,414
Registered: ‎11-30-2011

Re: mixed authentication modes on a 802.1x authenticated SSID


tpelley wrote:

I am thinking I need to enable mixed mode on the ssid.


I believe you are confusing things there; the document talks about mixed authentication modes. The mixed mode on the ssid profile is about mixing different types of wireless security.

I found another thread where cjoseph says that the combination of mac or dot1x can't be used with only mac on wpa2:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/MAC-Authentication-on-WPA2-secured-SSID/td-p/25570

That table confused people before:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Security-in-mixed-authentication-modes-environment/td-p/33562

Would be nice if Aruba could clear it up and explain the use of it.

 
