Cloud Managed Networks

Hello,   I have a new customer site and it will be a week or two before the radius server is available.  Guest WiFi is working fine.  Corp-WiFi I would like to secure as much as possible by using mac addresses  of known devices otherwise I will disable it completely which is not ideal.
My logic (correct me if wrong) was to create a default role with Deny any to all.  I would then create another Role Permit-WiFi-Mac.
The role assignment for Permit-WiFi-Mac would be 'If mac-address equals xx:xx:xx:xx:xx:xx assign role: Permit-WiFi-Mac".   I would create a rule like this for each known device.

As yet I have not got it to work so a few questions:

1. Is this possible or is there another method to complete the same ?
2. Is the MAC in the correct format for the 'string' ?
3. If the MAC is in the correct format and matches the rule is it like most rule sets where a match is made from top to  bottom and stops at the match or does it fall through and hit the default deny all ?

This is temporary and would really appreciate any advice.

Many thanks

------------------------------
Andrew Brown
------------------------------

What security are you adding? With a RADIUS server, you typically will do WPA-Enterprise, which is something different than open/PSK with MAC Authentication.

If this is temporary and you will change the security type later on, it may be good to put for the time-being a PSK SSID in with a long and strong password and a separate name from what you will deploy later to avoid clients being configured with an old configuration.

For the role assignment, you put in the MAC address of the client without delimiters and lower case:


------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Mar 23, 2021 02:42 PM
From: Andrew Brown
Subject: Aruba Central - WLAN Access Role Assignment advice

Hello,   I have a new customer site and it will be a week or two before the radius server is available.  Guest WiFi is working fine.  Corp-WiFi I would like to secure as much as possible by using mac addresses  of known devices otherwise I will disable it completely which is not ideal.
My logic (correct me if wrong) was to create a default role with Deny any to all.  I would then create another Role Permit-WiFi-Mac.
The role assignment for Permit-WiFi-Mac would be 'If mac-address equals xx:xx:xx:xx:xx:xx assign role: Permit-WiFi-Mac".   I would create a rule like this for each known device.

As yet I have not got it to work so a few questions:

1. Is this possible or is there another method to complete the same ?
2. Is the MAC in the correct format for the 'string' ?
3. If the MAC is in the correct format and matches the rule is it like most rule sets where a match is made from top to  bottom and stops at the match or does it fall through and hit the default deny all ?

This is temporary and would really appreciate any advice.

Many thanks

------------------------------
Andrew Brown
------------------------------

Many thanks for your reply.   I will set a new SSID for Radius Ent as suggested.  I also removed the delimeters for the MAC addresses and all is working as planned.  Devices are now getting the correct role and access policy.

Regards


------------------------------
Andrew Brown
------------------------------

Original Message:
Sent: Mar 24, 2021 06:57 AM
From: Herman Robers
Subject: Aruba Central - WLAN Access Role Assignment advice

What security are you adding? With a RADIUS server, you typically will do WPA-Enterprise, which is something different than open/PSK with MAC Authentication.

If this is temporary and you will change the security type later on, it may be good to put for the time-being a PSK SSID in with a long and strong password and a separate name from what you will deploy later to avoid clients being configured with an old configuration.

For the role assignment, you put in the MAC address of the client without delimiters and lower case:


------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Mar 23, 2021 02:42 PM
From: Andrew Brown
Subject: Aruba Central - WLAN Access Role Assignment advice

Hello,   I have a new customer site and it will be a week or two before the radius server is available.  Guest WiFi is working fine.  Corp-WiFi I would like to secure as much as possible by using mac addresses  of known devices otherwise I will disable it completely which is not ideal.
My logic (correct me if wrong) was to create a default role with Deny any to all.  I would then create another Role Permit-WiFi-Mac.
The role assignment for Permit-WiFi-Mac would be 'If mac-address equals xx:xx:xx:xx:xx:xx assign role: Permit-WiFi-Mac".   I would create a rule like this for each known device.

As yet I have not got it to work so a few questions:

1. Is this possible or is there another method to complete the same ?
2. Is the MAC in the correct format for the 'string' ?
3. If the MAC is in the correct format and matches the rule is it like most rule sets where a match is made from top to  bottom and stops at the match or does it fall through and hit the default deny all ?

This is temporary and would really appreciate any advice.

Many thanks

------------------------------
Andrew Brown
------------------------------