Wireless Access

last person joined: an hour ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Dual Authentication

Jump to Best Answer
This thread has been viewed 1 times
  • 1.  Dual Authentication

    Posted Nov 09, 2018 05:04 PM
      |   view attached

    At my workplace, we are migrating from HP MSM760 controller and system to an Aruba MM and MD-7030 setup.

     

    My question today: How would Aruba suggest to authenticate hand-held device and printer automatically to a specific WLAN?  With the HP MSM760 system we used:

     

    - Pre-Shared Key along with

    - MAC Address list (to allow)

     

    See attached screen shot.  We were infirmed from a previous thread thta we should create a username on the controller's database instead. 

     

     https://community.arubanetworks.com/t5/Wireless-Access/How-to-authenticate-devices-to-use-a-WLAN-by-MAC-Address/td-p/480382

     

    But in our case we are trying to authenticate devices not people.  The printer or scanner is not going to enter a username on a web portal.  So my question is how can we use Aruba 8.3.0.3 to automatically authenticate a device to a specific SSID (WLAN) securely?


    #ALE
    #ArubaSensor
    #LocationServices
    #ArubaBeacons
    #Meridian


  • 2.  RE: Dual Authentication

    Posted Nov 09, 2018 05:14 PM

    Are we suppose to add specific user's manually to each device.  What if there is no automatically remember my password settings from a printer?

     

    What if the device is prompted ny the SSID to enter a password.  Is there another more automatic way?

     

    In the previous case it was recommended not to use MAC addresses.  May I ask what else we can use instead for this scenario?



  • 3.  RE: Dual Authentication
    Best Answer

    Posted Nov 09, 2018 05:26 PM

    The devices connect with a preshared key.  In addition, the controller will do mac authentication of those devices.  The format to enter into the internal database to allow a device to connect via mac authentication is 

    username: mac address

    password: mac address

     

    That is because the internal database was really for guests, so you must enter a username and password, but for mac authentication, the controller will obtain the mac address of the devices that tries to connect to the WPA2-PSK SSID and then compare it to the username/password in the internal database.

     

    The printers or devices do not see a password prompt.  Entering the mac addresses in the database is only so that mac authentication can succeed.

     

    I hope that helps.

     



  • 4.  RE: Dual Authentication

    Posted Nov 11, 2018 08:25 PM

    Ok,

     

    So if one creates:

     

    1.  A user accont in the Aruba Controller internal database

            a.  MAC address for the username and the password for that user account.

     

    2.  And a MAC Authenticatin profile to be used with that specific SSID.

     

    Refernce: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-MAC-based-authentication-on-Aruba/ta-p/182430

     

    Then the SSID will automatically accept the MAC address of the printer device as if it was a "MAC Address List".  Is that correct? 

     

    If it is correct will we need to create a user account on each local controller (2 of them at each location)?  The majority of my confusion has to do with how the Aruba Wireless Network will recognize the user acocunts (MAC Addresses).  But it is starting to make more sense if we segment the process 1 stepa t a time.  Are the above 2 steps correct?

     



  • 5.  RE: Dual Authentication
    Best Answer

    Posted Nov 11, 2018 09:07 PM

    "Then the SSID will automatically accept the MAC address of the printer device as if it was a "MAC Address List".  Is that worrect? "  YES.

     

    If it is correct will we need to create a user account on each local controller (2 of them at each location) - NO. the database is synchronized to each controller.

     

     



  • 6.  RE: Dual Authentication

    Posted Nov 11, 2018 09:42 PM

    Ok, so.... I am starting to understand teh requirements better.  Please confirm the below steps.  In order to authenticate via MAC address.


    1.  Create a MAC Auth profile.
         a.  Step A. from:  https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-MAC-based-authentication-on-Aruba/ta-p/182430

     

    2.  Create the local username that will actually be used as a
        MAC address (not a username per say).  Step b.
        a.  * Using the CLI
        >local-userdb add username <macaddr> password <macaddr><enter>
        b.  Is it correct, if one adds a user account at 1 controller (internal database) then the same account will be replicated to the other local controller?
      
    3.  Then Map the MAC Authenticaiton profile (created in step 1) into the respective AAA profile (Step C).
        a.  Create a new aaa profile
        >aaa profile <profile name><enter>
        >authentication-mac <profile name from step1 above><Enter>
      
    Will the above plan provide the options to authe ticate from a passphrase & MAC Authentication?  Or just from the MAC Authentication?
     
    In our case we have 2 x Mobility Masters and then 4 different geographical sites (groups) where there are 2 local controllers at each site/group.