Wireless Access


MAC Auth to FreeRadius incorrect - Dynamic VLAN

  • 1.  MAC Auth to FreeRadius incorrect - Dynamic VLAN

    Posted Mar 01, 2021 12:05 PM
    Dear experts,

    I have an Aruba VC with Auth Server set up to a FreeRadius server (service type framed user 802.1X and MAC both ticked). 
    Then I create an SSID with security to authenticate to the Radius (MAC auth Enabled, use Delimiter, use Uppercase).

    When the device connects to the SSID, the Radius log shows:
    Login incorrect: [99-88-77-AA-66-EE/99-88-77-AA-66-EE] (from client ZD port 0 cli 998877aa66ee)

    I tested with Ruckus Zone Director, set up the Radius server and SSID. In the SSID settings, it has an option: send username and password in 802.1X format of 00-11-AA-BB-CC. By default it is 0011aabbcc. The test is successful.
    Login OK: [00-11-BB-CC-DD-22] (from client ZD port 0 cli 00-11-BB-CC-DD-22)

    I couldn't find the setting for Aruba VC to send the right format. Is it possible? 

    Thank you in advance!

    ------------------------------
    Hendri Marzuki
    ------------------------------


  • 2.  RE: MAC Auth to FreeRadius incorrect - Dynamic VLAN

    EMPLOYEE
    Posted Mar 02, 2021 04:08 AM
    Are you using a controller deployment (ArubaOS) - or Aruba Instant?

    On Aruba Instant, you configure the MAC format in the SSID configuration:


    Controller (ArubaOS) you configure this on the RADIUS server:


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: MAC Auth to FreeRadius incorrect - Dynamic VLAN

    EMPLOYEE
    Posted Mar 02, 2021 04:25 AM
    From reading your text again, you appear to be using Aruba Instant. Please note that the option Service-Type Framed-User does not enable MAC Authentication or format the MAC address; it changes the type of the RADIUS request.

    I think the default for these should be disabled. You can try again with these disabled and configure the MAC authentication and delimiters, on your SSID.



    ------------------------------
    Herman Robers
    ------------------------------



  • 4.  RE: MAC Auth to FreeRadius incorrect - Dynamic VLAN

    Posted Mar 02, 2021 05:03 PM
    Thanks for your response, Herman. 

    You were right, I am using Aruba Instant. 
    I disabled the Service-Type Framed-User and the format from Aruba to RADIUS is still the same. I tried the combinations as well; none sends the right authentication format.

    Here are my settings:


    I think the RADIUS expects the login as a single MAC [MAC], not as [MAC/MAC], which is what Aruba sent to RADIUS.
    Login OK: [00-11-BB-CC-DD-22] (from client ZD port 0 cli 00-11-BB-CC-DD-22)

    Thanks.


    ------------------------------
    Hendri Marzuki
    ------------------------------



  • 5.  RE: MAC Auth to FreeRadius incorrect - Dynamic VLAN

    EMPLOYEE
    Posted Mar 03, 2021 04:34 AM
    Not sure if it now works or not, as I see a Login OK.

    If it doesn't work, I would start your FreeRADIUS in verbose/debugging mode to see what your AP is sending and compare that to what your RADIUS is configured to receive. A Wireshark could also help to understand the issue. I don't use FreeRADIUS, so I can't help you with that; I don't remember a similar question.

    ------------------------------
    Herman Robers
    ------------------------------



  • 6.  RE: MAC Auth to FreeRadius incorrect - Dynamic VLAN

    Posted Mar 03, 2021 05:51 PM

    Hi, I meant still no luck after trying the changes.

    The Login OK is the format in which FreeRADIUS accepted the authentication, but Aruba sent a different format, which caused Login incorrect.


    I was hoping there could be a setting somewhere that I might have missed in configuring Aruba to send only a single MAC address. 

    Anyway, I really appreciate your effort in trying to help. I'll try your suggestion. 

    Thank you!



    ------------------------------
    Hendri Marzuki
    ------------------------------



  • 7.  RE: MAC Auth to FreeRadius incorrect - Dynamic VLAN

    EMPLOYEE
    Posted Mar 04, 2021 07:25 AM
    I'm pretty sure the AP does not send the MAC address twice as in MAC/MAC for the username. This has to be the way it is displayed in FreeRADIUS. Check with debug/verbose logging or better with a Wireshark and see what is in the RADIUS packets.

    ------------------------------
    Herman Robers
    ------------------------------



  • 8.  RE: MAC Auth to FreeRadius incorrect - Dynamic VLAN

    MVP
    Posted Mar 05, 2021 07:43 AM
    The MAC address IS sent twice. That is the definition of RADIUS MAC Authentication.

    The MAC address is both the username and the password so it MUST be sent twice.

    ------------------------------
    Bruce Osborne
    ------------------------------



  • 9.  RE: MAC Auth to FreeRadius incorrect - Dynamic VLAN

    EMPLOYEE
    Posted Mar 05, 2021 08:37 AM
    Good point, I was not fully clear here. The logs suggest that the username is MAC/MAC, which is very unlikely. The password indeed is the same as the MAC address so it is sent twice, but in different fields. Only once in the username.

    I don't know the FreeRADIUS logging, and have to do with what I see in the post.

    ------------------------------
    Herman Robers
    ------------------------------
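
What a packet capture of the MAC-authentication request discussed in this thread would contain, as an added example that is not part of any post: the MAC appears once in User-Name and once, hidden per RFC 2865 section 5.2, in User-Password. The function names, the shared secret used when calling them, and the Calling-Station-Id format (mirrored from `cli 998877aa66ee` in the first post) are assumptions.

```python
import hashlib
import os
import struct

USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31  # RFC 2865 attribute types

def format_mac(mac, delimiter="-", upper=True):
    """Render a MAC as the SSID's delimiter/uppercase options would."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if upper else digits.lower()
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR 16-byte blocks with a chained MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev  # each hidden block keys the next one
    return out

def unhide_password(hidden, secret, authenticator):
    """What the RADIUS server (or Wireshark, given the secret) recovers."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_mac_auth_request(mac, secret, identifier=1, authenticator=None):
    """Access-Request (code 1) where the MAC is both User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)
    user = format_mac(mac).encode()
    hidden = hide_password(user, secret, authenticator)
    cli = format_mac(mac, "", upper=False).encode()  # assumed, mirrors "cli 998877aa66ee"
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in
                     ((USER_NAME, user), (USER_PASSWORD, hidden), (CALLING_STATION_ID, cli)))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Return {attribute type: raw value} from the bytes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        a_type, length = packet[pos], packet[pos + 1]
        attrs[a_type] = packet[pos + 2:pos + length]
        pos += max(length, 2)  # never stall on a malformed length
    return attrs
```

FreeRADIUS writes rejected requests as `[user/password]` when `auth_badpass = yes` is set in the `log` section of `radiusd.conf`, so a `[MAC/MAC]` log entry corresponds to the two separate attributes above.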