Good point, I was not fully clear here. The logs suggest that the username is MAC/MAC, which is very unlikely. The password indeed is the same as the MAC address so it is sent twice, but in different fields. Only once in the username.
I don't know the FreeRADIUS logging, and have to make do with what I see in the post.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: Mar 05, 2021 07:42 AM
From: Bruce Osborne
Subject: MAC Auth to FreeRadius incorrect - Dynamic VLAN
The MAC address IS sent twice. That is the definition of RADIUS MAC Authentication.
The MAC address is both the username and the password so it MUST be sent twice.
------------------------------
Bruce Osborne
Original Message:
Sent: Mar 04, 2021 07:24 AM
From: Herman Robers
Subject: MAC Auth to FreeRadius incorrect - Dynamic VLAN
I'm pretty sure the AP does not send the MAC address twice as in MAC/MAC. This has to be the way it is displayed in FreeRADIUS. Check with debug/verbose logging or better with a Wireshark and see what is in the RADIUS packets.
------------------------------
Herman Robers
Original Message:
Sent: Mar 03, 2021 05:50 PM
From: Hendri Marzuki
Subject: MAC Auth to FreeRadius incorrect - Dynamic VLAN
Hi, I meant still no luck after trying the changes.
The Login OK is the format in which FreeRADIUS accepted the authentication, but Aruba sent it in a different format, which caused Login incorrect.
I was hoping there could be a setting somewhere that I might have missed in configuring Aruba to send only a single MAC address.
Anyway, I really appreciate your effort in trying to help. I'll try your suggestion.
Thank you!
------------------------------
Hendri Marzuki
Original Message:
Sent: Mar 03, 2021 04:33 AM
From: Herman Robers
Subject: MAC Auth to FreeRadius incorrect - Dynamic VLAN
Not sure if it now works or not, as I see a Login OK.
If it doesn't work, I would start your FreeRADIUS in verbose/debugging mode to see what your AP is sending and compare that to what your RADIUS is configured to receive. A Wireshark could also help to understand the issue. I don't use FreeRADIUS, so can't help you with that, I don't remember a similar question.
------------------------------
Herman Robers
Original Message:
Sent: Mar 02, 2021 05:02 PM
From: Hendri Marzuki
Subject: MAC Auth to FreeRadius incorrect - Dynamic VLAN
Thanks for your response, Herman.
You were right, I am using Aruba Instant.
I disabled the Service-Type Framed-User and the format from Aruba to RADIUS is still the same. I tried the combinations as well; none sends the right authentication format.
Here are my settings:
------------------------------
Hendri Marzuki
Original Message:
Sent: Mar 02, 2021 04:25 AM
From: Herman Robers
Subject: MAC Auth to FreeRadius incorrect - Dynamic VLAN
From reading your text again, you appear to be using Aruba Instant. Please note that the option Service-Type Framed-User does not enable MAC Authentication or format MAC address, it changes the type of the RADIUS request.
I think the default for these should be disabled. You can try again with these disabled and configure the MAC authentication and delimiters, on your SSID.
------------------------------
Herman Robers
Original Message:
Sent: Mar 02, 2021 04:08 AM
From: Herman Robers
Subject: MAC Auth to FreeRadius incorrect - Dynamic VLAN
Are you using a controller deployment (ArubaOS) - or Aruba Instant?
On Aruba Instant, you configure the MAC format in the SSID configuration:
On a controller (ArubaOS), you configure this on the RADIUS server:
------------------------------
Herman Robers
Original Message:
Sent: Feb 28, 2021 06:40 PM
From: Hendri Marzuki
Subject: MAC Auth to FreeRadius incorrect - Dynamic VLAN
Dear experts,
I have an Aruba VC with the Auth Server set up to a FreeRadius server (service type framed user 802.1X and MAC both ticked).
Then I created an SSID with security to authenticate to the Radius (MAC auth Enabled, use Delimiter, use Uppercase).
When the device connects to the SSID, the Radius log shows:
Login incorrect: [99-88-77-AA-66-EE/99-88-77-AA-66-EE] (from client ZD port 0 cli 998877aa66ee)
I tested with Ruckus Zone Director, setting up the Radius server and SSID. In the SSID settings, it has the option: send username and password in 802.1X format of 00-11-AA-BB-CC. By default 0011aabbcc. The test is successful.
Login OK: [00-11-BB-CC-DD-22] (from client ZD port 0 cli 00-11-BB-CC-DD-22)
I couldn't find the setting for Aruba VC to send the right format. Is it possible?
Thank you in advance!
------------------------------
Hendri Marzuki
------------------------------
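Added example (not part of the thread, and not Aruba or FreeRADIUS code): a small Python parser for the two log lines quoted above. It relies on FreeRADIUS writing the bracketed credential as `[User-Name/password]` when password logging (`auth_badpass` / `auth_goodpass` in `radiusd.conf`) is enabled, and assumes user names contain no slash; `parse_auth_line` and `mac_format` are hypothetical names.

```python
import re

# Auth-log line shape, taken from the two lines quoted in the thread.
LINE_RE = re.compile(
    r"Login (?P<result>OK|incorrect)(?: \([^)]*\))?: \[(?P<cred>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^)\s]+))?\)"
)

def mac_format(value):
    """Describe a MAC string as (lowercase hex digits, delimiter, letter case)."""
    digits = re.sub(r"[-:.]", "", value)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    delims = set(re.findall(r"[-:.]", value))
    delim = delims.pop() if len(delims) == 1 else ("mixed" if delims else "")
    letters = [c for c in digits if c.isalpha()]
    if not letters:
        case = "none"
    elif all(c.isupper() for c in letters):
        case = "upper"
    elif all(c.islower() for c in letters):
        case = "lower"
    else:
        case = "mixed"
    return digits.lower(), delim, case

def parse_auth_line(line):
    """Split one auth-log line into User-Name, logged password and cli."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # Assumption: the user name itself contains no "/".
    user, slash, password = m["cred"].partition("/")
    return {
        "result": m["result"],
        "user": user,
        "password_logged": bool(slash),
        "password_equals_user": bool(slash) and password == user,
        "user_format": mac_format(user),
        "cli_format": mac_format(m["cli"] or ""),
    }

# The two log lines as posted in the thread.
SAMPLES = [
    "Login incorrect: [99-88-77-AA-66-EE/99-88-77-AA-66-EE] (from client ZD port 0 cli 998877aa66ee)",
    "Login OK: [00-11-BB-CC-DD-22] (from client ZD port 0 cli 00-11-BB-CC-DD-22)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_auth_line(sample))
```

On the two lines from the thread it reports the same User-Name format (hyphen-delimited, uppercase) for the rejected and the accepted request. The rejected line additionally carries the logged password field, and its cli value is undelimited lowercase.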