last person joined: 21 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

WPA2 PSK + MAC Authentication

  • 1.  WPA2 PSK + MAC Authentication

    Posted Sep 17, 2018 11:05 AM



    I want to configure a ssid with wpa2 psk and mac authentication.

    But I have the problem that every client gets authenticated.

    I have attached some pictures, where you can see my configuration.

    I have version installed on the controller





  • 2.  RE: WPA2 PSK + MAC Authentication

    Posted Sep 17, 2018 11:15 AM
    You need to configure a denyall role and assign it as the initial role

    Thank you

    Victor Fabian

    Pardon typos sent from Mobile

  • 3.  RE: WPA2 PSK + MAC Authentication

    Posted Sep 17, 2018 12:06 PM

    Hi Victor,


    I have created a denyall role and configured this as initial role.

    The clients still get authenticated and get ip addresses.

    I have attached some pictures again.

  • 4.  RE: WPA2 PSK + MAC Authentication

    Posted Oct 04, 2019 09:04 AM

    Christopher - I seem to be having this same issue, did you ever figure out the solution?


    I’m running 8.3 or greater.  Want both MAC and PSK authentication.  After PSK entry, client connects whether there is a User in the local database or not.


    This article isn’t helping me:

  • 5.  RE: WPA2 PSK + MAC Authentication

    Posted Oct 04, 2019 11:05 AM
      |   view attached

    Here is the configuration for a MAC + PSK SSID. I have attached the configuration as well.


    // Create an SSID Profile


    (A_RAK_Master) ^[mynode] (config) #wlan ssid-profile MAC-PSK-SSID
    (A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #essid A-RAK_MAC-PSK
    (A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #wpa-passphrase Savetheturtles
    (A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #opmode wpa2-psk-aes
    (A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #exit


    // Create a mac authentication profile. In my case i enter the mac as aa:bb:cc:dd:ee:ff


    (A_RAK_Master) ^[mynode] (config) #aaa authentication mac MAC-PSK-AUTH
    (A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #delimiter colon
    (A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #case lower
    (A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #exit


    // Create the ACL for Initial Role


    (A_RAK_Master) ^[mynode] (config) #ip access-list session MAC-PSK-INITIAL_ACL
    (A_RAK_Master) ^[mynode] (config-submode)#any any any deny
    (A_RAK_Master) ^[mynode] (config-submode)#exit


    // Map the ACL to the Initial Role


    (A_RAK_Master) ^[mynode] (config) #user-role MAC-PSK-INITIAL
    (A_RAK_Master) ^[mynode] (config-submode)# access-list session MAC-PSK-INITIAL_ACL
    (A_RAK_Master) ^[mynode] (config-submode)#exit


    // Create the ACL for Default Role


    (A_RAK_Master) ^[mynode] (config) #ip access-list session MAC-PSK-DEFAULT_ACL
    (A_RAK_Master) ^[mynode] (config-submode)#any any any permit
    (A_RAK_Master) ^[mynode] (config-submode)#exit


    // Map the ACL to the Default Role


    (A_RAK_Master) ^[mynode] (config) #user-role MAC-PSK-DEFAULT
    (A_RAK_Master) ^[mynode] (config-submode)#access-list session MAC-PSK-DEFAULT_ACL
    (A_RAK_Master) ^[mynode] (config-submode)#exit


    // If using internal database on the controller to authenticate the devices

    // Create AAA the Server Group to point to the internal database

    (A_RAK_Master) ^[mynode] (config) #aaa server-group MAC-PSK-SERVER-GROUP
    (A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-SERVER-GROUP") #auth-server internal
    (A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-SERVER-GROUP") #exit


    // If using clearpass/any external server capable of mac authentication

                  // Create the aAA Authentication server for clearpass


    (A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #aaa authentication-server radius CLEARPASS
    (A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #host
    (A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #key savetheturtles
    (A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #exit


    // Create the Server Group to point to CLEARPASS

    (A_RAK_Master) ^[mynode] (config) #aaa server-group MAC-PSK-CLEARPASS
    (A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #auth-server CLEARPASS
    (A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #exit


    // Create the AAA Profile and map neccessary profiles


    (A_RAK_Master) ^[mynode] (config) #aaa profile MAC-PSK-AAA
    (A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #initial-role MAC-PSK-INITIAL
    (A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #mac-default-role MAC-PSK-DEFAULT
    (A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #mac-server-group MAC-PSK-SERVER-GROUP
    (A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #authentication-mac MAC-PSK-AUTH
    (A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #authentication-dot1x default
    (A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #exit


    // Create the Virtual AP Profile and map the AAA ,SSID profiles and assign a VLAN


    (A_RAK_Master) ^[mynode] (config) #wlan virtual-ap MAC-PSK
    (A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #aaa-profile MAC-PSK-AAA
    (A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #ssid-profile MAC-PSK-SSID
    (A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #vlan 5,1,8 // to map multiple vlans use the comma
    (A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #exit


    // Create an AP Group and map the Virtual AP Profile


    (A_RAK_Master) ^[mynode] (config) #ap-group MAC-PSK
    (A_RAK_Master) ^[mynode] (AP group "MAC-PSK") #virtual-ap MAC-PSK


    // Save the Configuration


    (A_RAK_Master) ^[mynode] (AP group "MAC-PSK") #write mem



    --Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
    --Problem Solved? Click "Accepted Solution" in a post.



    mac+psk.txt   4 KB 1 version

  • 6.  RE: WPA2 PSK + MAC Authentication

    Posted Sep 18, 2018 02:39 AM



    do you have a configuration example for WPA2 PSK + MAC authentication (Internal on the controller)?




  • 7.  RE: WPA2 PSK + MAC Authentication

    Posted Sep 18, 2018 03:20 AM

  • 8.  RE: WPA2 PSK + MAC Authentication

    Posted Sep 18, 2018 05:33 AM

    Yes I have configured it as in this forum topic and I have add one mac as a user

    But still every client can connect with the wpa 2 psk and mac authentication is still not working.



  • 9.  RE: WPA2 PSK + MAC Authentication

    Posted Mar 13, 2019 02:50 PM

    I just noticed that I have a PSK-MAC-auth SSID with way too many connected users and stumbled onto this thread looking for help.


    I'm running 6.4 and 6.5 on my controllers and found Victor Fabian's tip to work for me - I changed the initial role from "logon" to "denyall" (default role) - rather than bounce the users off the wireless, I'm just waiting for them to re-auth and I watching them drop off one-by-one.


    A difference in my situation is that I'm using ClearPass for the MAC auth - otherwise my configuration looks pretty much like OP.