Compound Authentication with WLC && FreeRADIUS

  • 1.  Compound Authentication with WLC && FreeRADIUS

    Posted Feb 06, 2019 10:34 AM

    I've searched in here, as well as some Googling, and have not come up with a solution, so I'm asking.

    I'm using FreeRADIUS 3.0.13-9 on CentOS 7.6 as an authentication server for Airwave, WLC administrative access, and 802.1X.

    Within FR, I am using PEAP/MSCHAPv2 using ntlm_auth as the back-end. I also have some post-auth going on, using LDAP to poll AD for group memberships (only for NAS-IP belonging to the WLC management IPs and Airwave IP).

    I have been tasked with creating a BSSID that requires two methods of authentication: MAC and username/password. Any FreeRADIUS gurus, or Airheads that have any suggestions?


    Thanks



  • 2.  RE: Compound Authentication with WLC && FreeRADIUS

    Posted Feb 06, 2019 10:53 AM

    You can use MAC authentication using the controller's local database to store the MAC addresses: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-MAC-based-authentication-on-Aruba/ta-p/182430



  • 3.  RE: Compound Authentication with WLC && FreeRADIUS

    Posted Feb 06, 2019 11:05 AM

    I get that. I understand how to do one at a time: MAC or User auth. The question is about how to do both for the same BSSID.



  • 4.  RE: Compound Authentication with WLC && FreeRADIUS
    Best Answer

    Posted Feb 06, 2019 11:14 AM

    When you add a MAC authentication profile to the AAA profile, BOTH are done to the same SSID. The device must pass MAC authentication before user authentication.



  • 5.  RE: Compound Authentication with WLC && FreeRADIUS

    Posted Feb 06, 2019 11:15 AM
    A MAC address is simply a piece of authorization data.
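
The idea in the last reply, treating the MAC as authorization data checked on top of the user's authentication result, sketched as an added example that is not part of the original thread and is not FreeRADIUS or Aruba code. The function names, the allowlist and the sample Calling-Station-Id values are constructed for illustration.

```python
import re

# Constructed allowlist of permitted device MACs, stored in one canonical form.
AUTHORIZED_MACS = {"00:1a:2b:3c:4d:5e", "a4:5e:60:aa:bb:cc"}

_HEX12 = re.compile(r"[0-9a-f]{12}")


def canonical_mac(calling_station_id):
    """Normalize a Calling-Station-Id to aa:bb:cc:dd:ee:ff, or None if malformed.

    A NAS may send the MAC with dashes, colons, dots or as bare hex, in either
    case, so the value must be canonicalized before any allowlist lookup.
    """
    if not isinstance(calling_station_id, str):
        return None
    digits = re.sub(r"[-:.\s]", "", calling_station_id).lower()
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(user_authenticated, calling_station_id, allowlist=AUTHORIZED_MACS):
    """Return (decision, reason); accept only if BOTH conditions hold.

    user_authenticated is the outcome of the credential check (for example
    PEAP/MSCHAPv2). The MAC is client-asserted, so it only narrows access on
    top of that check and is never accepted on its own.
    """
    if not user_authenticated:
        return ("reject", "user authentication failed")
    mac = canonical_mac(calling_station_id)
    if mac is None:
        return ("reject", "missing or malformed Calling-Station-Id")
    if mac not in allowlist:
        return ("reject", "MAC not authorized: " + mac)
    return ("accept", "user authenticated and MAC authorized: " + mac)


if __name__ == "__main__":
    # Constructed sample requests: (credential check result, Calling-Station-Id)
    for ok, csid in [(True, "00-1A-2B-3C-4D-5E"), (True, "001a.2b3c.4d5e"),
                     (True, "DE-AD-BE-EF-00-01"), (False, "00:1a:2b:3c:4d:5e"),
                     (True, None)]:
        print(csid, "->", authorize(ok, csid))
```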