Wireless Access

last person joined: 16 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Assign Role if Auth fails

  • 1.  Assign Role if Auth fails

    Posted Dec 05, 2018 05:56 AM

    Hi,

     

    I'm trying  to create a configuration that will allow user to connect to the same SSID and then be dispatched into multiple VLAN based on MAC-Auth.

     

    If MAC-Auth fails the idea is to place the user in a default VLAN. That will allow us to register only specific MAC to gain access to some VLAN.

     

    802.1x is not possible as it will require change on remote endpoint

     

    For the moment everything works well with the know MAC. Radius send a Accept with the valid return attribute. Unfortunately for unknwown MAC on the RADIUS we receive a rejet and User is deauthenticated...

     

    is there a way to change this ?

     

    Thank you

     

    Best regards

     

    Nicolas



  • 2.  RE: Assign Role if Auth fails

    Posted Dec 06, 2018 10:51 AM

    You are probably looking to replace [MAC Auth] with [Allow All MAC Auth], which will allow authentication for unknown mac addresses as well.

     

    Check this video on where to change it, and I think there is some explanation with it as well.

     



  • 3.  RE: Assign Role if Auth fails

    Posted Dec 06, 2018 11:18 AM

    Hello,

     

    Thank you for your answer.

    Sadly, I think something has been misunderstood we do not have a clearpass server in this topology.

     

    Only a Mobility controller (7205) who is forwarding MAC auth requests to an NPS.

    As it is not possible on the NPS side to have a "allow all mac auth" we would like to know if there is something like "MAC Default Role" at controller-side who could be used as user role even if we receive a mac auth fails from NPS.

     

    We tried that already but without success.

     

    Any ideas?

     

     



  • 4.  RE: Assign Role if Auth fails

    Posted Dec 06, 2018 11:28 AM
    Use the initial role.


  • 5.  RE: Assign Role if Auth fails

    Posted Dec 06, 2018 11:34 AM

    Hello,

     

    That is what we did of course. But it does not work.

    We have opened a TAC case.

     

    For the information our version is : 

    6.5.4.4

    Apparently we would be in precense of a bug. Waiting for confirmation.



  • 6.  RE: Assign Role if Auth fails

    Posted Dec 06, 2018 04:04 PM

    AFAIK the initial role is before authentication. If the NPS send back a reject then you will not get the initial role anymore, right?

     



  • 7.  RE: Assign Role if Auth fails

    Posted Dec 07, 2018 08:12 AM

    Unless you have L2 authentication fallback enabled, that is true. You could use that in this case.