I'm trying to create a configuration that will allow users to connect to the same SSID and then be dispatched into multiple VLANs based on MAC-Auth.
If MAC-Auth fails, the idea is to place the user in a default VLAN. That will allow us to register only specific MACs to gain access to some VLANs.
802.1X is not possible as it will require changes on the remote endpoints.
For the moment everything works well with the known MACs. RADIUS sends an Accept with the valid return attribute. Unfortunately, for MACs unknown to the RADIUS server we receive a Reject and the user is deauthenticated...
Is there a way to change this?
You are probably looking to replace [MAC Auth] with [Allow All MAC Auth], which will allow authentication for unknown MAC addresses as well.
Check this video on where to change it, and I think there is some explanation with it as well.
Thank you for your answer.
Sadly, I think something has been misunderstood: we do not have a ClearPass server in this topology.
Only a Mobility Controller (7205) which is forwarding MAC auth requests to an NPS.
As it is not possible on the NPS side to have an "allow all mac auth", we would like to know if there is something like a "MAC Default Role" on the controller side that could be used as the user role even if we receive a MAC auth failure from the NPS.
We tried that already but without success.
That is what we did of course. But it does not work.
We have opened a TAC case.
For the information our version is :
Apparently we would be in the presence of a bug. Waiting for confirmation.
AFAIK the initial role is before authentication. If the NPS sends back a reject then you will not get the initial role anymore, right?
Unless you have L2 authentication fallback enabled, that is true. You could use that in this case.