Hey all, I have a MAC authentication question.I have set up a SSID and created the appropriate firewall policies (Which work) however I also want to add a layer of security with Mac Authentication.I have MAC Auth enforced and the initial Role set to "Denyall". Basically if the MAC addy is not in the Internal DB then they should have the inital role set to them and they cannot do anything. Problem is, im testing on a computer first that is not in the Database and it is still allowing me to access whatever I would usually access (If i was authenticated)Any help would be greatly appreciated!
Can you please shared your config ?
show rights <intial role>
show aaa profile <mac auth profile>
Do you have a MAC Auth Profile and MAC Auth Server group set in your AAA profile that is configured for the virtual ap?
Yes, both Mac Authentication Profile and MAC Authentication Server Group are configured.AAA Profile Config
Initial Role: denyall
MAC Authentication Default Role: Development-Access
Enforce Machine Authentication: Yes
I have ran into situations where a device had a previous successful authentication and the controller "remembered" the device. I had to manually kick the client for the network. After that it worked normally.
Like Cappalli mentioned you will need to configure these parameters so the controller will know how to process the request and where to look for the entry.
The Server group configuration:
The MAC profile configuration:
After creating these you can apply them to your AAA profile:
You should turn off enforce machine authentication. This is only used for 802.1x with AD-joined machines.
Jamie, You were right, had to kick off the client and then it worked.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.