I've set up MAC authentication on an SSID intended for user-owned devices. I have not configured any security since my intention is to allow only authorized MACs to connect and use the SSID in question.
My understanding is that one needs to enable MAC authentication, choose InternalServer, and then add MAC address as username and password in the internal server database for each device I wish to allow.
I'm finding that clients can connect even though I have not added their MAC addresses to the database.
This is IAP firmware 220.127.116.11-18.104.22.168_42384.
There are 4 access rules in this order:
Allow DNS to All
Allow http to All
Allow https to All
Deny Any to All
Did you put MAC addresses with no delimiter in the internal database?
That is correct, no delimiter; uppercase support disabled; blacklisting disabled.
What is the initial role in the AAA profile? Configure a policy called "DENYALL-POL" (any any any drop) and create a role called "DENYALL-ROLE". Assign DENYALL-POL to DENYALL-ROLE. Set this role as the initial role.
Configure the Default MAC Authentication role as whatever role you like. A device should get the Default MAC auth role if everything else is configured right.
Below is the configuration which I have done:
!! Create MAC Authentication Profile
!! Create Server Group and add server in it
!! Create AAA profile and add Server Group & MAC Authentication profile in it
!! Create SSID profile
!! Create VAP and assign AAA & SSID profile to VAP
!! Create AP group and add VAP into it
aaa authentication mac "MAC-Athentication-Profile"
   delimiter colon
   max-authentication-failures 0
aaa server-group "MAC-Authentication-ServerGroup"
   auth-server "Internal" position 1
aaa profile "MAC-Authentication-AAA-Profile"
   mac-default-role authenticated
   initial-role logon
   mac-server-group "MAC-Authentication-ServerGroup"
   authentication-mac "MAC-Athentication-Profile"
   authentication-dot1x "default"
wlan ssid-profile "MAC-Authentication-SSID-Profile"
   essid MAC-Authentication
   wpa-passphrase murad123
   opmode wpa2-psk-aes
wlan virtual-ap "MAC-Authentication-VAP-Profile"
   vlan 1
   aaa-profile "MAC-Authentication-AAA-Profile"
   ssid-profile "MAC-Authentication-SSID-Profile"
ap system-profile "MAC-Authentication-APSystemProfile"
ap-group "AP-Group"
   virtual-ap "MAC-Authentication-VAP-Profile"
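Added example, not part of the thread and not Aruba's code: a small Python audit of the two points raised in the replies above, namely whether the AAA profile's initial role is the deny-all role, and whether the usernames stored in the internal database match the delimiter and case the MAC authentication profile will send. The sample config and usernames are constructed, and treating a missing `delimiter` or `case` line as "none" and lowercase is an assumption.

```python
import re

# Constructed sample in the style of the configuration posted above.
SAMPLE_CONFIG = '''\
aaa authentication mac "MAC-Athentication-Profile"
   delimiter colon
aaa profile "MAC-Authentication-AAA-Profile"
   initial-role logon
   authentication-mac "MAC-Athentication-Profile"
'''
SEPARATORS = {"none": "", "colon": ":", "dash": "-"}

def parse_stanzas(text):
    """Map each top-level line to a dict of its indented 'key value' lines."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blanks and '!' comment lines
        if not line[0].isspace():
            current = stanzas.setdefault(line.strip(), {})
        elif current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value.strip('"')
    return stanzas

def expected_username(mac, delimiter="none", upper=False):
    """Format a MAC as the username the profile's delimiter/case describe."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if upper else digits.lower()
    return SEPARATORS[delimiter].join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(text, db_usernames, deny_role="DENYALL-ROLE"):
    """Return findings for the initial-role and username-format checks."""
    findings, stanzas = [], parse_stanzas(text)
    for header, body in stanzas.items():
        if not header.startswith("aaa profile "):
            continue
        role = body.get("initial-role")
        if role != deny_role:
            findings.append(f"{header}: initial-role is {role!r}, not {deny_role!r}")
        mac_name = body.get("authentication-mac")
        mac_prof = stanzas.get(f'aaa authentication mac "{mac_name}"', {})
        delim = mac_prof.get("delimiter", "none")  # assumed default: none, lowercase
        for name in db_usernames:
            want = expected_username(name, delim, mac_prof.get("case") == "upper")
            if name != want:
                findings.append(f"user {name!r} will not match; expected {want!r}")
    return findings
```
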