Security

last person joined: 3 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

MAC Authentication on WPA2 secured SSID

Jump to Best Answer
This thread has been viewed 3 times
  • 1.  MAC Authentication on WPA2 secured SSID

    Posted Feb 06, 2012 10:08 AM

    Hi all, 

     

    Has anyone had any success getting devices to authenticate via MAC, on a WLAN which uses 802.1x? (on Aruba OS version 6.1.2.3)

     

    Other forum posts seem to suggest that if you have MAC auth and 8021.x enabled, and the fall-through tick box enable, devices should attempt MAC authentication first, and follow up with 802.1x If this fails. (Unless I have mis-understood...)

    However, so far devices which i attempt to do this with refuse to connect, instead, insisting I enter username credentials. the process logs are not actually showing anything up. The same profiles connecting to Layer3 authenticated SSID works OK.

     

    Also, does each controller keep a speretate list of MAC addresses, or does the Master push out lists to the Locals? (Adding the same user to up to 6 seperate controllers might get a bit tiresome!)

     

    Any help would be very much appreciated.

     

     



  • 2.  RE: MAC Authentication on WPA2 secured SSID

    Posted Feb 06, 2012 10:12 AM

    Yes, it does work.  If Layer2 Fail through is unchecked, if a device fails mac authentication, it does not proceed with 802.1x authentication.  With it checked, it will just proceed to 802.1x authentication.  Please turn on user debugging to find out what is happening:

     

    config t

    logging level debug user

     

    The controller stores the mac addresses in the internal database in the master controller.  By default, all local controllers authenticate to the master, so no need to duplicate.  You can optionally make each controller have a separate copy if its own mac addresses.

     



  • 3.  RE: MAC Authentication on WPA2 secured SSID

    Posted Feb 06, 2012 10:32 AM

    @cjoseph wrote:

    Yes, it does work.  If Layer2 Fail through is unchecked, if a device fails mac authentication, it does not proceed with 802.1x authentication.  With it checked, it will just proceed to 802.1x authentication.  Please turn on user debugging to find out what is happening:

     

    config t

    logging level debug user

     

    The controller stores the mac addresses in the internal database in the master controller.  By default, all local controllers authenticate to the master, so no need to duplicate.  You can optionally make each controller have a separate copy if its own mac addresses.

     


    OK, done...

     

    Not much is appearing in the logs... Getting a DHCP ACK for the mac, if I connect to the Layer3 auth'd SSID...



  • 4.  RE: MAC Authentication on WPA2 secured SSID

    Posted Feb 06, 2012 10:34 AM

    @eljay wrote:

    @cjoseph wrote:

    Yes, it does work.  If Layer2 Fail through is unchecked, if a device fails mac authentication, it does not proceed with 802.1x authentication.  With it checked, it will just proceed to 802.1x authentication.  Please turn on user debugging to find out what is happening:

     

    config t

    logging level debug user

     

    The controller stores the mac addresses in the internal database in the master controller.  By default, all local controllers authenticate to the master, so no need to duplicate.  You can optionally make each controller have a separate copy if its own mac addresses.

     


    OK, done...

     

    Not much is appearing in the logs... Getting a DHCP ACK for the mac, if I connect to the Layer3 auth'd SSID...


    Are you sure that you are enabling mac authentication for the correct AAA profile?

     



  • 5.  RE: MAC Authentication on WPA2 secured SSID

    Posted Feb 06, 2012 10:50 AM

    Apparently not...  :)

     

    There were no references to the test AAA profile i was using... So i've tweaked this. 

     

    Now I can see:- 

    localdb[1816]: <133005> <INFO> |localdb| User 00:19:7e:b3:57:5c authenticated Successfully Authenticated

     

    ... But i'm still prompted for a username for the 802.1x element... implying that both MAC AND 802.1x are required?



  • 6.  RE: MAC Authentication on WPA2 secured SSID
    Best Answer

    Posted Feb 06, 2012 11:13 AM

    For a client to connect successfully on an 802.1x network with encryption it needs a username or password.  That is not optional.  What is optional is passing mac authentication.   The client will not be allowed to connect without passing username and password authentication, no.

     

     

     



  • 7.  RE: MAC Authentication on WPA2 secured SSID

    Posted Feb 06, 2012 11:24 AM

    Ok, I suspected that to be the case. Many thanks for the confirmation.