I recently inherited an Aruba 6000 system (ver 220.127.116.11) that was set up by a predecessor, naturally without documentation whatsoever.
We have a hidden SSID for MAC authentication of certain devices to bypass our captive portal, and the internal database has a number of entries in it. Unfortunately, our setup differs slightly from what I've been able to glean from the manual pages and various KBs that I've come across. The main issue seems to be that, well, it is allowing anyone and everyone to connect.
Also, they had the database set up so that the usernames were "friendly names" (i.e. 'Bob's laptop') and the password as the MAC address. That allowed them on, so they concluded the setup complete. Unfortunately, as it appears to be completely ignoring the database, that probably never worked.
I'm still working my way around the system a bit, so I'm not sure really what would be helpful for anyone to see for this issue. I can of course provide screenshots all day long, but I'm not sure most of them would be of any benefit. What would be helpful to check in chasing down this aggravating issue?
Thanks for any assistance you can provide!
Can you please share your aaa profile config attached to that VAP?
show wlan virtual-ap <virtual ap name>
show aaa profile <profile name>
- Make sure you have the aaa mac authentication profile enabled
- Make sure you have the mac server group pointed to the internal database
- And under the mac auth role, whatever role you want those users to get once they pass mac auth successfully
In addition to Victor's suggestions, make sure of the following.
- within the internal database, the username and password should be the MAC of the device (not the "friendly names")
- the initial role in the AAA profile should be your captive portal role
- as Victor states, the default mac authentication role should be the "bypass" role
It seems quite obvious now that I'm looking in the proper place. The initial role was set to be MAC-Computers, which is what the authenticated role was supposed to be.
I changed it to denyall as the initial role, as the purpose behind the MAC SSID was to bypass the captive portal page (for e-readers, etc). This seems to be keeping rogue machines off the network. Here are my configs just in case anyone else runs across this issue (bolded the changed line), or in case there's a problem with doing it this way.
Thanks for the quick suggestions!
(Aruba6000) # show aaa profile MAC-Computers
AAA Profile "MAC-Computers"
Initial role MAC-Computers
MAC Authentication Profile MAC-Computers
MAC Authentication Default Role MAC-Computers
MAC Authentication Server Group default
802.1X Authentication Profile N/A
802.1X Authentication Default Role MAC-Computers
802.1X Authentication Server Group N/A
L2 Authentication Fail Through Disabled
RADIUS Accounting Server Group N/A
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Disabled
And after the change:
Initial role denyall
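The checklist from the replies above, applied to the before/after "show aaa profile" output Brian posted, as an added Python checker that is not from the thread or from Aruba; the column-aligned sample output is constructed from the page's own values, and the parameter names are assumed to match the CLI's wording.

```python
import re

# "show aaa profile" parameters the checklist above cares about.
PARAMS = (
    "Initial role",
    "MAC Authentication Profile",
    "MAC Authentication Default Role",
    "MAC Authentication Server Group",
)
# Longest names first so a short name never swallows a longer parameter's prefix.
_PARAM_RE = re.compile(
    r"^\s*(" + "|".join(re.escape(p) for p in sorted(PARAMS, key=len, reverse=True))
    + r")\s+(\S.*?)\s*$"
)

# Constructed from the values in the thread (before and after the change).
BEFORE = """AAA Profile "MAC-Computers"
Initial role                       MAC-Computers
MAC Authentication Profile         MAC-Computers
MAC Authentication Default Role    MAC-Computers
MAC Authentication Server Group    default
802.1X Authentication Profile      N/A
"""
AFTER = BEFORE.replace("Initial role                       MAC-Computers",
                       "Initial role                       denyall")

def parse_aaa_profile(output):
    """Return {parameter: value} for the PARAMS present in the CLI output."""
    found = {}
    for line in output.splitlines():
        m = _PARAM_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def audit_aaa_profile(output, bypass_role):
    """Return findings against the checklist; an empty list means the profile is sane."""
    p = parse_aaa_profile(output)
    initial, mac_default = p.get("Initial role"), p.get("MAC Authentication Default Role")
    findings = []
    if p.get("MAC Authentication Profile", "N/A") == "N/A":
        findings.append("no MAC authentication profile attached: the database is never consulted")
    if p.get("MAC Authentication Server Group", "N/A") == "N/A":
        findings.append("no MAC authentication server group: nothing points at the internal DB")
    if initial in (bypass_role, mac_default):
        findings.append(f"initial role {initial!r} already grants the post-auth role: "
                        "unauthenticated clients bypass the portal")
    if mac_default != bypass_role:
        findings.append(f"MAC auth default role is {mac_default!r}, expected {bypass_role!r}")
    return findings
```

Running it against the pasted "before" output reports the initial-role finding that caused the open SSID; the "after" output comes back clean.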
Brian, for what it's worth, if the only purpose of this SSID is for bypassing captive portal via MAC authentication, you could do this all in one SSID. You could set up an SSID with the initial role set to your captive portal logon role and in the same profile set up MAC authentication with its default role set to bypass the initial role.
The fewer SSIDs, the better.....
Interesting--I hadn't really thought of that.
The only caveat would be that there are some additional exceptions in the stateful firewall for the MAC SSID that aren't found in the "normal" public. Would combining both roles limit the ability to allow MAC authenticated machines to have access to a separate firewall whitelist?
If you had a single SSID with an initial role of captive portal and a mac authentication role of, let's say, "mac-authd" or whatever you call it today on your other SSID, each connecting device would get the appropriate role and the firewall rules/ACLs behind it. Essentially they behave the same; just on the other SSID.