Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

802.1x + Mac authen

  • 1.  802.1x + Mac authen

    Posted Dec 07, 2021 12:05 PM
    Hello everyone!

    My customer recently purchased a 7005 controller and wants to set up an SSID using "802.1X with Windows NPS" + "Mac authen with internal DB".
    I tried to set up but the role that the client got last is confusing me. 

    Based on my understanding, the flow should be like:
    internal DB mac authen -> client gets mac authen default role -> 802.1x external AD authen -> client gets 802.1x default role.  Is this not correct?

    Or should it be like this:
    802.1x external AD authen -> client gets 802.1x default role -> internal DB mac authen -> client gets mac authen default role.

    Sorry if my question is dumb, I am very new to Aruba :P

    Best Regards,
    Kenji Wong



    ------------------------------
    kenji Wong
    ------------------------------


  • 2.  RE: 802.1x + Mac authen

    Posted Dec 07, 2021 02:52 PM
    MAC-AUTH will happen before 802.1x.

    ------------------------------
    Dustin Burns
    Lead Mobility Engineer @WEI

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2021
    If my post was useful accept solution and/or give kudos
    ------------------------------



  • 3.  RE: 802.1x + Mac authen

    Posted Dec 07, 2021 09:30 PM
    @DB86 Thanks for the reply. That's what I thought in the first place. However the result is interesting.

    On the first try, after the client came online, he got the Machine Authentication: Default User Role from the 802.1X authen profile instead of the 802.1X Authentication Default Role from the AAA profile.

    Then I tried to figure out why by disabling Enforce Machine Authentication in the 802.1X authen profile and connecting to the SSID again. This time, the client got the 802.1X Authentication Default Role from the AAA profile; he also could not connect to the SSID if I disabled the MAC address in the internal database.

    Therefore, my question is: what does Enforce Machine Authentication do? Is this only used when I need to authen the MAC address from an external RADIUS? If I only want to authen the MAC address by internal database, then I don't need to tick that?

    I am sorry for so many questions.

    Kenji 


    ------------------------------
    kenji Wong
    ------------------------------