Cloud Managed Networks

 View Only
last person joined: yesterday 

Forum to discuss all things related to HPE Aruba Networking Central and UXI Network Management, including deployment of managed networks, configuration, best practices, APIs, Cloud Guest, AIOps, Presence Analytics, and other included Applications
Expand all | Collapse all

Aruba Central - SSID MAC whitelisting

This thread has been viewed 42 times
  • 1.  Aruba Central - SSID MAC whitelisting

    Posted May 20, 2024 08:42 PM


    I want to create a SSID that is open (no PSK or certificate) and blocking all MAC addresses except the ones I whitelist.
    We're using 615s in Aruba Central.

    I see an option for MAC address deny listing in Device > SSID name > Security > Advanced > MAC Authentication and Deny listing but no option for whitelisting.

    How do I set up a whitelist to allow certain devices to connect to a SSID but block all others no on the whitelist?

    Thank you. 

  • 2.  RE: Aruba Central - SSID MAC whitelisting

    Posted May 21, 2024 09:11 AM

    Under the same Advanced Settings you can select the "Primary Server" and set your Radius server and then add the Mac-addresses that you want to allow. An External server is an option but If you utilize the "IntenralServer" then you would just add the users by selecting the "Manage Users" link and add the user with the mac-add being the username and password. If you select Cloud Auth you can then add the mac-addresses under the Global-> Security->Authentication & Policy->Config->Manage MAC Registration

  • 3.  RE: Aruba Central - SSID MAC whitelisting

    Posted May 21, 2024 10:29 PM

    Hi JPuck,

    Am I understanding the 2 options correctly?
    1 - Use an internal Radius server (eg). Microsoft NPS server. In this scenario, I would have to add entries for each MAC address on the NPS server.

    2 - Use an idP (eg) Azure Entra. I'd have to add the MAC addresses in Entra.

    Is there no option to just do the list on the Aruba Central cloud controller?

    Thank you.

  • 4.  RE: Aruba Central - SSID MAC whitelisting

    Posted May 21, 2024 10:52 PM

    I apologize for the confusion. There are 2 options for this that don't require an external radius server. 

    1.  You can input the mac-addresses local to the AP's. Username and pwd of the user is the mac-address. Type has to be Employee. I've attached mac-auth-internal and mac-auth-internal2 images to show this config. 

    2. You can utilize CloudAuth. While this is part of the CloudAuth feature set within Central it is seperate than the Entra/Google setup. You can just add the mac-address and assign a username to the mac-address. I've attached 2 files mac-auth-cloudauth and mac-auth-cloudauth2 showing this setup. 

  • 5.  RE: Aruba Central - SSID MAC whitelisting

    Posted May 21, 2024 11:35 PM

    Hi JPuck,

    Thanks for your help thus far.

    Issue I'm seeing is in my environment, I don't have 'InternalServer' as an option. Just Cloud Auth and our Microsoft NPS servers.
    I tried the + symbol to add a server but they all require an IP address.

    See my attachment.

    Thank you

  • 6.  RE: Aruba Central - SSID MAC whitelisting

    Posted May 21, 2024 11:48 PM

    I didn't realize you were running AOS10. AOS10 won't have the "internal server" option like AOS8. With AOS10 the only Central Only option you would have is to use CloudAuth which I prefer as it allows you to assign a user to the mac-address to help with client identification. Select "CloudAuth" and then just add your mac-addresses in Cloud Auth. This can be done via a CSV file or input one mac-addres at a time. 

  • 7.  RE: Aruba Central - SSID MAC whitelisting

    Posted May 22, 2024 12:02 AM

    I've selected CloudAuth.

    Now when I go back to Global > Security > Authentication & Policy > Config > Manage MAC registrations.
    I can add a MAC address, but I get 'No client role has been selected for default rule, all MAC-based auths will be denied. Go to client policy for more details. (see attachment 1).

    I tried to then go into 'Client Access Policy' to configure a client role as in the guide (Configuring the Global Client Roles ( but there's no Client Roles tab (see attachment 2).

    Thank you 

  • 8.  RE: Aruba Central - SSID MAC whitelisting

    Posted May 22, 2024 12:33 AM

    You are at the correct area. You just need to select a client role for the "unspecified" and that will be the default role.  If your desired role isn't in the list you can create one in the Security/Roles configuration section.

  • 9.  RE: Aruba Central - SSID MAC whitelisting

    Posted May 23, 2024 11:51 PM

    I have it working now.

    Thank you JPuck.