I was wondering, can we run MAC authentication first, then 802.1x for the same SSID? My customer has this odd request where one ID can only use one device.
I was thinking of using MAC address authentication as a workaround solution, provided we can configure MAC authentication + 802.1x authentication in the same SSID.
Yes, you can have both authorization methods enabled on the same SSID. To retain security, you should not allow MAC-authenticated devices the same access that you allow .1x-authenticated devices. This would just negate all your hard work on .1x security if you bypass it via insecure MAC authentication.
Usually in such a situation you deploy a role with limited access for MAC-auth clients and a role with appropriate access for .1x clients.
This is something that can be easily accomplished through policy on some RADIUS servers (ClearPass for instance) but is not something that will be directly accomplished through the WLAN hardware.
Also, MAC auth on a WLAN utilizing EAP authentication methods is useless.
On a single SSID you can have MAC AND 802.1X - but not MAC-auth or 802.1X (trust me, I've been down the rabbit hole).
You could possibly try a derivation rule to match the MAC address and set a role, but I am not sure how that works with authentication in the event 802.1X fails... still might apply the user role.
What is your RADIUS server?
802.1X authentication REJECT will result in no WLAN connection. Which is why having MAC and 802.1X on the same WLAN is useless, you have to pass both to gain access and a separate MAC auth doesn't do anything productive.
Maybe some more info from the OP would be nice before we start telling customers what they want to do is useless?
It's not clear whether they are asking if this one specific device can do MAC-auth only on their 802.1X SSID, or whether they simply need a policy that says:
if user eq joeshcmoe AND MAC noteq xx:xx then deny
If it is the latter, it wouldn't be MAC auth at all.
@dpjw36 can you clarify?
@bd_87 We try to preemptively steer customers and VARs clear of things that in the end are not secure or create more work for them with little to show for it.
There is a minority of customers that use MAC authentication, and for them we have to keep that feature.
For customers that are using any type of EAP, and are also Microsoft shops, it is trivial to enable auto-enrollment via group policy and then turn on EAP-TLS. That is much easier than the adds/changes/deletions of managing a list of MAC addresses, and much more secure.
Thanks for the comments and feedback. There is no CPPM in place, just an MM with 2 MCs, and 802.1x authentication is just using Microsoft NPS. The customer would like to have some users authenticate using MAC addresses and the remaining users authenticate using 802.1x in the same SSID. Is it possible to do that without CPPM?
If your SSID is 802.1x, your client must support that layer 2 method (WPA2/3 enterprise) at minimum and the EAP type supported by the radius server. You cannot mix/match PSK with EAP-PEAP/TLS for example.
EDIT: If the devices all support WPA2 Enterprise, the customer can configure the verify caller-id property (the MAC address with no delimiters) in the AD properties of that user, and that will restrict that user to only the MAC address in the verify caller-id box. I haven't used that setting in many years, so your mileage may vary. It is useful for binding a single (or a few) AD user accounts to single MAC addresses when NPS is being used for authentication, but on a large scale it is not practical:
Configuring User Dial-in Settings
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Quoted thread (Subject: Can we run MAC authentication first, then 802.1x for the same SSID?):
Sep 08, 2023 10:59 AM, from bd_87 (ACNSP | ACCP | ACMP | ACEP)
Sep 08, 2023 10:37 AM, from chulcher (Carson Hulcher, ACEX#110)
Sep 08, 2023 10:31 AM, from bd_87 (ACNSP | ACCP | ACMP | ACEP)
Sep 06, 2023 06:57 AM, from dpjw36
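The thread settles on two points: a MAC-only client must never receive the role a passed-EAP client gets, and "one ID, one device" is really a RADIUS-side policy of the form `if user eq X AND MAC noteq Y then deny` (what NPS's Verify Caller-ID box does per user), not MAC auth. The following is an added example written for this page, not code from Aruba, NPS or ClearPass: a small policy evaluator that models that decision. The role names, user-to-MAC bindings, the MAC allowlist and the request data are constructed for illustration, and the Calling-Station-Id formats it normalizes are the common vendor spellings of the same address.

```python
"""Added example (not Aruba/NPS/ClearPass code): RADIUS-side policy that binds a
user to one or a few devices while keeping MAC-only clients in a limited role."""
import re
from dataclasses import dataclass
from typing import Optional

ROLE_DOT1X = "employee"           # assumed role name for clients that passed EAP
ROLE_MAC_ONLY = "mac-restricted"  # assumed limited role for MAC-auth-only clients

# Per-user device binding, the equivalent of NPS's Verify Caller-ID setting.
# Values are 12 hex digits, no delimiters. Constructed sample data.
USER_DEVICE_BINDINGS = {
    "joeschmoe": {"001122334455"},
    "janedoe": {"AABBCCDDEEFF", "AABBCCDDEE00"},  # a user allowed two devices
}

# Devices allowed to skip EAP entirely (printers, badge readers). Constructed.
MAC_AUTH_ALLOWLIST = {"0A1B2C3D4E5F"}


def normalize_mac(calling_station_id: str) -> Optional[str]:
    """Reduce a Calling-Station-Id to 12 uppercase hex digits.

    NAS vendors differ: 00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455
    and 001122334455 all name the same device. Anything that does not yield
    exactly 12 hex digits is treated as malformed and matches nothing.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id)
    if len(digits) != 12:
        return None
    return digits.upper()


@dataclass(frozen=True)
class AccessRequest:
    user_name: Optional[str]    # None for a MAC-auth-only request (no EAP identity)
    calling_station_id: str     # client MAC as the NAS sent it
    eap_passed: bool            # outcome of the EAP exchange, if one happened


@dataclass(frozen=True)
class Decision:
    accept: bool
    role: Optional[str]
    reason: str


def evaluate(req: AccessRequest) -> Decision:
    """Decide Access-Accept/Reject and the role to hand back to the controller."""
    mac = normalize_mac(req.calling_station_id)
    if mac is None:
        return Decision(False, None, "malformed Calling-Station-Id")

    # MAC-auth-only request: there was no EAP, so the 802.1X role is never granted.
    if req.user_name is None:
        if mac in MAC_AUTH_ALLOWLIST:
            return Decision(True, ROLE_MAC_ONLY, "mac allowlist")
        return Decision(False, None, "unknown mac and no eap")

    # 802.1X request: EAP must succeed first; a Reject here means no WLAN at all.
    if not req.eap_passed:
        return Decision(False, None, "eap failed")

    # Then enforce the user-to-device binding, where one exists for this user.
    allowed = USER_DEVICE_BINDINGS.get(req.user_name.lower())
    if allowed is not None and mac not in allowed:
        return Decision(False, None, "device not bound to user")
    return Decision(True, ROLE_DOT1X, "eap ok, bound device" if allowed else "eap ok")


if __name__ == "__main__":
    # Constructed requests covering the cases discussed in the thread.
    samples = [
        AccessRequest("joeschmoe", "00:11:22:33:44:55", True),   # his device
        AccessRequest("joeschmoe", "66-77-88-99-aa-bb", True),   # someone else's
        AccessRequest("joeschmoe", "00:11:22:33:44:55", False),  # wrong password
        AccessRequest(None, "0a1b.2c3d.4e5f", False),            # printer, MAC only
        AccessRequest(None, "00:11:22:33:44:55", False),         # laptop trying MAC only
        AccessRequest("unbounduser", "de:ad:be:ef:00:01", True), # no binding configured
    ]
    for request in samples:
        print(request, "->", evaluate(request))
```

The ordering matters: the EAP result is checked before the binding, so a failed EAP never "falls back" to a MAC decision, and a MAC-only request can at best land in the restricted role. Whether the controller sends the MAC with dashes, colons or nothing is a RADIUS server profile setting on the NAS side; the normalizer above is what lets the binding table stay in one format regardless.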
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.