Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Can we run MAC authentication first, then 802.1x for the same SSID?

  • 1.  Can we run MAC authentication first, then 802.1x for the same SSID?

    Posted Sep 06, 2023 06:58 AM

    Hi,

    I was wondering, can we run MAC authentication first, then 802.1x for the same SSID? My customer has this odd request where 1 ID can only use 1 device.

    I was thinking of using MAC address authentication as a workaround solution, provided we can configure MAC authentication + 802.1x authentication in the same SSID.



  • 2.  RE: Can we run MAC authentication first, then 802.1x for the same SSID?

    Posted Sep 07, 2023 02:57 AM

    Yes, you can have both authorization methods enabled on the same SSID. To retain security, you should not allow the same access for MAC-authenticated devices that you allow .1x-authenticated devices. This would just negate all your hard work on .1x security if you bypass it via insecure MAC authentication.

    Usually in such a situation you deploy a role with limited access for MAC-auth clients and a role with appropriate access for .1x clients.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Expert 2023
    ------------------------------



  • 3.  RE: Can we run MAC authentication first, then 802.1x for the same SSID?

    EMPLOYEE
    Posted Sep 07, 2023 11:54 AM

    This is something that can be easily accomplished through policy on some RADIUS servers (ClearPass for instance) but is not something that will be directly accomplished through the WLAN hardware.

    Also, MAC auth on a WLAN utilizing EAP authentication methods is useless.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 4.  RE: Can we run MAC authentication first, then 802.1x for the same SSID?

    Posted Sep 08, 2023 10:31 AM

    On a single SSID you can have MAC AND 802.1X - but not MAC-auth or 802.1X (trust me, I've been down the rabbit hole).

    You could possibly try a derivation rule to match the MAC address and set a role, but I am not sure how that works with authentication in the event 802.1X fails... still might apply the user role.

    What is your RADIUS server?



    ------------------------------
    ACNSP | ACCP | ACMP | ACEP
    ------------------------------



  • 5.  RE: Can we run MAC authentication first, then 802.1x for the same SSID?

    EMPLOYEE
    Posted Sep 08, 2023 10:37 AM

    An 802.1X authentication REJECT will result in no WLAN connection, which is why having MAC and 802.1X on the same WLAN is useless: you have to pass both to gain access, and a separate MAC auth doesn't do anything productive.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 6.  RE: Can we run MAC authentication first, then 802.1x for the same SSID?

    Posted Sep 08, 2023 10:59 AM

    Maybe some more info from the OP would be nice before we start telling customers what they want to do is useless?

    It's not clear on whether they are asking if this one specific device can do MAC-auth only on their 802.1X SSID, or whether they simply need a policy that says:

    if user eq joeshcmoe AND MAC noteq xx:xx then deny

    If it is the latter, it wouldn't be MAC auth at all.

    @dpjw36 can you clarify?



    ------------------------------
    ACNSP | ACCP | ACMP | ACEP
    ------------------------------



  • 7.  RE: Can we run MAC authentication first, then 802.1x for the same SSID?

     
    Posted Sep 08, 2023 11:39 AM

    @bd_87 We try to preemptively steer customers and VARs clear of things that in the end are not secure or create more work for them with little to show for it.

    There is a minority of customers that use MAC authentication, and for them we have to keep that feature.

    For customers that are using any type of EAP and are also Microsoft shops, it is trivial to enable auto-enrollment via group policy and then turn on EAP-TLS. That is much easier than the adds/changes/deletions of managing a list of MAC addresses, and much more secure.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 8.  RE: Can we run MAC authentication first, then 802.1x for the same SSID?

    Posted Sep 17, 2023 02:59 PM

    Hi Guys,

    Thanks for the comments and feedback. There is no CPPM in place, just an MM with 2 MCs, and 802.1x authentication is just using Microsoft NPS. The customer would like to have some users authenticate using MAC addresses and the remaining users authenticate using 802.1x in the same SSID. Is it possible to do that without CPPM?




  • 9.  RE: Can we run MAC authentication first, then 802.1x for the same SSID?

     
    Posted Sep 17, 2023 03:30 PM

    If your SSID is 802.1x, your client must support that layer 2 method (WPA2/3 Enterprise) at minimum and the EAP type supported by the RADIUS server. You cannot mix/match PSK with EAP-PEAP/TLS, for example.

    EDIT: If the devices all support WPA2 Enterprise, the customer can configure the verify caller-id property (the MAC address with no delimiters) in the AD properties of that user, and that will restrict that device to only the MAC address in the verify caller-id box. I haven't used that setting in many years, so your mileage may vary. It is useful for binding a single (or a few) AD user accounts to single MAC addresses when NPS is being used for authentication, but on a large scale it is not practical:

    Configuring User Dial-in Settings
    On a stand-alone server, you configure dial-in settings on the Dial-in tab of the Properties dialog box for a user account in Local Users and Groups. For an Active Directory-based server, the dial-in settings are found on the Dial-in tab of the Properties dialog box for a user account in Active Directory Users and Computers.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------
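The thread makes three separate points about combining MAC authentication and 802.1X on one SSID: an 802.1X REJECT ends the session regardless of MAC auth (post 5), MAC-auth-only clients should land in a restricted role rather than the full 802.1X role (post 2), and a user account can be pinned to one device by comparing the credential to the calling MAC, whether as a RADIUS policy (post 6) or via the NPS "verify caller-id" attribute (post 9). The toy policy evaluator below is an added illustration written for this page; it is not Aruba, ClearPass or NPS code, and the user-to-MAC bindings, the MAC allowlist, the role names and the request samples are all constructed. It models the decision order a RADIUS policy would need, with the delimiter-free MAC comparison the caller-id approach relies on.

```python
"""
Toy RADIUS-style authorization policy (added example, not from the thread).

Models three points raised in the discussion:
  1. an 802.1X REJECT means no WLAN access, whatever MAC auth said;
  2. MAC-auth-only clients get a limited role, 802.1X clients a full role;
  3. a user account can be bound to a single MAC (the NPS "verify caller-id"
     idea), so a valid credential presented from another device is denied.
All bindings, allowlists, role names and sample requests are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed: user -> permitted MAC, stored delimiter-free like caller-id.
USER_MAC_BINDINGS = {
    "joeschmoe": "aabbccddeeff",
}

# Constructed: devices that may connect with MAC auth alone (a printer, say).
MAC_AUTH_ALLOWLIST = {"001122334455"}

ROLE_FULL = "employee-full"       # constructed role name
ROLE_LIMITED = "mac-auth-limited"  # constructed role name


@dataclass
class AuthRequest:
    username: Optional[str]      # None for a pure MAC-auth request
    calling_station_id: str      # MAC as the controller sends it, any delimiter style
    dot1x_result: Optional[str]  # "ACCEPT", "REJECT", or None if no 802.1X ran


def normalize_mac(mac: str) -> str:
    """Lowercase and drop delimiters so 'AA-BB-CC-DD-EE-FF' == 'aabbccddeeff'."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def authorize(req: AuthRequest) -> Tuple[str, Optional[str]]:
    """Return (decision, role); decision is 'ACCEPT' or 'REJECT'."""
    mac = normalize_mac(req.calling_station_id)

    # Point 1: a failed 802.1X exchange is final; MAC auth cannot rescue it.
    if req.dot1x_result == "REJECT":
        return ("REJECT", None)

    if req.dot1x_result == "ACCEPT" and req.username:
        # Point 3: if the account is bound to a device, the MAC must match.
        bound = USER_MAC_BINDINGS.get(req.username)
        if bound is not None and bound != mac:
            return ("REJECT", None)
        return ("ACCEPT", ROLE_FULL)

    # Point 2: no 802.1X at all -> only listed MACs, and only a restricted role.
    if mac in MAC_AUTH_ALLOWLIST:
        return ("ACCEPT", ROLE_LIMITED)
    return ("REJECT", None)


if __name__ == "__main__":
    samples = [
        AuthRequest("joeschmoe", "AA:BB:CC:DD:EE:FF", "ACCEPT"),  # right device
        AuthRequest("joeschmoe", "11:22:33:44:55:66", "ACCEPT"),  # wrong device
        AuthRequest("joeschmoe", "AA:BB:CC:DD:EE:FF", "REJECT"),  # bad credential
        AuthRequest(None, "00-11-22-33-44-55", None),             # allowlisted MAC
        AuthRequest(None, "de:ad:be:ef:00:01", None),             # unknown MAC
    ]
    for s in samples:
        print(s.username, s.calling_station_id, s.dot1x_result, "->", authorize(s))
```

Note that the restricted role is only ever issued when no 802.1X exchange took place; a client that attempts 802.1X and fails never falls back to it, which is the behaviour post 5 describes.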