Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC Authentication on WPA2 secured SSID

  • 1.  MAC Authentication on WPA2 secured SSID

    Posted Feb 06, 2012 10:08 AM

    Hi all, 

     

    Has anyone had any success getting devices to authenticate via MAC, on a WLAN which uses 802.1x? (on Aruba OS version 6.1.2.3)

     

    Other forum posts seem to suggest that if you have MAC auth and 802.1x enabled, and the fall-through tick box enabled, devices should attempt MAC authentication first, and follow up with 802.1x if this fails. (Unless I have misunderstood...)

    However, so far devices which I attempt to do this with refuse to connect, instead insisting I enter username credentials. The process logs are not actually showing anything up. The same profiles connecting to Layer3 authenticated SSID works OK.

     

    Also, does each controller keep a separate list of MAC addresses, or does the Master push out lists to the Locals? (Adding the same user to up to 6 separate controllers might get a bit tiresome!)

     

    Any help would be very much appreciated.

     

     



  • 2.  RE: MAC Authentication on WPA2 secured SSID

    EMPLOYEE
    Posted Feb 06, 2012 10:12 AM

    Yes, it does work.  If Layer2 Fail through is unchecked, if a device fails mac authentication, it does not proceed with 802.1x authentication.  With it checked, it will just proceed to 802.1x authentication.  Please turn on user debugging to find out what is happening:

     

    config t

    logging level debug user

     

    The controller stores the MAC addresses in the internal database in the master controller.  By default, all local controllers authenticate to the master, so no need to duplicate.  You can optionally make each controller have a separate copy of its own MAC addresses.

     



  • 3.  RE: MAC Authentication on WPA2 secured SSID

    Posted Feb 06, 2012 10:32 AM

    @cjoseph wrote:

    Yes, it does work.  If Layer2 Fail through is unchecked, if a device fails mac authentication, it does not proceed with 802.1x authentication.  With it checked, it will just proceed to 802.1x authentication.  Please turn on user debugging to find out what is happening:

     

    config t

    logging level debug user

     

    The controller stores the MAC addresses in the internal database in the master controller.  By default, all local controllers authenticate to the master, so no need to duplicate.  You can optionally make each controller have a separate copy of its own MAC addresses.

     


    OK, done...

     

    Not much is appearing in the logs... Getting a DHCP ACK for the mac, if I connect to the Layer3 auth'd SSID...



  • 4.  RE: MAC Authentication on WPA2 secured SSID

    EMPLOYEE
    Posted Feb 06, 2012 10:34 AM

    @eljay wrote:

    @cjoseph wrote:

    Yes, it does work.  If Layer2 Fail through is unchecked, if a device fails mac authentication, it does not proceed with 802.1x authentication.  With it checked, it will just proceed to 802.1x authentication.  Please turn on user debugging to find out what is happening:

     

    config t

    logging level debug user

     

    The controller stores the MAC addresses in the internal database in the master controller.  By default, all local controllers authenticate to the master, so no need to duplicate.  You can optionally make each controller have a separate copy of its own MAC addresses.

     


    OK, done...

     

    Not much is appearing in the logs... Getting a DHCP ACK for the mac, if I connect to the Layer3 auth'd SSID...


    Are you sure that you are enabling mac authentication for the correct AAA profile?

     



  • 5.  RE: MAC Authentication on WPA2 secured SSID

    Posted Feb 06, 2012 10:50 AM

    Apparently not...  :)

     

    There were no references to the test AAA profile I was using... So I've tweaked this. 

     

    Now I can see:- 

    localdb[1816]: <133005> <INFO> |localdb| User 00:19:7e:b3:57:5c authenticated Successfully Authenticated

     

    ... But I'm still prompted for a username for the 802.1x element... implying that both MAC AND 802.1x are required?
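Added example, not part of the original posts and not Aruba's code: a small Python filter for the user debug log that counts internal-database MAC authentication successes per device and lists expected devices that never produced one, which is the symptom seen earlier in the thread when MAC authentication was enabled on the wrong AAA profile. The regular expression is built only from the single `localdb` line quoted above; the function names, the extra sample lines and the inventory list are assumptions made for illustration.

```python
import re
from collections import Counter

# Pattern follows the one localdb line quoted in the thread; lines in any
# other shape are skipped rather than guessed at.
LINE_RE = re.compile(
    r"localdb\[(?P<pid>\d+)\]:\s+<(?P<msgid>\d+)>\s+<(?P<level>\w+)>\s+"
    r"\|localdb\|\s+User\s+(?P<user>\S+)\s+authenticated\s+(?P<result>.+)$"
)

def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff, or None if value is not a MAC address."""
    digits = re.sub(r"[:.\-]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def mac_auth_successes(lines):
    """Count successful internal-database authentications per MAC."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line.strip())
        if not m or "Successfully Authenticated" not in m["result"]:
            continue
        mac = normalize_mac(m["user"])
        if mac:  # ignore internal-db users that are names, not MACs
            hits[mac] += 1
    return hits

def missing_mac_auth(lines, expected_macs):
    """Expected devices with no success line (e.g. wrong AAA profile)."""
    seen = mac_auth_successes(lines)
    wanted = {normalize_mac(m) for m in expected_macs}
    return sorted(m for m in wanted if m and m not in seen)

# Constructed sample: the first line is the one from the thread, the rest are made up.
SAMPLE_LOG = [
    "localdb[1816]: <133005> <INFO> |localdb| User 00:19:7e:b3:57:5c authenticated Successfully Authenticated",
    "localdb[1816]: <133005> <INFO> |localdb| User 00:19:7e:b3:57:5c authenticated Successfully Authenticated",
    "localdb[1816]: <133005> <INFO> |localdb| User guest1 authenticated Successfully Authenticated",
    "dhcpd[1900]: constructed unrelated line mentioning 00:aa:bb:cc:dd:01",
]
EXPECTED = ["00-19-7E-B3-57-5C", "00aa.bbcc.dd01"]  # constructed inventory, mixed notations

if __name__ == "__main__":
    print(dict(mac_auth_successes(SAMPLE_LOG)))
    print("no MAC auth seen for:", missing_mac_auth(SAMPLE_LOG, EXPECTED))
```

A success line here only shows that the MAC step passed; as the thread goes on to establish, the client still has to complete 802.1x on this SSID.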



  • 6.  RE: MAC Authentication on WPA2 secured SSID
    Best Answer

    EMPLOYEE
    Posted Feb 06, 2012 11:13 AM

    For a client to connect successfully on an 802.1x network with encryption it needs a username or password.  That is not optional.  What is optional is passing mac authentication.   The client will not be allowed to connect without passing username and password authentication, no.

     

     

     



  • 7.  RE: MAC Authentication on WPA2 secured SSID

    Posted Feb 06, 2012 11:24 AM

    Ok, I suspected that to be the case. Many thanks for the confirmation.