Controllerless Networks


Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.

Simple vlan assignment using mac address

  • 1.  Simple vlan assignment using mac address

    Posted 6 days ago
    Hi there,

    I have an iap-205 (soon to be more, but I focus on one for the moment).

    I am trying to get my devices into several vlans, using a single SSID, in the simplest way possible. I have some devices that can't do 802.1x so I'd prefer not to use it, sticking to WPA-PSK.

    The GUI suggests you can simply match "mac address" for vlan assignment. It just doesn't work. I get the feeling it's not implemented this way, but I need to know for sure.

    What's the simplest alternative? Using the internal RADIUS server and making it use the MAC address?


  • 2.  RE: Simple vlan assignment using mac address

    EMPLOYEE
    Posted 6 days ago
    You can assign a different role based on MAC address for a PSK-based SSID.


     


    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Simple vlan assignment using mac address

    Posted 5 days ago
    It looks to me like your example is not exactly what I am after - matching on MAC address, but I guess you're saying I'll have to use roles for this to work. It's cumbersome, but I will try.

    I am asking this because I am using a lot of simple microcontrollers that need to associate. In theory they'd be able to do WPA-enterprise too, but I fear that will take too much memory, so I think this will have to go on a WPA-personal SSID. As I'd like to have a minimum of SSIDs, I want other devices to use it too, so I guess the only way to differentiate would be the MAC address.

    I am already using a RADIUS server for another SSID (which is WPA-enterprise). If there is a way to connect the RADIUS server to the WPA-personal SSID, I could probably solve this by having the RADIUS server look at the MAC address, but I don't think Aruba InstantOS supports using a RADIUS server on a WPA-personal SSID, right?


  • 4.  RE: Simple vlan assignment using mac address

    EMPLOYEE
    Posted 5 days ago
    Yes, generally I believe PSK-based SSIDs don't support RADIUS authentication.
    I have tried it with user role and PSK, and you can easily put them in different user roles. The benefit of this approach is that you can add other access policies to it. But if you want a simpler approach, then you can add it at the VLAN tab of the WLAN configuration, as shown here.






  • 5.  RE: Simple vlan assignment using mac address

    Posted 4 days ago
    Thx. Actually I tried this and it didn't work; the client was always assigned to the default VLAN. Maybe I am doing it wrong somehow.


  • 6.  RE: Simple vlan assignment using mac address

    EMPLOYEE
    Posted 4 days ago
    What was the exact string you were trying to match?




  • 7.  RE: Simple vlan assignment using mac address

    Posted 2 days ago
    Not exactly an answer, but this may be interesting for future googlers.

    It may be possible to use MAC authentication with the internal (role-based) authenticator, but I decided to try something else and it works!

    I configured an SSID of type "wpa personal" (so no user names used, nor certificates...) and checked the box "mac authentication". I was expecting, like I've seen on several other APs for personal/small business use, a box to appear where you can configure MAC addresses to be allowed.

    Instead, you get the same options as when using WPA enterprise, where you can select an internal or external RADIUS server. I selected my already working RADIUS server and watched what happened. Apparently the MAC address is sent to RADIUS in several TLVs, for instance "Calling-Station-Id" and "User-Name". It's also in the "User-Password" TLV. I made a very simple entry in the RADIUS server where username = password = MAC address (without delimiter), assigned a VLAN tag ID, and it works!

    I am considering this for all my SSIDs because strictly I don't need "enterprise" (username, certificates etc.). I just want different clients to end up in different VLANs and this is exactly what it does!
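
The setup described in post 7, as an added example that is not part of any poster's message: a small generator that turns a MAC-to-VLAN inventory into RADIUS user entries where username = password = undelimited MAC. It assumes a FreeRADIUS-style `users` file and lowercase MACs (the thread names neither), uses the standard tunnel attributes for VLAN assignment, and all addresses and VLAN IDs are constructed.

```python
import re

# Constructed sample inventory: MAC (any common notation) -> VLAN ID.
SAMPLE_DEVICES = {
    "AA:BB:CC:00:11:22": 20,   # constructed microcontroller
    "aa-bb-cc-00-11-23": 20,   # constructed microcontroller
    "aabb.cc00.1124": 30,      # constructed laptop
}

def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 hex digits with no delimiter.

    Lowercase is an assumption: match the case your AP actually sends
    in User-Name (check the RADIUS server's debug output).
    """
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def users_entry(mac: str, vlan: int) -> str:
    """Render one entry: username = password = MAC, reply carries the VLAN."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    name = normalize_mac(mac)
    return (
        f'{name} Cleartext-Password := "{name}"\n'
        "\tTunnel-Type = VLAN,\n"
        "\tTunnel-Medium-Type = IEEE-802,\n"
        f'\tTunnel-Private-Group-Id = "{vlan}"\n'
    )

def render_users(devices: dict) -> str:
    """Render all entries, rejecting the same MAC listed in two notations."""
    seen = set()
    blocks = []
    for mac, vlan in devices.items():
        name = normalize_mac(mac)
        if name in seen:
            raise ValueError(f"duplicate MAC after normalization: {name}")
        seen.add(name)
        blocks.append(users_entry(mac, vlan))
    return "\n".join(blocks)

if __name__ == "__main__":
    print(render_users(SAMPLE_DEVICES))
```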