Wireless Access

 View Only

  • 1.  WPA3-AES-CCM-128 with EntraID as CloudAuth + MAC filtering

    Posted Oct 14, 2024 09:53 AM

    HI!

    I am Aruba central admin
    We have few AP 535 and few AOS-S switches
    I configured SSID "WIFIenterprise" WPA3-AES-CCM-128 with EntraID as CloudAuth
    And SSID "Guest" with another encryption.
    Please? help me how to configure MAC filtering only for SSID "WIFIenterprise"



  • 2.  RE: WPA3-AES-CCM-128 with EntraID as CloudAuth + MAC filtering

    Posted Oct 14, 2024 03:24 PM

    What you are asking for isn't currently a supported setup from Central NAC.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------

    Original Message


  • 3.  RE: WPA3-AES-CCM-128 with EntraID as CloudAuth + MAC filtering

    Posted Oct 21, 2024 07:51 AM

    Thanks

    And what are that menu used for (see 2 screenshots

    Client access policy
    User for internal server

    )?


    Original Message


  • 4.  RE: WPA3-AES-CCM-128 with EntraID as CloudAuth + MAC filtering

    Posted Oct 21, 2024 09:29 AM

    First screenshot, the client access policy is for MAC authentication, like on an open/enhanced open/PSK/WPA3-SAE or wired (MacAuth/MAB) scenario.

    WPA3-Enterprise (AES-128 CCM) is strong authentication based on an identity, with Cloud Auth it's certificate based controlled by Okta/EntraID/Google-Workspace. You would use the MAC authentication for networks where WPA3-Enterprise is not possible, like headless or IoT devices.

    The second screenshot is the internal user database inside of the AP, which can be used for multiple use-cases but in general not when you use Cloud Auth.

    Adding MAC authentication (weak authentication, trivial to spoof/avoid) to a WPA3-Enterprise (strong security authentication) does not add a lot of security in general and is not so common for that reason.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


  • 5.  RE: WPA3-AES-CCM-128 with EntraID as CloudAuth + MAC filtering

    Posted Oct 21, 2024 09:49 AM

    Thank you for your answer!


    Is it possible to use MAC authentication together with cloud authentication (EntraID) for the SSID "WIFIenterprise" at the same time (for example, cloud authentication takes place only after successful passing of MAC authentication)?

    I'm looking for a solution to ensure that a user who can pass cloud auth, additionally passes mac auth.


    Original Message


Related Content