Occasional Contributor II

MAC Authentication

Hi all,

I need to do MAC authentication for a couple of machines that will be connected via a wired port on a RAP5.

Looking at the user guide, I see that I need to add a new user to the internal database, with the username and password both as the MAC address (using the appropriate delimiter as specified in the 'MAC authentication profile').

Once I've done this, the guide doesn't state (or I cant find where) what to do next. I presume that I need to use the server group 'internal' (as the username is stored in the internal DB). I note that there is an AAA profile 'default-mac-auth' however this doesn't reference the internal server group. A suitable AAA profile must then be selected in the wired port profile section.

Can anyone comment on my presumptions, and the (potential) discrepancy for the use of the profile default-mac-auth without the internal server group?

Also, when a user is created in the internal database on our master, is there any way to automatically sync this to the local controller(s) in the network?

Guru Elite

Re: MAC Authentication

Mac authentication is performed when:

- A mac authentication profile is created in a AAA profile
- A mac authentication server group is added to the AAA profile, as well

The mac authentication profile activates mac authentication and determines if the mac address is going to be submitted to the mac authentication server with or without delimiters, in capitals or small letters. This will determine how you add the mac address as a user and password to the internal database.

To do wired mac authentication, you need to make that wired port profile untrusted (important), and then attach a AAA profile to that wired port profile that has a mac authentication profile, as well as a mac authentication server group configured (if you are using the internal database, you can just select the internal database server group). You should also configure a mac authentication default role in the AAA profile which will determine what role the device will get when it authenticates sucessfully via mac address. If the wired user does not pass mac authentication, it will stay in the initial role of the AAA profile

You should also turn on user debugging to see whether the user passes, or fails and why:

config t
logging level debug user
show log user

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: MAC Authentication

Thanks for another quick reply Colin, I'll give that a shot.

Search Airheads
Showing results for 
Search instead for 
Did you mean: