WPA-PSK and VLAN assignment via MAC address
I have a need to be able to place arbitrary devices such as wireless enabled printers on an arbitrary VLAN. The most secure wireless auth method that many of these devices support seems to be WPA-PSK. Having authentication of a device rely strictly on a PSK is less than desirable. Also I'd like to avoid having a per-device SSID to place them on the appropriate VLANs.
In my mind I should be able to have a common SSID with a shared PSK and assign the devices to the appropriate VLAN based on the devices MAC address. In order to have this be scriptable and long-term maintainable I'd like to have the VLAN mapping done via RADIUS. Is there any way to configure the controller to validate the PSK then send a RADIUS login request consisting of the MAC address and have RADIUS instruct the controller what policy or VLAN to place them in?
All I'm finding so far is information on Windows Machine based authentication and there would be no Windows involved on either end of this. Any ideas on how to implement such a thing would be appreciated, Thanks!
You can enable MAC authentication for the SSID by enabling it under the AAA profile in use. Under Configuration > Authentication > L2 Authentication, you can setup a MAC authentication profile that controls how the MAC addresses are checked (delimiter and upper/lower case). Once you create it the way you like it, go into Configuration > Authenticaiton > AAA Profiles and create a new profile. Under MAC authentication profile, select the profile you just created. Under MAC authentication server group, select the group that contains your RADIUS server. Enter the MAC address of your clients as the RADIUS username and password AND set a VSA (you may have to load the Aruba RADIUS dictionary file from the support site) of Aruba-User-VLAN. In the Aruba-User-VLAN attribute, pass back the VLAN number.
Now, when someone connects to the SSID, the controller will validate the PSK and the RADIUS server will validate the MAC address and return the VLAN the device should be placed into.
The built-in server group default will authenticate mac addresses to the internal database; radius is an option. If you configure a MAC authentication profile and authenticate to the server-group default, you can just add the mac addresses to the local database of the controller (username AND password is the mac address). The server-group default also has a rule "set role condition role value-of", which means that if you add the mac addresses to the local database with a particular role, it will override the default mac authentication role that users will get if they pass mac authentication. This means you can have a default role that users would normally get for passing mac authentication if their mac address does not have a role specified in the internal database. You can also add mac addresses with a defined role that will override the default for special devices like a printer, that you specified.