Aruba Employee

Why don't clients perform MAC authentication when switching from one VLAN to another?


Web-based onboarding is enabled with 2 SSIDs: the 1st SSID is used to onboard the device and capture its MAC address, while the 2nd SSID allows the connection.


For optimal performance, Aruba's current design caches the MAC authentication result (i.e. failure or success) and reuses it for attempts made while the user's entry is present in the controller.

Device onboarding is a special scenario in which MAC authentication fails on the initial attempt and passes on later attempts. In this case, caching the first authentication result would mean the device does not attempt MAC authentication a second time. To avoid this, we can use the "registration role" option on the initial role of the 1st SSID. This ensures that the MAC authentication result isn't cached and that authentication is performed against the server on reconnection.

Example:

AAA profile mapped to the SSID with VLAN 101. The user first connects to this SSID for device enrollment.

aaa profile "clp-guest-aaa"
   initial-role "clp-pre-auth"
   authentication-mac "clp-guest"
   mac-default-role "authenticated"
   mac-server-group "cppm-srv-grp"

AAA profile mapped to the SSID with VLAN 102. After device enrollment, the user connects to this SSID.

aaa profile "clp-mdm-aaa"
   initial-role "clp-mdm-user"
   authentication-mac "clp-guest"
   mac-default-role "clp-mdm-user"
   mac-server-group "cppm-srv-grp"

With MAC authentication enabled on the first SSID, its initial role has to be made a registration role so that MAC authentication happens again when the user connects to the second SSID.

user-role clp-pre-auth
   captive-portal "default"
   access-list session geotrust-crl
   access-list session logon-control
   access-list session captiveportal
   access-list session vpnlogon
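
The caching behaviour described above, as an added example that is not part of the original article and is not ArubaOS code. It is a simplified model: the class and function names are hypothetical, the MAC address is constructed, and only the role and profile names come from the configuration shown here.

```python
# Simplified model of the caching behaviour described in this article.
# Class and function names are hypothetical; this is not ArubaOS code.

GUEST_AAA = {"initial_role": "clp-pre-auth", "mac_default_role": "authenticated"}
MDM_AAA = {"initial_role": "clp-mdm-user", "mac_default_role": "clp-mdm-user"}
MAC = "00:00:5e:00:53:01"  # constructed sample address


class AuthServer:
    """Stand-in for the MAC authentication server (cppm-srv-grp)."""
    def __init__(self):
        self.enrolled = set()
        self.requests = 0

    def mac_auth(self, mac):
        self.requests += 1
        return mac in self.enrolled


class Controller:
    def __init__(self, server, registration_roles=()):
        self.server = server
        self.registration_roles = set(registration_roles)
        self.user_table = {}  # mac -> cached MAC-auth result

    def connect(self, mac, aaa):
        """Return (role, mac_auth_passed) for one association."""
        if mac in self.user_table:
            passed = self.user_table[mac]          # cached result reused
        else:
            passed = self.server.mac_auth(mac)     # ask the server
            if aaa["initial_role"] not in self.registration_roles:
                self.user_table[mac] = passed      # cache pass or fail
        role = aaa["mac_default_role"] if passed else aaa["initial_role"]
        return role, passed


def onboard(registration_roles):
    """Run the two-SSID flow; return (first, second, server_requests)."""
    server = AuthServer()
    ctrl = Controller(server, registration_roles)
    first = ctrl.connect(MAC, GUEST_AAA)   # device not enrolled yet
    server.enrolled.add(MAC)               # web onboarding captures the MAC
    second = ctrl.connect(MAC, MDM_AAA)    # user moves to the second SSID
    return first, second, server.requests


if __name__ == "__main__":
    print(onboard(()))                 # cached failure is reused
    print(onboard({"clp-pre-auth"}))   # server is asked again
```

In the first run the server is contacted once and the stale failure is reused on the second SSID; in the second run the initial role is treated as a registration role, so the server is contacted again and the enrolled device passes.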

Version history
Revision #: 1 of 1
Last update: 06-27-2014 01:32 PM