10-24-2019 08:07 PM
With aruba controller 7010, is it possible to configure both MAC authen and 802.1X together for 1 SSID (MAC will config/authen before on local controller, then 802.1x will authen with external radius) ?
Solved! Go to Solution.
10-24-2019 11:30 PM
Yes, that is possible, you have to configure MAC Auth in the AAA Profile.
Clients will get the MAC authentication default role if they pass 802.1x authentication AND mac authentication. If they do not pass MAC authentication, they will not be allowed to connect.
In the AAA profile if you enable "layer 2 failthrough", devices that pass 802.1x authentication, but fail MAC authentication will still get the default 802.1x role in the AAA profile and be able to pass traffic.
But why would you do MAC auth before 802.1X?
To get a more secured MAC auth I would lead with Tools like ClearPass which is doing Fingerprinting to prevent MAC spoofing.
Re: Aruba Controller 7010 - 802.1X and MAC authentication
10-25-2019 02:00 AM
Before that I did using IAP Instant 215 and it had feature "Perform MAC authentication before 802.1X", only one thing that on AP-215 cannot combine 802.X with external radius and MAC authen on local AP-215, required MAC have to add on the same external radius with 802.1X. So I think it the same when migrate to controller 7010.
Clearpass is the next step on our migration.