Controllerless Networks

last person joined: 2 days ago 

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
Back to discussions
Expand all | Collapse all

Aruba Controller 7010 - 802.1X and MAC authentication

This thread has been viewed 9 times

  • 1.  Aruba Controller 7010 - 802.1X and MAC authentication

    Posted Oct 24, 2019 11:07 PM

    Hello,

     

    With aruba controller 7010, is it possible to configure both MAC authen and 802.1X together for 1 SSID (MAC will config/authen before on local controller, then 802.1x will authen with external radius) ?



  • 2.  RE: Aruba Controller 7010 - 802.1X and MAC authentication
    Best Answer

    EMPLOYEE
    Posted Oct 25, 2019 02:31 AM

    Yes, that is possible, you have to configure MAC Auth in the AAA Profile.

     

    Clients will get the MAC authentication default role if they pass 802.1x authentication AND mac authentication. If they do not pass MAC authentication, they will not be allowed to connect.

    In the AAA profile if you enable "layer 2 failthrough", devices that pass 802.1x authentication, but fail MAC authentication will still get the default 802.1x role in the AAA profile and be able to pass traffic.

     

    But why would you do MAC auth before 802.1X?
    To get a more secured MAC auth I would lead with Tools like ClearPass which is doing Fingerprinting to prevent MAC spoofing.



  • 3.  RE: Aruba Controller 7010 - 802.1X and MAC authentication

    Posted Oct 25, 2019 05:00 AM

    Thank, Cordless

     

    Before that I did using IAP Instant 215 and it had feature "Perform MAC authentication before 802.1X", only one thing that on AP-215 cannot combine 802.X with external radius and MAC authen on local AP-215, required MAC have to add on the same external radius with 802.1X. So I think it the same when migrate to controller 7010.

     

    Clearpass is the next step on our migration.