Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP 103 MAC authentication + RADIUS authentication

  • 1.  IAP 103 MAC authentication + RADIUS authentication

    Posted May 12, 2015 10:58 AM

    Hi,

    Current scenario:

    Virtual Controller formed by 13 IAP 103.

    What the client wants:

    First level of authentication: MAC Address - the client wants to allow only specific machines to access the Corporate Network.

    Second level of authentication: Client's RADIUS Server - after the machine passes, the user authenticates against the Corporate RADIUS Server.

    I've already read some of the threads referring to this kind of topic but found none specifically for this kind of implementation:

    http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/IAP-MAC-Authentication-with-Internal-Server-issue/td-p/112357

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/How-can-I-filter-smart-phones-from-connecting-to-my-WLAN/m-p/111101/highlight/true#M23821

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/External-MAC-Database/td-p/36576

    Is this even possible on IAPs?

    From the aforementioned posts I got the feeling that this is only possible having AAA profiles.

    Most probably I'm mistaken, but I don't see that possibility on the IAPs.

    TIA,

    Pedro



  • 2.  RE: IAP 103 MAC authentication + RADIUS authentication

    EMPLOYEE
    Posted May 12, 2015 11:00 AM

    Do you have ClearPass? You should really handle this with a policy engine and not on the Instant cluster itself.



  • 3.  RE: IAP 103 MAC authentication + RADIUS authentication

    EMPLOYEE
    Posted May 12, 2015 11:04 AM

    The short answer is you can do it using the instructions here (EDIT: BUT you need an external RADIUS server): http://community.arubanetworks.com/t5/Controller-less-WLANs/How-do-I-configure-802-1x-with-MAC-authentication-on-the-same/ta-p/179168

    Long answer: just like Cappalli said, it is better to do all policy in one place, on a RADIUS server, to avoid issues.



  • 4.  RE: IAP 103 MAC authentication + RADIUS authentication

    Posted May 12, 2015 11:26 AM

    Hi Colin,

    That's one of my problems.

    The client tried to have its RADIUS server authenticating the MAC Addresses. We followed these instructions:

    Creating User Accounts in Active Directory for MAC-based Authentication

    With MAC based authentication, domain member computers use the MAC address of their wireless interface as the username and password. Therefore each domain computer requires an associated Windows User account in Active Directory to authenticate. This User account is not the same as its Active Directory computer object. After the User accounts have been created, they can be placed in a Windows security group for authentication.

    Suppose a Windows domain member computer has the MAC address 01:23:45:67:8a:bc on its wireless interface. When connecting to an SSID where MAC based authentication is required, the computer will send its username and password as 01234679abc. This is the MAC address without uppercase or delimiting characters.

    1. Open Active Directory Users and Computers console.
    2. Right click the OU where you want to create the User account.
    3. Select New>User.
    4. Enter a value in the Full name field.
    5. Enter the MAC address without uppercase or delimiting characters for User logon name.
    6. Click Next.
    7. Enter the password which is the same string as the User logon name. Make sure to check User cannot change password and Password never expires.
    8. Click Next.
    9. Click Finish.

    Perform these steps for each computer you want to authenticate. Once the User accounts are created add them to the appropriate Windows security group that is specified in the NPS policy.

    ###################################################################################

    Unfortunately, by the client's own domain rules, passwords have to have some degree of complexity, thus rendering it impossible to do it this way.

    What I was trying to achieve in the Virtual Controller was something like this:

    For MAC authentication:

    Create internal users with the devices' MAC Addresses and have them authenticate against the controller's Internal Server.

    Having passed this level of authentication, I should then go to the RADIUS Server.

    But I think this is not possible.



  • 5.  RE: IAP 103 MAC authentication + RADIUS authentication

    Posted May 12, 2015 11:29 AM
    No, this is not possible. IAP cannot use its internal DB for MAC auth and then use an external DB for 802.1X.

    Are these Windows or non-Windows clients?

    Yan Liu
    Product Manager
    Aruba Instant
    US: +1 650 996 3520
    China: +86 136 212 16844

    Sent from my iPhone


  • 6.  RE: IAP 103 MAC authentication + RADIUS authentication

    Posted May 12, 2015 11:38 AM

    Hi Yan,

    We haven't actually got into the definition of the devices to connect. But, being the employees' network, I think it is fair to assume that these would be certified Windows laptops connecting to this network.

    What the client doesn't want, mainly, are devices that are not controlled by their policies connecting to the network (e.g. smartphones, tablets, etc.).

    Thanks for your reply.

    Cheers,

    Pedro



  • 7.  RE: IAP 103 MAC authentication + RADIUS authentication

    EMPLOYEE
    Posted May 12, 2015 11:40 AM
    The quick simple solution would be to only allow Machine Authentication.


  • 8.  RE: IAP 103 MAC authentication + RADIUS authentication

    Posted May 12, 2015 12:12 PM
    Yes, machine authentication is the best way to ensure only corporate-issued Windows machines with both machine and user accounts in the Active Directory domain can connect to the network.

    Yan Liu
    Product Manager
    Aruba Instant
    US: +1 650 996 3520
    China: +86 136 212 16844

    Sent from my iPhone


  • 9.  RE: IAP 103 MAC authentication + RADIUS authentication

    Posted May 12, 2015 12:14 PM

    Hi Tim,

    Unfortunately, for the client, just the machine authentication is not enough (MAC Addresses are easily spoofed). It has to have both levels of authentication.

    So, in conclusion, just with the Virtual Controller of IAPs it is not possible to have these two levels of authentication.

    That would only be possible having ClearPass and defining these policies in its RADIUS.

    That's what I will say to the client.

    Thanks for all the help.

    Cheers,

    Pedro



  • 10.  RE: IAP 103 MAC authentication + RADIUS authentication

    EMPLOYEE
    Posted May 12, 2015 12:16 PM

    Machine authentication does not use a MAC address. It uses the computer's AD account to authenticate to the network.



  • 11.  RE: IAP 103 MAC authentication + RADIUS authentication

    Posted May 12, 2015 12:16 PM

    Machine authentication means that both the machine account and the user account have to be authenticated against the RADIUS server before the client will get full access. It should be able to satisfy the security requirement, I believe.



  • 12.  RE: IAP 103 MAC authentication + RADIUS authentication
    Best Answer

    Posted May 12, 2015 12:26 PM

    So, what you are saying is that in my SSID security level I'll skip MAC Authentication and let the RADIUS server do all the work (Machine Authentication). Something like this:

    RADIUS: Configuring PEAP-MSCHAPv2 - Machine Authentication

    WPA2-Enterprise with 802.1x authentication can be used to authenticate users or computers in an Active Directory domain. The supplicant (wireless client) authenticates against the RADIUS server (authentication server) using an EAP method configured on the RADIUS server. The gateway AP's (authenticator) role is to send authentication messages between the supplicant and authentication server. This means the RADIUS server is responsible for authenticating users. APs perform EAPOL exchanges with the supplicant and convert these to RADIUS Access-Request messages which are sent to the RADIUS server's IP address and UDP port specified in Dashboard. Gateway APs need to receive a RADIUS Access-Accept message from the RADIUS server in order to grant the supplicant access to the network. For best performance, it is recommended to have the RADIUS server and gateway APs located within the same layer-2 broadcast domain to avoid firewall, routing, or authentication delays. Keep in mind the AP is not responsible for authenticating wireless clients and acts as an intermediary between clients and the RADIUS server. Below are the steps to configure WPA2-Enterprise with 802.1x authentication using PEAP EAP-MSCHAPv2 on a Windows NPS server. PEAP EAP-MSCHAPv2 is a widely supported EAP method among hardware and software manufacturers.

    1. Install an Active Directory based PKI and deploy the CA chain to domain member systems using Group Policy.
    2. Obtain a digital certificate on the NPS server using Active Directory enrollment.
    3. Configure an SSID to use WPA2-Enterprise with 802.1x authentication in Dashboard.
    4. Add APs as RADIUS clients on the NPS server and configure PEAP-MSCHAPv2 policy in NPS.
    5. Deploy PEAP-MSCHAPv2 wireless network settings to domain member computers using Group Policy.

    Please follow the KB articles in the order below to accomplish each of the steps presented above.




  • 13.  RE: IAP 103 MAC authentication + RADIUS authentication

    EMPLOYEE
    Posted May 12, 2015 12:27 PM
    Yes


    Thanks,
    Tim


  • 14.  RE: IAP 103 MAC authentication + RADIUS authentication

    Posted May 12, 2015 12:30 PM

    Yes, you should fully disable MAC authentication and follow the user guide to enable machine authentication.

    If you follow the relevant sections in the user guide, you should find instructions to define three roles for machine authentication: a machine-only role, a user-only role, and a full-access role. A client whose machine account is authenticated but not user-authenticated will get the machine-only role. A client whose user account is authenticated but whose machine account is not authenticated will get the user-only role. Only a client that has both types of accounts authenticated will get the full-access role. This way you should have very granular control over security, and only let corporate-issued clients get the full role.

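    The two mechanisms compared in this thread, as an added illustration that is not part of the original posts or of any Aruba or Microsoft documentation: the MAC-as-username/password convention from the Active Directory procedure quoted above, checked against the default Windows password-complexity rule (assumed here to be the standard "3 of 5 character categories, at least 6 characters, must not contain the account name" policy), and the three-role outcome described for machine authentication. The "rejected" outcome for a client that passes neither authentication is an assumption, not something the thread spells out.

```python
import re


def mac_auth_username(mac: str) -> str:
    """The string a MAC-authenticating client sends as both username and
    password in the quoted AD procedure: delimiters removed, lowercase hex."""
    digits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()


def meets_ad_complexity(password: str, account_name: str) -> bool:
    """Assumed default Windows 'Password must meet complexity requirements':
    >= 6 characters, must not contain the sAMAccountName, and characters from
    at least 3 of 5 categories (upper, lower, digit, symbol, other Unicode)."""
    if len(password) < 6 or account_name.lower() in password.lower():
        return False
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        any(ord(c) > 127 for c in password),
    )
    return sum(categories) >= 3


def mac_account_allowed_by_policy(mac: str) -> bool:
    """True only if an AD account whose password equals the MAC-derived logon
    name would satisfy the complexity policy (it never does: the password is
    all lowercase hex, so at most 2 categories, and it contains the account name)."""
    name = mac_auth_username(mac)
    return meets_ad_complexity(name, name)


def machine_auth_role(machine_ok: bool, user_ok: bool) -> str:
    """Role outcome described in the thread for Instant machine authentication."""
    if machine_ok and user_ok:
        return "full-access"
    if machine_ok:
        return "machine-only"
    if user_ok:
        return "user-only"
    return "rejected"  # assumption: neither account authenticated


if __name__ == "__main__":
    # Constructed sample input: the MAC used in the quoted AD procedure.
    print(mac_auth_username("01:23:45:67:8a:bc"), mac_account_allowed_by_policy("01:23:45:67:8a:bc"))
    print(machine_auth_role(machine_ok=True, user_ok=False))
```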


  • 15.  RE: IAP 103 MAC authentication + RADIUS authentication

    Posted May 12, 2015 12:48 PM

    Tim and Yan,

    That sounds perfect. I'll go ahead and try it.

    Thanks for all the help.



  • 16.  RE: IAP 103 MAC authentication + RADIUS authentication

    Posted May 12, 2015 11:16 AM

    Hi Tim,

    I checked the client's PO and there is no reference to ClearPass.

    I'll go ahead and assume (never worked with it) that ClearPass is some sort of platform that will enhance some of the IAPs' capabilities, including a possible solution for this particular approach. Is that correct?

    In other words, just with the virtual controller, it is not possible to have these two levels of authentication. Correct?

    Thanks for your kind reply.



  • 17.  RE: IAP 103 MAC authentication + RADIUS authentication

    Posted May 12, 2015 11:25 AM
    Can you put both the MAC addresses and the user accounts on the client's RADIUS server? Create user accounts in the RADIUS server with the MAC address for both the username and password, and then specify that server on the SSID, with both MAC auth and 802.1X enabled. IAP will then first use MAC to authenticate against the RADIUS server and then use 802.1X to authenticate.

    Thanks,

    Yan Liu
    Product Manager
    Aruba Instant
    US: +1 650 996 3520
    China: +86 136 212 16844

    Sent from my iPhone