Controllerless Networks

If using the Instants with 802.1X (external) and MAC authentication, where do the MAC addresses need to be entered? Can the MAC addresses be entered in the Internal Database, and then use the external RADIUS server for 802.1X, or do they both need to use the external RADIUS server? If the MAC addresses have to be authenticated by the RADIUS server, is there any documentation on how to configure the RADIUS server? Thanks!

They should both be in the same place. WIth 802.1X, you're using a MAC address as authorization data. 

 

What RADIUS server are you using?

I'm using Windows Server 2008 NPS. If I just use RADIUS authentication I can connect to the SSID. If I check the box "Perform MAC authentication before 082.1X" I can't get connected. I was thinking I could put the MAC address of the client in the Internal Database as both the username and the password, but that doesn't seem to work. I noticed in the user guide that it states "MAC authentication shares all the authentication server configurations with 802.1X authentication," which seems to indicate that my Windows NPS server should authenticate the MAC address. Is that correct?

Yes, they must be the same server.

 

The only way to support MAC authentication in NPS is to create AD users with the MAC address as the username and password (which is not feasible in most environments).

http://technet.microsoft.com/en-us/library/dd197535%28WS.10%29.aspx

What are you trying to accomplish using MAC-auth and dot1X?

 

 

That is correct. To use MAC + 1x authentication with Microsoft NPS, both the MAC and the 1X accounts should be programmed on the NPS server instead of the IAP?s internal server.

Thanks,

Yan Liu
Product Manager
Aruba Instant
US: +1 650 996-3520
China: +86 136 2121 6844