Controllerless Networks


Instant MAC Auth fail-thru with Clearpass

  • 1.  Instant MAC Auth fail-thru with Clearpass

    Posted Feb 11, 2014 12:24 PM

    I've been playing around with a lab and have a question about MAC auth on Instants.

    [Screenshot: 2014-02-11 16_58_29-Instant.png]

    With the above setting, MAC auth should be performed, then 802.1X will be performed only if MAC auth fails.

    When testing this out, clients appear to be doing 802.1X auth before MAC auth according to my ClearPass Access Tracker.

    Has anyone else tested this out?

    Cheers

    James



  • 2.  RE: Instant MAC Auth fail-thru with Clearpass

    Posted Feb 11, 2014 05:04 PM

    What exactly are you trying to achieve?

    Are you trying to prevent certain clients from reaching the 802.1X authentication stage?

    If you just want 802.1X user and/or cert authentication with MAC authorization, you can easily solve this in CPPM by using the Endpoint repository as an authorization source and creating the appropriate policies. From the 802.1X RADIUS request alone you will have information about the endpoint (the client's MAC address will be in the IETF Calling-Station-Id).
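
The approach suggested in this reply, as an added sketch that is not part of the original post and is not ClearPass code: once 802.1X has succeeded, the MAC in Calling-Station-Id is normalized and looked up in an endpoint table to choose the role. The endpoint table, role names and function names are hypothetical.

```python
import re

# Constructed endpoint table (hypothetical): normalized MAC -> endpoint status.
ENDPOINTS = {
    "001a2b3c4d5e": "Known",
    "f0def1000002": "Disabled",
}

HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(calling_station_id):
    """Reduce common Calling-Station-Id spellings to 12 lowercase hex digits.

    Accepts 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e, 001a.2b3c.4d5e and
    001A2B3C4D5E. Returns None when the value is not a 48-bit MAC.
    """
    if not isinstance(calling_station_id, str):
        return None
    digits = re.sub(r"[-:.\s]", "", calling_station_id).lower()
    return digits if HEX12.fullmatch(digits) else None


def authorize(request, dot1x_ok, endpoints=ENDPOINTS):
    """802.1X authentication first, then MAC-based authorization.

    request is a dict of RADIUS attributes; returns (decision, role).
    The MAC is client-asserted and can be spoofed, so it only refines the
    role of a session that has already passed 802.1X. It never grants
    access on its own.
    """
    if not dot1x_ok:
        return ("reject", None)        # user/cert authentication failed
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac is None:
        return ("reject", None)        # missing or malformed MAC: fail closed
    status = endpoints.get(mac, "Unknown")
    if status == "Disabled":
        return ("reject", None)        # endpoint explicitly blocked
    if status == "Known":
        return ("accept", "full-access")
    return ("accept", "quarantine")    # valid user on an unrecognised device
```
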



  • 3.  RE: Instant MAC Auth fail-thru with Clearpass

    Posted Feb 12, 2014 04:19 AM

    Hi Arjan_k,

    I'm just playing around with scenarios and was attempting to get MAC auth working by using the setting on the Instant web console.

    It didn't seem to work as expected.

    Thanks for your help though.

    Cheers

    James



  • 4.  RE: Instant MAC Auth fail-thru with Clearpass

    Posted Mar 03, 2014 02:06 PM

    jrwhitehead, this is the same as when you would do MAC-only authentication on a WPA2 Enterprise profile in the controller; this isn't possible by itself. You can add MAC auth to an existing EAP-PEAP / ... but not only MAC auth.



  • 5.  RE: Instant MAC Auth fail-thru with Clearpass

    Posted Mar 21, 2014 04:20 PM

    I too would like to employ MAC authentication inline with 802.1X. The reason/scenario: putting an (Xbox, TV, Blu-ray) on the same network that our students connect to using 802.1X for authentication. This would allow us to provide Wi-Fi to non-802.1X-enabled devices without standing up another SSID.



  • 6.  RE: Instant MAC Auth fail-thru with Clearpass

    EMPLOYEE
    Posted Mar 22, 2014 09:58 AM

    matthew.dillion@cnu.edu wrote:

    I too would like to employ MAC authentication inline with 802.1X. The reason/scenario: putting an (Xbox, TV, Blu-ray) on the same network that our students connect to using 802.1X for authentication. This would allow us to provide Wi-Fi to non-802.1X-enabled devices without standing up another SSID.


    Matthew.Dillon, for any device to be able to work on an 802.1X SSID, it must support the encryption type. Devices that are PSK-only will not be able to join an 802.1X SSID, period. They must use an SSID that supports PSK.



  • 7.  RE: Instant MAC Auth fail-thru with Clearpass

    Posted Jan 12, 2015 04:39 PM

    Understood, that is what I was expecting to hear. Thank you for the clarification.



  • 8.  RE: Instant MAC Auth fail-thru with Clearpass

    EMPLOYEE
    Posted Mar 22, 2014 09:56 AM

    @jrwhitehead wrote:

    I've been playing around with a lab and have a question about MAC auth on Instants.

    [Screenshot: 2014-02-11 16_58_29-Instant.png]

    With the above setting, MAC auth should be performed, then 802.1X will be performed only if MAC auth fails.

    When testing this out, clients appear to be doing 802.1X auth before MAC auth according to my ClearPass Access Tracker.

    Has anyone else tested this out?

    Cheers

    James


    jrwhitehead,

    If MAC authentication fail-thru is enabled, 802.1X authentication will be performed EVEN if MAC auth fails: http://www.arubanetworks.com/techdocs/Instant_40_WebHelp/InstantWebHelp.htm#UG_files/Authentication/MAC + 802.1X Authentication.htm