Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

WPA2 enterprise - Perform MAC authentication before 802.1x

  • 1.  WPA2 enterprise - Perform MAC authentication before 802.1x

    Posted Jan 19, 2015 06:48 AM

    Hello,

    Anybody who can tell me what this feature can be used for? I can't seem to find any documentation describing this feature.



  • 2.  RE: WPA2 enterprise - Perform MAC authentication before 802.1x

    EMPLOYEE
    Posted Jan 19, 2015 06:51 AM
    Do you have ClearPass? 


  • 3.  RE: WPA2 enterprise - Perform MAC authentication before 802.1x

    Posted Jan 19, 2015 06:52 AM

    I do not have ClearPass, but I'm running PacketFence.



  • 4.  RE: WPA2 enterprise - Perform MAC authentication before 802.1x

    Posted Jan 19, 2015 07:10 AM

    Hi,

    It is absolutely possible to configure both MAC and dot1x together. It is even possible to configure MAC with internal and dot1x with external RADIUS.

    The trick is the post-auth role of MAC authentication: change it to the logon role so that it can allow the required traffic; otherwise, if it is a guest role, you may have issues.

    In the below output you can see that I have enabled both MAC and dot1x auth in the AAA profile, and in the auth trace buffer you can see both are successful.

    For your reference:


    (Aruba3200) #show aaa profile MyAAA

    AAA Profile "MyAAA"
    -------------------
    Parameter Value
    --------- -----
    Initial role logon
    MAC Authentication Profile MyMAC
    MAC Authentication Default Role logon
    MAC Authentication Server Group internal
    802.1X Authentication Profile Mydot1x
    802.1X Authentication Default Role authenticated
    802.1X Authentication Server Group MyServer
    Download Role from CPPM Disabled
    L2 Authentication Fail Through Disabled
    Multiple Server Accounting Disabled
    User idle timeout N/A
    RADIUS Accounting Server Group N/A
    RADIUS Interim Accounting Disabled
    XML API server N/A
    RFC 3576 server N/A
    User derivation rules N/A
    Wired to Wireless Roaming Enabled
    SIP authentication role N/A
    Device Type Classification Enabled
    Enforce DHCP Disabled
    PAN Firewall Integration Disabled


    Dec 4 19:26:03 station-down * 40:30:04:83:fa:21 24:de:c6:b9:62:18 - -
    Dec 4 19:26:20 mac-auth-req -> 40:30:04:83:fa:21 24:de:c6:b9:62:18 - -
    Dec 4 19:26:20 mac-auth-success <- 40:30:04:83:fa:21 24:de:c6:b9:62:18 - -
    Dec 4 19:26:20 station-up * 40:30:04:83:fa:21 24:de:c6:b9:62:18 - - wpa2 aes
    Dec 4 19:26:20 station-term-start * 40:30:04:83:fa:21 24:de:c6:b9:62:18 10 -
    Dec 4 19:26:25 client-finish -> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - -
    Dec 4 19:26:25 server-finish <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 61
    Dec 4 19:26:25 server-finish-ack -> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - -
    Dec 4 19:26:25 inner-eap-id-req <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 35
    Dec 4 19:26:25 inner-eap-id-resp -> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - - jack
    Dec 4 19:26:25 eap-mschap-chlg <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 67
    Dec 4 19:26:25 eap-mschap-response -> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x 8 49
    Dec 4 19:26:25 mschap-request -> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x 8 - jack
    Dec 4 19:26:25 mschap-response <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Myradius - - jack
    Dec 4 19:26:25 eap-mschap-success <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 83
    Dec 4 19:26:25 eap-mschap-success-ack-> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - -
    Dec 4 19:26:25 eap-tlv-rslt-success <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 43
    Dec 4 19:26:25 eap-tlv-rslt-success -> 40:30:04:83:fa:21 24:de:c6:b9:62:18 - 2
    Dec 4 19:26:25 eap-success <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 4
    Dec 4 19:26:25 wpa2-key1 <- 40:30:04:83:fa:21 24:de:c6:b9:62:18 - 117
    Dec 4 19:26:25 wpa2-key2 -> 40:30:04:83:fa:21 24:de:c6:b9:62:18 - 117
    Dec 4 19:26:25 wpa2-key3 <- 40:30:04:83:fa:21 24:de:c6:b9:62:18 - 151
    Dec 4 19:26:25 wpa2-key4 -> 40:30:04:83:fa:21 24:de:c6:b9:62:18 - 95


    Please feel free to ask any further query on this.
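To make the trace above easier to audit, here is an added example (not code from this thread or from Aruba) that replays auth-trace lines of the same shape and reports, per station MAC, whether MAC authentication and 802.1X each succeeded. A station that passed MAC auth but never reached eap-success is sitting in the MAC-auth default role (the logon role in the post above), which is the state the post-auth role choice has to account for. The field layout (timestamp, event, direction, station MAC, BSSID, optional "/profile", trailing fields) is assumed from the quoted lines; the sample trace embedded below is constructed, and the second station 02:00:00:00:00:aa is invented to show a client that only ever completed MAC auth.

```python
"""Replay ArubaOS-style auth-trace lines and flag MAC-auth-only stations.

Added example, not from the thread. Field layout is assumed from the trace
quoted in the thread; SAMPLE_TRACE is constructed for demonstration.
"""
import re

# Colon-separated MAC address, e.g. 40:30:04:83:fa:21
MAC = r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}"

# "Dec 4 19:26:25 eap-success <- <sta> <bssid>[/profile] <f1> <f2> [extra...]"
# The direction marker may be glued to the event name ("...-ack->"), hence \s*.
LINE_RE = re.compile(
    r"^(?P<month>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<event>\S+?)\s*(?P<dir>->|<-|\*)\s+"
    rf"(?P<sta>{MAC})\s+(?P<bssid>{MAC})(?:/(?P<profile>\S+))?"
    r"(?:\s+(?P<rest>.*))?$"
)


def parse_line(line):
    """Return a dict of fields for one trace line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sta"] = rec["sta"].lower()
    rec["bssid"] = rec["bssid"].lower()
    rest = rec.pop("rest") or ""
    rec["fields"] = rest.split()  # trailing columns such as "- 61" or "- - jack"
    return rec


def _fresh():
    return {"mac_auth": False, "dot1x": False, "station_up": False, "user": None}


def summarize(lines):
    """Per-station authentication state after replaying the trace in order.

    station-down starts a fresh record (new association). The success events
    that appear in the quoted trace flip the corresponding flags, and
    inner-eap-id-resp carries the inner identity as its last trailing field.
    """
    sessions = {}
    for rec in filter(None, map(parse_line, lines)):
        sta = rec["sta"]
        if rec["event"] == "station-down":
            sessions[sta] = _fresh()
            continue
        st = sessions.setdefault(sta, _fresh())
        if rec["event"] == "mac-auth-success":
            st["mac_auth"] = True
        elif rec["event"] == "station-up":
            st["station_up"] = True
        elif rec["event"] == "eap-success":
            st["dot1x"] = True
        elif rec["event"] == "inner-eap-id-resp" and rec["fields"]:
            st["user"] = rec["fields"][-1]
    return sessions


def classify(state):
    """Which role tier the station ended up in, given the flags collected."""
    if state["dot1x"]:
        return "dot1x-authenticated"
    if state["mac_auth"]:
        return "mac-auth-only"   # still in the MAC-auth default (logon) role
    return "unauthenticated"


def mac_auth_only_stations(lines):
    """Stations that passed MAC auth but never completed 802.1X."""
    return sorted(sta for sta, st in summarize(lines).items()
                  if classify(st) == "mac-auth-only")


# Constructed sample: first station mirrors the thread's trace (abridged);
# the second station (invented MAC) passes MAC auth and then goes quiet.
SAMPLE_TRACE = """\
Dec 4 19:26:03 station-down * 40:30:04:83:fa:21 24:de:c6:b9:62:18 - -
Dec 4 19:26:20 mac-auth-req -> 40:30:04:83:fa:21 24:de:c6:b9:62:18 - -
Dec 4 19:26:20 mac-auth-success <- 40:30:04:83:fa:21 24:de:c6:b9:62:18 - -
Dec 4 19:26:20 station-up * 40:30:04:83:fa:21 24:de:c6:b9:62:18 - - wpa2 aes
Dec 4 19:26:25 inner-eap-id-resp -> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - - jack
Dec 4 19:26:25 eap-mschap-success-ack-> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - -
Dec 4 19:26:25 eap-success <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 4
Dec 4 19:27:01 station-down * 02:00:00:00:00:aa 24:de:c6:b9:62:18 - -
Dec 4 19:27:02 mac-auth-req -> 02:00:00:00:00:aa 24:de:c6:b9:62:18 - -
Dec 4 19:27:02 mac-auth-success <- 02:00:00:00:00:aa 24:de:c6:b9:62:18 - -
Dec 4 19:27:02 station-up * 02:00:00:00:00:aa 24:de:c6:b9:62:18 - - wpa2 aes
""".splitlines()

if __name__ == "__main__":
    for sta, st in summarize(SAMPLE_TRACE).items():
        print(f"{sta}  {classify(st):22s}  user={st['user']}")
    print("MAC-auth-only:", mac_auth_only_stations(SAMPLE_TRACE))
```

Feed it the output of the trace buffer (one line per entry) and review the stations it reports as mac-auth-only against what the logon role permits; those are the clients whose traffic is governed by the MAC-auth default role rather than the 802.1X role.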



  • 5.  RE: WPA2 enterprise - Perform MAC authentication before 802.1x

    Posted Jan 20, 2015 02:32 AM

    Thank you for your reply. Unfortunately I'm running Aruba Instant, so I can't use those commands :(



  • 6.  RE: WPA2 enterprise - Perform MAC authentication before 802.1x

    Posted Jan 31, 2015 05:32 AM

    This does seem to describe it very well for Instant.

    http://www.arubanetworks.com/techdocs/InstantMobile/Advanced/Content/MAC%20+%20802.1X%20Authentication.htm

    [edit] For a second I thought this would allow you to do MAC auth only if dot1x fails, a feature that doesn't work on the controller. But looking at "The mac-auth-only role is primarily used for wired clients." I assume it won't work on Instant either for wireless.