Security, WIDS/WIPS and Aruba ECS

Guru Elite

"Real' MAC authentication for users

A user had a legacy WLAN with two networks: a User network and a Guest network. They are both netreg-type networks that sends the SSID that the user connects to in addition to the mac address of the user back to a radius server. If a user's mac address is not in netreg and enters the "user" network, the DHCP server would not give the user an IP address. Correspondingly, if the user is in netreg and tries to connect to the guest network, he would also NOT get an ip address.

The problem became that users would get 169.x.x.x addresses and stay associated to the wrong WLAN and call tech support frequently. Other users would just steal or reuse IP addresses from previous sessions and be able to get on the wrong networks.

To solve these issues, the user configured the Aruba Controller to do MAC authentication directly to the radius server with blacklisting after 1 failure on the AAA profile. He also configured the blacklist on the Virtual-AP to last 5 seconds, which is enough time for the user's WLAN card to keep him off the wrong SSID and "try again", without calling tech support. He killed two birds with one stone in that the user was not "stuck" on the wrong SSID because the blacklist would keep him off. in addition, since the AAA profile's initial role was "deny" all, he could not pass any traffic or configure a static ip address on that.

Of course, this will not stop determined users who spoof their mac addresses, but there is hope: the organization just layered 802.1x on top of MAC authentication.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
ArubaOS Consolidated Release Notes
Aruba VIA ASE Solution - Configure VIA VPN
Search Airheads
Showing results for 
Search instead for 
Did you mean: