Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x and MAC authentication

  • 1.  802.1x and MAC authentication

    Posted Jul 04, 2013 02:31 AM

    Hi,

     

    When I do WPA-2 Ent authentication to an NPS (RADIUS) server, with "Perform MAC authentication before 802.1X" enabled, the username I entered doesn't get passed to the RADIUS server. It passed the hardware MAC address to the RADIUS server instead.

     

    Testing with either just the MAC or 802.1x authentication only works fine. But not when both are selected.

     

    Is this normal, or can it not be done with the Instant AP?

     

    Thanks,

    jeremy



  • 2.  RE: 802.1x and MAC authentication

    Posted May 26, 2014 08:15 AM

    Does anyone have a solution for this?

     

    Thanks,

    Pritesh



  • 3.  RE: 802.1x and MAC authentication

    EMPLOYEE
    Posted May 26, 2014 11:32 AM

    Where is the option "Perform Mac Authentication first" configured?  On the NPS server?  



  • 4.  RE: 802.1x and MAC authentication

    Posted May 27, 2014 02:55 AM

    This option is on the Aruba IAP 105, not on the NPS server.

    Only if we also create a user for the MAC address (username + password = system MAC ID) is it able to connect.

     

    Is there any way that MAC address authentication will use the internal database of the Aruba IAP and pass the username/password to RADIUS?

     

     



  • 5.  RE: 802.1x and MAC authentication

    Posted Jun 01, 2014 10:16 AM

    pritesh.patil@claricetechnologies.com wrote:

    Is there any way that MAC address authentication will use the internal database of the Aruba IAP and pass the username/password to RADIUS?


    Nope, it seems you can't; both are sent to the same server. One of the limits of the IAP at this moment.



  • 6.  RE: 802.1x and MAC authentication

    Posted Jun 29, 2016 01:09 AM

    Can we use MAC + 802.1X authentication on the Controller 7010? If yes, where's the option to put the MAC address? Would it be on the RADIUS server or the internal database?

     

    Thanks



  • 7.  RE: 802.1x and MAC authentication

    EMPLOYEE
    Posted Jun 29, 2016 01:46 AM
    For wireless or wired users?


  • 8.  RE: 802.1x and MAC authentication

    Posted Jun 29, 2016 01:54 AM

    For wireless. We would like to deploy RADIUS + MAC authentication.

     

    Thanks



  • 9.  RE: 802.1x and MAC authentication

    EMPLOYEE
    Posted Jun 29, 2016 10:40 AM
    MAC address can be used as an authorization attribute after 802.1X authentication. What authentication / policy server will you be using?


  • 10.  RE: 802.1x and MAC authentication

    Posted Jun 29, 2016 02:53 AM

    For wireless users. We would like to deploy RADIUS + MAC authentication on the WLC 7010, but couldn't find a sample configuration. Thanks

     



  • 11.  RE: 802.1x and MAC authentication

    Posted Jun 29, 2016 03:24 AM

     

    Hi all,

    I can't say anything about the 7010; we have a 3200 controller.

    We have different SSIDs with different authentication methods for different types of endpoints.

    Similarly, for mobile devices (iPhone / iPad) we have MAC auth + 802.1X, so we have to enter the MAC address into the internal database of the Aruba controller (3200). Once this is done, the user must then authenticate his device with an Active Directory account over the NPS.

    You must do both on the controller; you can't do one on the IAP and the other on the controller.

    So you must configure your RADIUS server under “Security > Authentication > Servers > RADIUS Server”, and under “Security > Authentication > Servers > Internal DB” you must insert the MAC address.



  • 12.  RE: 802.1x and MAC authentication

    Posted Jun 29, 2016 03:59 AM

    Thanks for the responses. Actually, we would like to use MAC + 802.1X on the same SSID. If we put MAC addresses in the local database for MAC authentication and 802.1X is authenticated with the RADIUS server, which is AD, which network authentication and encryption type should I choose?

     

    If we use only RADIUS authentication, we choose WPA2 for authentication type and AES for encryption.

     

    Thanks

     

     



  • 13.  RE: 802.1x and MAC authentication

    EMPLOYEE
    Posted Jun 29, 2016 10:50 AM
    This is not a recommended deployment. Static MAC lists on a controller are not scalable or easily manageable.


  • 14.  RE: 802.1x and MAC authentication

    Posted Jun 29, 2016 09:08 PM

    May I know what the recommended deployment is for RADIUS + MAC authentication? We're using Server 2012 as an NPS and the authentication method is EAP (PEAP).

     

    Thanks



  • 15.  RE: 802.1x and MAC authentication

    EMPLOYEE
    Posted Jun 29, 2016 09:15 PM

    Ei are you authenticating domain machines?



  • 16.  RE: 802.1x and MAC authentication

    Posted Jun 29, 2016 09:17 PM

    Yes, right. Only for domain users. Thanks



  • 17.  RE: 802.1x and MAC authentication

    EMPLOYEE
    Posted Jun 29, 2016 09:20 PM

    Domain users on domain computers?



  • 18.  RE: 802.1x and MAC authentication

    Posted Jun 29, 2016 09:22 PM

    Yes, domain users on domain computers.



  • 19.  RE: 802.1x and MAC authentication

    EMPLOYEE
    Posted Jun 29, 2016 09:34 PM

    The best thing you can do with NPS is to:

     

    - Configure your Wireless domain clients to authenticate as a computer only (under advanced> 802.1x tab)

    - Configure NPS to only authenticate devices from the "Domain Computers" group.

     

    The machine itself will authenticate to the wireless, but the user will still be required to log in to the machine to do anything.

     

    Other RADIUS servers like ClearPass can check to see if a user and a computer authenticated successfully before a device can pass traffic, but NPS is not as flexible.



  • 20.  RE: 802.1x and MAC authentication

    EMPLOYEE
    Posted Jun 29, 2016 09:38 PM

    Screenshot of the client configuration:

     

    computer-auth.PNG



  • 21.  RE: 802.1x and MAC authentication

    Posted Jun 29, 2016 09:45 PM

    Hi Colin,

     

    Thanks for the advice. Actually, we are currently using the 802.1X authentication method and it's working fine. I just need advice on whether 802.1X + MAC authentication would work with the NPS server for further deployment, using the same SSID for domain machines. Also, I would like to know where we need to put the MAC address: on the RADIUS server or in the local database?

     

     



  • 22.  RE: 802.1x and MAC authentication

    EMPLOYEE
    Posted Jun 29, 2016 09:55 PM

    When configuring 802.1x and mac authentication, the mac address must be created as a user in the radius server.  The username and password would be the mac address in AD (no delimiter).
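
How the two request types discussed in this thread look from the RADIUS server's side, as an added example that is not part of any post: a MAC-authentication request carries the client MAC (no delimiter) as User-Name, which should match Calling-Station-Id, while an 802.1X request carries EAP-Message. The sample requests are constructed, and the absence of EAP-Message on MAC-authentication requests is an assumption about how the AP sends them.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Strip common delimiters and lowercase; return 12 hex digits or None."""
    stripped = re.sub(r"[:.\-\s]", "", value or "").lower()
    return stripped if _HEX12.match(stripped) else None


def classify(request):
    """Classify one Access-Request given as a dict of RADIUS attributes."""
    user_mac = normalize_mac(request.get("User-Name"))
    station_mac = normalize_mac(request.get("Calling-Station-Id"))
    has_eap = "EAP-Message" in request
    if user_mac is None:
        # Ordinary username: expected to arrive inside an EAP exchange.
        return "dot1x" if has_eap else "other"
    if has_eap:
        # An account named after a MAC is being used as a user credential.
        return "suspect: MAC-named account used in 802.1X"
    if user_mac != station_mac:
        # The MAC credential is presented by a different station.
        return "suspect: User-Name MAC differs from Calling-Station-Id"
    return "mac-auth"


# Constructed sample requests (not taken from the thread).
SAMPLE_REQUESTS = [
    {"User-Name": "001122334455", "Calling-Station-Id": "00-11-22-33-44-55"},
    {"User-Name": "CORP\\jeremy", "Calling-Station-Id": "00-11-22-33-44-55",
     "EAP-Message": "<present>"},
    {"User-Name": "001122334455", "Calling-Station-Id": "66-77-88-99-AA-BB",
     "EAP-Message": "<present>"},
    {"User-Name": "001122334455", "Calling-Station-Id": "66:77:88:99:aa:bb"},
]


def report(requests):
    """Return (User-Name, classification) pairs for a list of requests."""
    return [(r.get("User-Name"), classify(r)) for r in requests]


if __name__ == "__main__":
    for user, label in report(SAMPLE_REQUESTS):
        print(f"{user:<16} {label}")
```

Because the MAC-named account's password is the MAC itself, the two "suspect" outcomes are the ones worth alerting on when these accounts live in the same directory as real users.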

     

     



  • 23.  RE: 802.1x and MAC authentication

    Posted Jun 29, 2016 10:10 PM

    Ok, thanks. I'll try.