@baro wrote:
Hi everybody,
I have, among others, a virtual-ap group with APs in bridged mode and WPA2 PSK auth... Which are the best settings for AAA Initial role, MAC authentication Default Role, 802.1X Authentication Default Role? (Now they are: guest, guest, authenticated... I want to deny everything to unauth clients, and permit everything to auth ones, and I have already experienced that a "deny all" as Initial role breaks the authentication process, preventing clients from establishing the WPA handshake)
I have Aruba MC6000 and AP135, OS 6.2.0.2
And, btw, is it possible in my deployment to have RADIUS accounting (and interim as well) for that kind of client? (aka, does the controller send RADIUS accounting parameters to the APs to allow them to send records to my freeradius? - APs' IPs already accepted as freeradius clients)
Thank you very much
Best regards
Andrea Barontini
For WPA/2 PSK clients, the initial role in the AAA profile is the role that a client gets when it attaches. The initial role is normally saved for Virtual APs where the clients do not authenticate when they attach (PSK networks or open networks).
You can only send RADIUS accounting for clients that send RADIUS traffic to a server. WPA2-PSK clients do NOT send RADIUS traffic to a server unless you have a MAC authentication profile attached to your AAA profile that would point to a RADIUS server. That means, if you are not doing MAC authentication, you also cannot send RADIUS accounting information using a WPA2-PSK SSID.