Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM endpoint "Known" mac address group by per SSID

  • 1.  CPPM endpoint "Known" mac address group by per SSID

    Posted Jun 20, 2014 01:38 PM

    Hi,

    I have configured 3 SSIDs on my controller. The authentication method is user credential + MAC address.

    CPPM service configured as below:

    (Tips:Role EQUALS [User Authenticated])
    AND (Authorization:[Endpoints Repository]:Status EQUALS Known)

    All "Known" MACs from the 3 SSIDs will be in the Endpoint Repository, but I could not segregate them, so I could not figure out how many "Known" MACs there are in each SSID.

    Is there any alternate way to achieve MAC authentication with a respective MAC group entry? Or how can I achieve the same with the Endpoint Repository?

    Thanks...



  • 2.  RE: CPPM endpoint "Known" mac address group by per SSID
    Best Answer

    Posted Jun 20, 2014 02:48 PM

    - You can use the computed attribute:

    [screenshot: 2014-06-20 14_32_17-Chrome Remote Desktop.png]

     

    - Add the SSID attribute

    [screenshot: 2014-06-20 14_30_03-Chrome Remote Desktop.png]

     

    - Create a Post Auth Enforcement Profile and apply it right under the "Known" Post Auth Enforcement Profile in the Enforcement Policy

    [screenshot: 2014-06-20 14_30_03-Chrome Remote Desktop.png]

    [screenshot: 2014-06-20 14_31_57-Chrome Remote Desktop.png]

     

    Then you could search the endpoint database for the attribute "SSID" and the status "Known".

     

    [screenshot: 2014-06-20 14_47_22-Chrome Remote Desktop.png]



  • 3.  RE: CPPM endpoint "Known" mac address group by per SSID

    Posted Jun 20, 2014 02:48 PM

    You could probably do this with another attribute in the endpoint database (other than Known Client). The problem is: how do you want to populate that entry?

     

    For example, add an attribute and assign to the Endpoint:

    Administration --> Dictionaries --> Attributes

    [screenshot: cppm-mac-allowed1.png]

     

     

    Then edit the endpoint with the proper value

    [screenshot: cppm-mac-allowed2.png]

     

    Change the service to look for this attribute instead of "Known Client"



  • 4.  RE: CPPM endpoint "Known" mac address group by per SSID

    Posted Jun 20, 2014 03:01 PM

    ...or what Victor said  :-)

     

    Victor's method gives you an automated way to update the attribute after someone joins the network.  If you need to add the attribute first in order to allow them to join, you'll need to add it manually as in my post.

     

    That is the beauty of CPPM...very flexible and can do just about anything, so long as you know what you want.



  • 5.  RE: CPPM endpoint "Known" mac address group by per SSID

    Posted Jun 22, 2014 11:32 PM

    By default, any user who wants wireless access should be denied, except allowed MAC addresses.

    I will manually add the MAC address to the particular SSID group; only then will the user get access.

     

    Regards,

    Nikhil.



  • 6.  RE: CPPM endpoint "Known" mac address group by per SSID

    Posted Jul 07, 2014 06:36 PM

    Hi,

     

    Where should I add the respective SSID name in the configuration?



  • 7.  RE: CPPM endpoint "Known" mac address group by per SSID

    EMPLOYEE
    Posted Jul 07, 2014 06:38 PM

    Create a custom attribute.

     

    Administration > Dictionaries > Attributes



  • 8.  RE: CPPM endpoint "Known" mac address group by per SSID

    Posted Jul 08, 2014 01:41 PM

    Hi,

     

    I have created the EMPL SSID and configured the suggested configuration as per my requirement.

    I have marked the MAC ID as Known in Endpoints and I am able to get the correct VLAN as per the VLAN assigned to the user.

    But after that I again made the MAC ID Unknown, and the user is still able to connect. As per the configuration the user must be rejected.

     

    Please find attachment for more info.

     

    Thanks....

    Attachment(s): syn endpoint.docx (docx, 1.77 MB, 1 version)


  • 9.  RE: CPPM endpoint "Known" mac address group by per SSID

    EMPLOYEE
    Posted Jul 08, 2014 01:43 PM
    Add a rule at the bottom that says:

    Authorization:[Endpoints Repository] Status NOT_EQUALS Known [DENY ACCESS PROFILE]
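
    The following is an added example, not ClearPass code and not its API: a small Python model of the enforcement logic discussed in this thread, so the rule ordering from the accepted answer (a custom "SSID" endpoint attribute, then a search for Known endpoints per SSID) and the explicit bottom deny rule above can be tested offline. The endpoint repository, MAC addresses, SSID names and profile names are constructed sample data, and the model assumes first-match rule evaluation with a deny default, matching the default role mentioned later in the thread.

```python
# Added example (not ClearPass code or its API): a model of the enforcement
# policy discussed in this thread. Endpoint repository, MACs, SSIDs and
# profile names are constructed sample data.
from collections import Counter
from dataclasses import dataclass

# Constructed stand-in for the ClearPass Endpoints Repository:
# MAC -> status ("Known"/"Unknown") plus custom attributes, including the
# custom "SSID" attribute suggested in the accepted answer.
ENDPOINTS = {
    "00:11:22:33:44:01": {"status": "Known", "attributes": {"SSID": "EMPL"}},
    "00:11:22:33:44:02": {"status": "Known", "attributes": {"SSID": "EMPL"}},
    "00:11:22:33:44:03": {"status": "Known", "attributes": {"SSID": "GUEST"}},
    "00:11:22:33:44:04": {"status": "Unknown", "attributes": {}},
}

DENY = "[Deny Access Profile]"


@dataclass
class Request:
    """Values the policy looks at for one authentication request (constructed)."""
    mac: str                  # client MAC address, normalised
    essid: str                # Aruba-Essid-Name from the RADIUS request
    user_authenticated: bool  # True when Tips:Role contains [User Authenticated]


def endpoint_status(mac: str) -> str:
    # An endpoint that was never seen is treated as Unknown.
    return ENDPOINTS.get(mac, {}).get("status", "Unknown")


def endpoint_attr(mac: str, name: str):
    return ENDPOINTS.get(mac, {}).get("attributes", {}).get(name)


def set_status(mac: str, status: str) -> None:
    # Models editing the endpoint's status (e.g. marking it Unknown again).
    ENDPOINTS.setdefault(mac, {"attributes": {}})["status"] = status


def rule_known_for_this_ssid(r: Request):
    # (Tips:Role EQUALS [User Authenticated])
    # AND (Authorization:[Endpoints Repository]:Status EQUALS Known)
    # AND (Authorization:[Endpoints Repository]:SSID EQUALS Aruba-Essid-Name)
    if (r.user_authenticated and endpoint_status(r.mac) == "Known"
            and endpoint_attr(r.mac, "SSID") == r.essid):
        return f"Allow-{r.essid}-VLAN"   # hypothetical per-SSID VLAN profile
    return None


def rule_deny_unknown(r: Request):
    # Bottom rule: Authorization:[Endpoints Repository]:Status NOT_EQUALS Known
    if endpoint_status(r.mac) != "Known":
        return DENY
    return None


# Ordered policy; the model assumes first-match evaluation and a deny default.
POLICY = [rule_known_for_this_ssid, rule_deny_unknown]


def evaluate(r: Request, policy=POLICY, default=DENY) -> str:
    """Return the enforcement profile for a request: first matching rule wins."""
    for rule in policy:
        profile = rule(r)
        if profile is not None:
            return profile
    return default


def count_known_by_ssid() -> dict:
    """The endpoint search from the accepted answer: Known endpoints per SSID."""
    return dict(Counter(
        e["attributes"]["SSID"]
        for e in ENDPOINTS.values()
        if e["status"] == "Known" and "SSID" in e["attributes"]
    ))


if __name__ == "__main__":
    print(count_known_by_ssid())
    print(evaluate(Request("00:11:22:33:44:01", "EMPL", True)))
    set_status("00:11:22:33:44:01", "Unknown")   # the re-test described in post 8
    print(evaluate(Request("00:11:22:33:44:01", "EMPL", True)))
```

    A Known endpoint whose SSID attribute does not match the Aruba-Essid-Name of the request falls through both rules and lands on the default deny, which is why the per-SSID attribute, not the Known flag alone, is what separates the three SSIDs.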


  • 10.  RE: CPPM endpoint "Known" mac address group by per SSID

    Posted Jul 08, 2014 01:52 PM

    Hi,

     

    1) But the Enforcement Policy default role is the Deny Access Profile.

     

    2) Shall I manually add an attribute for the endpoint's Known MAC address (Edit Endpoint > Attribute), i.e. EMPL?

     



  • 11.  RE: CPPM endpoint "Known" mac address group by per SSID

    Posted Jul 08, 2014 02:11 PM

    Were you not going to key the profiles off of another attribute based on SSID rather than "known" or "unknown"?  I thought that was the root of your initial post.

     

    With regards to your test, double-check which service is being hit when you authenticate. Your condition of Aruba-Essid-Name BELONGS_TO EMPL should read Aruba-Essid-Name EQUALS EMPL. Also, be sure the endpoint is still listed as unknown in the DB. Lastly, make sure you terminate the user session on the controller to ensure a full authentication to CPPM is taking place.

     

     



  • 12.  RE: CPPM endpoint "Known" mac address group by per SSID

    Posted Jul 08, 2014 02:22 PM

    Hi Clembo,

     

    The authentication service is "SYN", which I configured.

    For Aruba-Essid-Name BELONGS_TO EMPL I will make the change to EQUALS EMPL, but I don't think that will impact the expected result.

    I have removed the past authenticated entry from the controller and then changed the MAC ID to Unknown. Then I tested, but the user is still authenticated.



  • 13.  RE: CPPM endpoint "Known" mac address group by per SSID

    Posted Jul 08, 2014 02:27 PM

    If you are definitely hitting the SYN service, then the change to Aruba-Essid-Name likely won't change anything.

     

    Please share your Access Tracker result for the successful authentication (despite being "unknown").

     

    Screenshot of the tabs and/or "export" would be useful.

     

     

     



  • 14.  RE: CPPM endpoint "Known" mac address group by per SSID

    Posted Jul 09, 2014 08:53 AM

    Hi,

     

    I was testing the configuration on a mobile handset. But after checking on a laptop and another mobile handset, it is working fine.

    The previously shared configuration is working as expected, as per Victor's suggested config.

     

    Thanks all....