Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass 6.7 - Enforcing switchport disablement.

  • 1.  ClearPass 6.7 - Enforcing switchport disablement.

    Posted Apr 11, 2019 12:22 AM

    I am trying to implement MAC authentication on an Aruba OS switch which connects to a wireless AP.

    I want the wireless AP to undergo MAC AUTH and if it fails, then the enforcement action I want to happen is to disable the switch port entirely.

    This is so the wireless AP's clients also will not gain access to the network.

    The standard [Deny Access Profile] will only block access for the wireless AP but not for its wireless clients. I want every wireless client to be blocked as well.

    How can I achieve this?

    Specifically, what enforcement profile do I need?




  • 2.  RE: ClearPass 6.7 - Enforcing switchport disablement.

    EMPLOYEE
    Posted Apr 11, 2019 12:25 AM
    Aruba switches do not have a RADIUS enforced port admin state.


  • 3.  RE: ClearPass 6.7 - Enforcing switchport disablement.

    Posted Apr 11, 2019 12:29 AM

    Thanks for your prompt reply.

    What about enforcing a VLAN change?

    How can you enforce a VLAN change for the entire switch port?



  • 4.  RE: ClearPass 6.7 - Enforcing switchport disablement.

    EMPLOYEE
    Posted Apr 11, 2019 12:31 AM
    You generally have to bounce the port. Devices don't like the VLAN changed out from under them.


  • 5.  RE: ClearPass 6.7 - Enforcing switchport disablement.

    Posted Apr 11, 2019 01:28 AM

    Won't bouncing the switchport cancel the dynamically modified VLAN?

    From the following information captured from the switch it appears the VLAN enforcement only applies to the specific device, and not to the switch port itself. You can see the first device is in VLAN 409 and the second device in 700.


    ARUBATESTSW01(eth-1)# sh port-acc cli

    Port Access Client Status

    Port Client Name MAC Address IP Address User Role Type VLAN
    ----- ------------- ----------------- --------------- ----------------- ----- -------------------------------------------------------
    1 host/L6114... 705a0f-83503c 10.40.129.109 8021X 409, 209
    1 203a0782af31 203a07-82af31 n/a MAC 701, 700
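The post above makes its point by reading the "show port-access clients" table by eye. The following is an added example, not code from the thread or from HPE Aruba Networking: a small parser for that output format that groups clients by switch port and flags ports where more than one VLAN is in use, which is exactly the symptom that shows the VLAN was assigned per client (per MAC) rather than to the port. The sample text is constructed from the two rows quoted above plus a third, invented row on port 2 (name, MAC, IP and role "ap-role" are all made up); column handling assumes the User Role column may be blank, as it is in the quoted output.

```python
import re
from collections import defaultdict

# Constructed sample: the two rows quoted in the thread plus one invented row on port 2.
SAMPLE_OUTPUT = """\
Port Access Client Status

Port Client Name MAC Address IP Address User Role Type VLAN
----- ------------- ----------------- --------------- ----------------- ----- -------
1 host/L6114... 705a0f-83503c 10.40.129.109 8021X 409, 209
1 203a0782af31 203a07-82af31 n/a MAC 701, 700
2 ap-lobby-01 f0b1e2-0a0b0c 10.40.129.50 ap-role MAC 700
"""

# One client row: port, name, MAC (xxxxxx-xxxxxx), IP, optional user role,
# auth type, then the VLAN list. The role group is optional because the
# quoted switch output leaves that column empty.
CLIENT_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>\S+)\s+(?P<mac>[0-9a-f]{6}-[0-9a-f]{6})\s+"
    r"(?P<ip>\S+)\s+(?:(?P<role>\S+)\s+)?(?P<type>8021X|MAC|WEB)\s+(?P<vlans>.+?)\s*$",
    re.IGNORECASE,
)


def parse_port_access_clients(text):
    """Return a list of dicts, one per client row; header and separator lines are skipped."""
    clients = []
    for line in text.splitlines():
        m = CLIENT_RE.match(line.strip())
        if not m:
            continue  # banner, column header, dashes or blank line
        vlans = [int(v) for v in re.findall(r"\d+", m.group("vlans"))]
        clients.append({
            "port": m.group("port"),
            "name": m.group("name"),
            "mac": m.group("mac").lower(),
            "ip": m.group("ip"),
            "role": m.group("role"),
            "type": m.group("type").upper(),
            "vlans": vlans,
        })
    return clients


def clients_by_port(clients):
    """Group parsed client rows by switch port."""
    by_port = defaultdict(list)
    for c in clients:
        by_port[c["port"]].append(c)
    return dict(by_port)


def port_isolation_report(clients):
    """For each port, collect the distinct VLANs in use.

    More than one distinct VLAN on a single port means the switch applied the
    RADIUS VLAN to individual clients, so a per-client "quarantine" VLAN does
    not cut off the other devices behind that port (e.g. an AP's wireless clients).
    """
    report = {}
    for port, rows in clients_by_port(clients).items():
        vlans = set()
        for r in rows:
            vlans.update(r["vlans"])
        report[port] = {
            "client_count": len(rows),
            "vlans": vlans,
            "per_client_enforcement": len(vlans) > 1,
        }
    return report


if __name__ == "__main__":
    parsed = parse_port_access_clients(SAMPLE_OUTPUT)
    for port, info in sorted(port_isolation_report(parsed).items()):
        flag = "per-client VLANs" if info["per_client_enforcement"] else "single VLAN"
        print(f"port {port}: {info['client_count']} client(s), VLANs {sorted(info['vlans'])} -> {flag}")
```

Run against a real capture, the report tells you in one glance which ports carry clients in several VLANs; on such a port a RADIUS VLAN assignment returned for the AP's MAC will not isolate the AP's own wireless clients, which matches what the poster observed.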



  • 6.  RE: ClearPass 6.7 - Enforcing switchport disablement.

    Posted Apr 12, 2019 07:43 AM

    You should be able to do a CLI enforcement profile and enable ClearPass to log in and disable the port in an SSH session. This CLI enforcement is not officially supported (as far as I know) on ArubaOS switches, but I have already successfully implemented it in conjunction with 2930F version 16.08.XXXX.