Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS and Mac filtering

  • 1.  EAP-TLS and Mac filtering

    Posted Apr 02, 2012 08:23 AM
    Hello, we want to use EAP-TLS and MAC filtering for iPad devices. EAP-TLS is terminated on the controller now, but we have planned to use Windows 2008 NPS instead of terminating it on the controller. For MAC filtering we have a user role (each device's MAC address is added) that is used for user derivation rules in the VAP. I'm confused which roles, such as initial role, 802.1x auth default role, MAC filtering default role, TLS guest role, I should use, so that clients have to pass both EAP-TLS and MAC filtering authentication to gain access. MAC filtering is not running. The client always gains access, whether its MAC address is in the list or not. Thanks,


  • 2.  RE: EAP-TLS and Mac filtering

    EMPLOYEE
    Posted Apr 02, 2012 08:40 AM


    Aytan,

     

    If you configure a mac authentication profile in your AAA profile for that 802.1x SSID, devices will get the mac authentication default role if they pass 802.1x authentication AND mac authentication.  If they do NOT pass mac authentication, they will not be allowed to connect.

     

    In the AAA profile if you enable "layer 2 failthrough", devices that pass 802.1x authentication, but fail mac authentication will still get the default 802.1x role in the AAA profile and be able to pass traffic.

     

     



  • 3.  RE: EAP-TLS and Mac filtering

    Posted Apr 03, 2012 05:34 AM

    Thanks cjoseph,

     

    Please find my working EAP-TLS and MAC filtering config for iPad attached.
    I could not succeed with EAP-TLS together with MAC filtering.
    Result: if I enable TLS guest access in the 802.1x auth profile, Aruba always assigns the user role defined as the TLS guest role.
    If I disable TLS guest access in the 802.1x auth profile, Aruba always assigns the user role defined as the 802.1x auth default role to the client.

    Thanks,

     

    Attachment(s): EAP-TLS_mac_filter.docx (docx, 85 KB)


  • 4.  RE: EAP-TLS and Mac filtering

    EMPLOYEE
    Posted Apr 03, 2012 05:37 AM

    Do you have a mac authentication profile configured on that AAA profile?

     

    Please show the output of "show auth-tracebuf" when authentication is occurring.  Also configure debugging for that client and share the output.  The config is good, but we want to see the result.

     

    EDIT:  Why do you want to layer mac authentication on top of TLS?  TLS is not secure enough?

     



  • 5.  RE: EAP-TLS and Mac filtering

    Posted Apr 03, 2012 12:22 PM

    Dear cjoseph,

    Do you have a mac authentication profile configured on that AAA profile?

    No. I have used a "user derivation rule" in the AAA profile, but it has no effect. How can I use the "user derivation rule"? Do I have to enable a "MAC filtering profile" to use user derivation in the AAA profile?
      

     

    Please show the output of "show auth-tracebuf" when authentication is occuring.  Also configure debugging for that client and share the output.  The config is good, but we want to see the result.

    Please find it attached.

     

     

    EDIT:  Why do you want to layer mac authentication on top of TLS?  TLS is not secure enough?
    I am trying to explain to our customer that we don't need MAC filtering; EAP-TLS is enough, because MAC filtering is not a safe method. The client certificate cannot be exported from the iPad, but a MAC can be spoofed easily. But they want to use a minimum of two auth methods. If possible, could you send me more in-depth information about why MAC filtering should not be used? They respect your opinion more than mine, since you are a guru.

     

    Thanks,




  • 6.  RE: EAP-TLS and Mac filtering
    Best Answer

    EMPLOYEE
    Posted Apr 03, 2012 11:43 PM

    Thank you.

     

    User derivation rule is overridden by later authentication like 802.1x, so it will not come into play and should not be used with 802.1x--(Note:  Only the DHCP option user derivation rule works with 802.1x).  You need to configure mac authentication, instead.  You need to:

     

    - Create a mac authentication profile

    - Create a mac authentication server group (choose default)

    - Apply the mac authentication profile and the mac authentication server group to the AAA profile

    - Add a mac address to the internal database as a username and password in the same format as the mac authentication profile.

     

    EAP-TLS is probably the strongest method of authentication available.  MAC authentication has never been a very strong method, because it can easily be spoofed.  It should NEVER count as a second factor.

     

    Please read the "Building a Global Security Policy for wireless LANS" whitepaper here for more information that you can pass on to the customer: http://www.arubanetworks.com/pdf/technology/whitepapers/wp_Global_security.pdf
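
    As an added example (not from this thread or from Aruba's own documentation), the ArubaOS 6.x CLI form of the four steps above, combined with the layer 2 fail-through behaviour described in reply 2. Profile, server-group and role names, the NPS server-group name and the MAC address are assumptions; lines beginning with `!` are annotations rather than configuration.

```text
! Step 1: MAC authentication profile. This sets the username/password
! format the controller derives from the client MAC (upper case, no delimiter).
aaa authentication mac "ipad-mac-auth"
   case upper
   delimiter none
!
! Step 2: server group for MAC auth, pointing at the controller's internal DB.
aaa server-group "ipad-mac-srv"
   auth-server Internal
!
! Step 3: bind both to the AAA profile used by the EAP-TLS SSID, next to the
! existing 802.1x profile and the NPS RADIUS server group (assumed names).
aaa profile "ipad-eaptls-aaa"
   authentication-dot1x "default"
   dot1x-server-group "nps-radius"
   dot1x-default-role "authenticated"
   authentication-mac "ipad-mac-auth"
   mac-server-group "ipad-mac-srv"
   mac-default-role "ipad-role"
   ! l2-auth-fail-through is left unset (default off) so a client must pass
   ! BOTH EAP-TLS and MAC auth and lands in "ipad-role". Enabling it would let
   ! a client that passes EAP-TLS but fails MAC auth fall back to
   ! "authenticated" instead of being denied.
!
! Step 4: the MAC as username AND password, in the same format as step 1
! (constructed sample address).
local-userdb add username AABBCCDDEEFF password AABBCCDDEEFF role ipad-role
```

    Verify with "show auth-tracebuf" while the iPad associates, as reply 4 suggests; with fail-through unset, an iPad whose MAC is absent from the internal DB is denied even after a successful EAP-TLS exchange.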



  • 7.  RE: EAP-TLS and Mac filtering

    Posted Apr 05, 2012 04:02 PM

    Hello Cjoseph,

    Thanks for your information.They will use only EAP-TLS. :)



  • 8.  RE: EAP-TLS and Mac filtering

    EMPLOYEE
    Posted Apr 05, 2012 04:04 PM

    Yes!



  • 9.  RE: EAP-TLS and Mac filtering

    Posted Jun 05, 2012 10:46 PM

    Hi Colin,

     

    I'm having a similar issue. I have EAP-TLS deployed for my 802.1x SSID, but the customer would like to allow a handful of devices that are unable to complete EAP-TLS to authenticate via MAC address.

     

    I created and applied both the MAC auth profile and MAC auth server group to my AAA profile. Added MAC address of client to internal DB. Enabled L2 auth fail through.

     

    When I try to connect with the client and fail EAP-TLS, it appears that MAC auth is not even attempted. I ran the 'show auth-tracebuf' command and it shows the client only attempts 802.1x; I see server rejected from my RADIUS server and nothing else... For troubleshooting, I removed the 802.1x auth profile and the 802.1x server group. 'show auth-tracebuf' displayed 'dot1x disabled' and MAC auth never completed.

     

    Unfortunately I don't have debugs, configs, or logs since this was done at a customer site. I will be returning to the customer and was hoping to have this squared away. I tested in my lab (using EAP-PEAP instead of TLS as my 802.1x auth) and experienced the same results.

     

    Any ideas?

     

    Just for clarification I am not doing anything with User-Derivation rules.

     

    Thanks in advance,

    Scott



  • 10.  RE: EAP-TLS and Mac filtering

    EMPLOYEE
    Posted Jun 06, 2012 01:37 AM


    Devices that attempt to connect to an EAP-TLS network MUST be able to connect via EAP-TLS, otherwise traffic will not pass.  L2 passthrough only allows a device that fails MAC auth to attempt to connect via EAP-TLS.  The exchange must take place successfully for a client to be let on an EAP-TLS network.  You cannot do what you are attempting.

     



  • 11.  RE: EAP-TLS and Mac filtering

    Posted Jun 06, 2012 04:57 PM

    Thanks for the clarification.



  • 12.  RE: EAP-TLS and Mac filtering

    Posted Jul 18, 2012 12:03 PM

    With that said, Colin, can you confirm if there is a way to have a dot1x SSID fail to MAC auth if the device is not dot1x compatible, or must it be on a separate SSID?

     

    Thanks!



  • 13.  RE: EAP-TLS and Mac filtering

    EMPLOYEE
    Posted Jul 18, 2012 04:52 PM

    That cannot be done.

     



  • 14.  RE: EAP-TLS and Mac filtering

    Posted Jul 26, 2012 12:31 AM

    Thanks for your support,

    Regards