Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to authenticate devices to use a WLAN by MAC Address

  • 1.  How to authenticate devices to use a WLAN by MAC Address

    Posted Oct 29, 2018 11:51 AM

    We have some specific SSIDs that use both:

     

    'Pre-Shared Key'

    'MAC Address filter'

     

    To authenticate.  I found the following article;

     

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-MAC-based-authentication-on-Aruba/ta-p/182430

     

    .. but I still do not see where to enter the device's MAC address information, in version 8.3.03.  Can anyone provide some direction?



  • 2.  RE: How to authenticate devices to use a WLAN by MAC Address

    EMPLOYEE
    Posted Oct 29, 2018 12:04 PM


  • 3.  RE: How to authenticate devices to use a WLAN by MAC Address

    Posted Oct 29, 2018 01:01 PM

    Hello cjoseph,

     

    Can you explain the web page that you provided?  I see an explanation to create a user in the internal database; but I am not sure how that would be related to adding a MAC Address.

     

    In HP MSM760 there is a section in the Web UI for a MAC address list; but, that might need to be done differently in Aruba 8.3.0.



  • 4.  RE: How to authenticate devices to use a WLAN by MAC Address
    Best Answer

    Posted Oct 29, 2018 02:07 PM

    You would add the mac address as the username and password into the local database.  It would correspond to step B on the page here:  https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-MAC-based-authentication-on-Aruba/ta-p/182430 but on the commandline, instead.



  • 5.  RE: How to authenticate devices to use a WLAN by MAC Address

    Posted Oct 29, 2018 05:32 PM

    I apologize in advance if anyone's answers are not obvious to me.  The above mentioned web page looks a little different from version 8.3.0

     

    I ended up navigating to: Mobility Master(web login) - Managed Network - GroupX - Configuration - Authentication - L2 Authentication .  From here I clicked the '+' symbol to create a new MAC Authentication profile.  See screen shot.

     

    I do not see where to do the suggested steps on part 'b'.  I navigated

    Mobility Master(web login) - Managed Network - GroupX - Configuration - Auth Servers - I selected 'Internal'.  Where is the option to 'add user'?

     

    Either version 8.3 is different or I am not navigating to the correct area. Let me lay it out here, maybe I need to create something else that is not in place yet.  Who knows...  maybe I should work in this part with a consultant?  But, in the interest of learning, if I wanted to add a MAC filter list for a specific SSID called 'Wifi1'  and that SSID also has a pre-shared key for security how can I do that? 

     

    Should I use the CLI?



  • 6.  RE: How to authenticate devices to use a WLAN by MAC Address

    EMPLOYEE
    Posted Oct 29, 2018 05:53 PM

    Yes, please use the CLI.

     

    make the username and password the mac address



  • 7.  RE: How to authenticate devices to use a WLAN by MAC Address

    Posted Nov 01, 2018 04:21 PM

    I think the process is different in version 8.3. I do not see the options that are mentioned.  I do not see an option to add a user to an Auth server or 'Server' that is mentioned.

     

    I think it is consultant time unless anyone can give more precise information.  Please see screen shot.



  • 8.  RE: How to authenticate devices to use a WLAN by MAC Address
    Best Answer

    EMPLOYEE
    Posted Nov 01, 2018 04:26 PM

    There is no GUI to add users that I know of in 8.x.  You would have to do it via the commandline:

    Capture.JPG

    The default server group automatically points to the internal local database above.



  • 9.  RE: How to authenticate devices to use a WLAN by MAC Address

    Posted Nov 02, 2018 09:53 AM

    Ok,

     

    So we have established that the Web Interface is not usable for adding a device via MAC Address. 

     

    1.  We will need to create 'user list' instead of a MAC address list.

           a.  Define the user list to have a username/password of the MAC Address. 

           b.  We cannot create a "MAC Address List" to be used in Aruba 8.X for authentication to an SSID (WLAN).

           c.  Is the above correct, so far?

     

    2.  If it is correct, and we will need to use a locally stored 'user database' for authentication instead....   Can we create different user groups inside the local user database?

           a.  If yes, can we assign specific users to have access to a specific SSID (WLAN)? 

     

    I am just worried how to specifically authenticate specific devices (unique MAC Addresses) because we have 3 different SSIDs (defined in the current system) that have 3 separate MAC Address lists that get authenticated via MAC Address and Pre-Shared key.

     

    I am afraid that we may have to ask Aruba how would  you suggest that we authenticate these devices in your system because it is not the same as our older system.  Kindly let me know what you think about the 2 questions above.



  • 10.  RE: How to authenticate devices to use a WLAN by MAC Address
    Best Answer

    EMPLOYEE
    Posted Nov 02, 2018 10:26 AM

    I would suggest that you don't use mac authentication, period.  You should authenticate to a database that has usernames and passwords, like active directory, otherwise you will be constantly maintaining a mac address database, which is not recommended.  Mac addresses can easily be changed in the driver options in most laptops.

     

    1.  There is only a single database in the controller for authentication.  You would have to create a user whose username and password is the mac address.  You would then create a mac authentication profile specifying the format of the mac address (delimiter, upper/lower) how you put it into the user database.

     

    2.  That is the single database I am referring to above.  You can have mac addresses stored in different formats (upper, lower, delimiter) to correspond to the SSID you are authenticating from.  One SSID would use capitalized mac addresses (upper), one would use lower case mac addresses (lower), and one would use colons and upper case (upper and delimiter colon).  You would enter and maintain mac addresses in that database in those formats to determine who would be able to connect to what SSID.

     

    Again, this is possible, but not recommended.

     

     



  • 11.  RE: How to authenticate devices to use a WLAN by MAC Address

    Posted Nov 02, 2018 12:54 PM

    Ok,

     

    It appears that the ARUBA wireless system is different in some ways from our previous Wireless system.  That sort of thing happens when changing systems.  We will either need to:

     

    1.  Create usernames instead of MAC Addresses.

     

    2.  Ask Aruba support how do they recommend us to use their system to achieve the business goals that we are looking for in this case. 

          a.  Perhaps there is a better way that Aruba can suggest, who knows?

     

    I was hoping we can create different user groups in the Aruba Controller; but, if not then that is what it is.  Let me ask if you wanted to 'Black-list' a device can that be done by MAC address or must we create a username as the MAC Address as well?



  • 12.  RE: How to authenticate devices to use a WLAN by MAC Address

    EMPLOYEE
    Posted Nov 02, 2018 01:40 PM


  • 13.  RE: How to authenticate devices to use a WLAN by MAC Address

    Posted Mar 31, 2019 04:02 PM

    What is the user/mac password address format? 

    a0:88:b4:c9:03:c0

    a0-88-b4-c9-03-c0

    a088b4c903c0



  • 14.  RE: How to authenticate devices to use a WLAN by MAC Address

    Posted Mar 31, 2019 04:09 PM

    I got it to work via GUI in 8.4

     

    Long story short the users/mac addresses appear to live on the internal db of the MM. Go to the MM Node/Group authentication->Internal->Users

     

    Don't forget to clear/delete your user from the MC when troubleshooting this..

     

    MC# aaa user delete mac x

     

    I had all formats entered.. I ran out of energy on which one it actually used. gl



  • 15.  RE: How to authenticate devices to use a WLAN by MAC Address

    EMPLOYEE
    Posted Mar 31, 2019 04:38 PM

    The default mac authentication profile uses no delimiter and lower case:

     

    (ArubaMM-VA) *[mynode] #show aaa authentication mac default
    
    MAC Authentication Profile "default"
    ------------------------------------
    Parameter                                      Value
    ---------                                      -----
    Delimiter                                      none
    Case                                           lower
    Max Authentication failures                    0
    Reauthentication                               Disabled
    Reauthentication Interval                      86400 sec
    Use Server provided Reauthentication Interval  Disabled
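
Added example (not part of the thread and not Aruba code): the replies above say the internal-database username and password must be the MAC address written in the delimiter and case of the MAC authentication profile. This Python sketch formats a MAC for a given profile and audits a list of entries against it; the function names are hypothetical, and the delimiter names are limited to those seen in the thread (none, colon) plus dash for the hyphenated sample format.

```python
import re

# Delimiter names: "none" and "colon" appear in the thread; "dash" covers the
# hyphenated sample format posted there. Other profile options are not modelled.
DELIMS = {"none": "", "colon": ":", "dash": "-"}


def format_mac(mac, delimiter="none", case="lower"):
    """Return the MAC as the username/password string a profile with these
    settings would expect. Defaults mirror the "default" profile shown above."""
    if case not in ("upper", "lower"):
        raise ValueError(f"unknown case setting: {case!r}")
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper() if case == "upper" else digits.lower()
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    return DELIMS[delimiter].join(octets)


def audit_entries(usernames, delimiter="none", case="lower"):
    """Sort local-db usernames into: already in the profile's format,
    valid MACs in the wrong format (mapped to the fix), and non-MAC entries."""
    ok, wrong, invalid = [], {}, []
    for name in usernames:
        try:
            expected = format_mac(name, delimiter, case)
        except ValueError:
            invalid.append(name)
            continue
        if name == expected:
            ok.append(name)
        else:
            wrong[name] = expected
    return ok, wrong, invalid


# Constructed sample: the three formats asked about in the thread plus a
# hypothetical non-MAC account, checked against the default profile.
SAMPLE = ["a0:88:b4:c9:03:c0", "a0-88-b4-c9-03-c0", "a088b4c903c0", "guest1"]

if __name__ == "__main__":
    ok, wrong, invalid = audit_entries(SAMPLE)
    print("matches profile:", ok)
    print("wrong format   :", wrong)
    print("not a MAC      :", invalid)
```

Entries reported as wrong format are the ones to re-enter (or to match with a profile that uses that delimiter and case) before troubleshooting further.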
    


  • 16.  RE: How to authenticate devices to use a WLAN by MAC Address

    Posted Jun 10, 2020 03:06 AM
