Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

I have a security issue with Mac Address Authentication and WPA 2 Enterprise

  • 1.  I have a security issue with Mac Address Authentication and WPA 2 Enterprise

    Posted Aug 27, 2013 01:52 PM

    Hello,

    I am currently using WPA2 Enterprise with MAC Address Authentication and Microsoft NPS 2008 for RADIUS for one of our mobile device SSIDs.

    The problem that we've recently discovered is that you can sniff a MAC address from an Aruba AP and use any connected MAC address as the username/password and gain full access to the SSID, as long as that MAC address obviously already exists as a valid account in Active Directory.

    Is there a way I can disable MAC addresses from being used as the username and password on an SSID that is doing WPA2 Enterprise with MAC Authentication?

    Thanks.



  • 2.  RE: I have a security issue with Mac Address Authentication and WPA 2 Enterprise

    Posted Aug 27, 2013 02:27 PM

    So to understand exactly what you are doing:

    • You have both MAC Authentication and 802.1X enabled on the SSID?
    • NPS is used as the server group for both.
    • The devices use their MAC to pass MAC authentication (obviously)....but because you are using AD for the database....
    • Someone can find the MAC and basically use that as username/password on any device to gain access

    If this is true, I'd suggest you create two NPS policies, one for MAC Auth and one for 802.1X.   You can change the conditions of the policies to match a user group for example (one for MACs; one not).   In order to match the proper policy, you can consider creating two RADIUS server entries for NPS and two server groups.   The RADIUS server object would be the same; but you can differentiate them (and thus the matching NPS policy) by setting the NAS ID field.  For example, one could have "NPS-dot1x" and one could have "NPS-MAC".  Then in the corresponding NPS policies, make this a condition to match to ensure you hit the proper policy for MAC auth vs. 802.1X.



  • 3.  RE: I have a security issue with Mac Address Authentication and WPA 2 Enterprise

    Posted Aug 27, 2013 02:34 PM

    Clembo, thank you very much for your reply.

     

    You've identified my issue perfectly, that is exactly the case.

     

    I already have two NPS policies, one for 802.1x and another for Mac Address Authentication.

     

    So if I add a NAS Identifier under the Condition of "NPS-MAC" on my MAC Auth policy, this will work? And "NPS-dot1x" for my 802.1x policy? That's all I need to do?

     

    If this works, you need a raise :).



  • 4.  RE: I have a security issue with Mac Address Authentication and WPA 2 Enterprise

    Posted Aug 27, 2013 02:37 PM

    You'll need to make the condition change on NPS, but also modify some things on the controller.  Basically creating 2 server entries and 2 server groups.  The difference being the nas-identifier field that is applied (to match your NPS policy).   The names and nas-id are not specific and can be whatever you want; so long as they match up.

     

    aaa authentication-server radius "NPS-WPA2-ENT"
      nas-identifier "NPS-dot1x"

    aaa authentication-server radius "NPS-MAC"
      nas-identifier "NPS-MAC"

    aaa server-group "WPA2-ENT"
      auth-server "NPS-WPA2-ENT"

    aaa server-group "MAC-AUTH"
      auth-server "NPS-MAC"

    aaa profile "Your-AAA"
      mac-server-group "MAC-AUTH"
      dot1x-server-group "WPA2-ENT"
     



  • 5.  RE: I have a security issue with Mac Address Authentication and WPA 2 Enterprise

    Posted Aug 27, 2013 02:45 PM

    I have existing aaa authentication-server radius, aaa server-group and aaa profile configuration.

    So I will need to change the existing SSIDs to use multiple RADIUS server/AAA configs now, I take it?

     



  • 6.  RE: I have a security issue with Mac Address Authentication and WPA 2 Enterprise

    Posted Aug 27, 2013 02:52 PM

    The existing SSID will use the same AAA profile, but with a new server group, a new RADIUS server entry, and a modified RADIUS server entry.

     

    For example:

     

    AAA Profile (existing)

    - 802.1X Authentication Group

      - Server Group (existing)

        - NPS Server (existing.....but modified with a new NAS-ID)

    -MAC Authentication Group

      - NEW Server Group

        - NEW Server (same IP, same shared secret, but different NAS-ID)
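The reasoning in the posts above is easier to check by simulating the NPS side. The block below is an added illustration and is not code from the thread, from HPE Aruba or from Microsoft; the policy, group, NAS-Identifier and account names are assumptions chosen for the example, and the only NPS behaviour it relies on is that network policies are tried in order, the first one whose conditions all match is used, and a credential failure under that policy rejects the request rather than falling through to the next policy. It models the original single-policy setup, the two-policy fix with both the NAS-Identifier and the Windows-group conditions, and a variant with the NAS-Identifier condition alone, which shows why the group condition the second post mentions is also needed.

```python
"""Simulation of NPS network-policy matching for MAC auth vs 802.1X.

Added example for this thread, not vendor code.  All names below
(groups, NAS-Identifiers, accounts, passwords) are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    password: str
    groups: frozenset


# Constructed stand-in for the AD accounts: one MAC-address account
# (username and password are both the MAC, which is what MAC auth sends)
# and one ordinary wireless user.
DIRECTORY = {
    "001122aabbcc": Account("001122aabbcc", frozenset({"MAC-Auth-Devices"})),
    "alice": Account("correct horse battery staple", frozenset({"Wireless-Users"})),
}


@dataclass
class Policy:
    name: str
    nas_identifier: Optional[str] = None  # condition: NAS-Identifier attribute must equal this
    windows_group: Optional[str] = None   # condition: the account must be in this group

    def matches(self, request: dict) -> bool:
        """True when every configured condition holds for this request."""
        if self.nas_identifier is not None and request["nas_identifier"] != self.nas_identifier:
            return False
        if self.windows_group is not None:
            acct = DIRECTORY.get(request["username"])
            if acct is None or self.windows_group not in acct.groups:
                return False
        return True


def evaluate(policies, request: dict):
    """First policy whose conditions match decides; no fall-through on a bad password."""
    for policy in policies:
        if policy.matches(request):
            acct = DIRECTORY.get(request["username"])
            accepted = acct is not None and acct.password == request["password"]
            return ("Access-Accept" if accepted else "Access-Reject", policy.name)
    return ("Access-Reject", None)


# The controller side from the thread: the 802.1X server entry sends
# NAS-Identifier "NPS-dot1x", the MAC-auth entry sends "NPS-MAC".
def request(username, password, nas_identifier):
    return {"username": username, "password": password, "nas_identifier": nas_identifier}

MAC_VIA_DOT1X = request("001122aabbcc", "001122aabbcc", "NPS-dot1x")  # the attack in post 1
MAC_VIA_MAC = request("001122aabbcc", "001122aabbcc", "NPS-MAC")      # legitimate MAC auth
ALICE_VIA_DOT1X = request("alice", "correct horse battery staple", "NPS-dot1x")
ALICE_BAD_PASSWORD = request("alice", "wrong", "NPS-dot1x")

# Original setup: one policy with no conditions serves both methods.
BEFORE = [Policy("Wireless (any method)")]

# NAS-Identifier condition only: still lets the MAC account in over 802.1X.
NAS_ID_ONLY = [
    Policy("NPS-MAC", nas_identifier="NPS-MAC"),
    Policy("NPS-dot1x", nas_identifier="NPS-dot1x"),
]

# The fix from the thread: NAS-Identifier plus a group condition per policy.
AFTER = [
    Policy("NPS-MAC", nas_identifier="NPS-MAC", windows_group="MAC-Auth-Devices"),
    Policy("NPS-dot1x", nas_identifier="NPS-dot1x", windows_group="Wireless-Users"),
]


def attack_outcomes():
    """Result of the sniffed-MAC-as-802.1X-credentials attack under each policy set."""
    return {
        "before": evaluate(BEFORE, MAC_VIA_DOT1X),
        "nas_id_only": evaluate(NAS_ID_ONLY, MAC_VIA_DOT1X),
        "after": evaluate(AFTER, MAC_VIA_DOT1X),
    }


if __name__ == "__main__":
    for label, outcome in attack_outcomes().items():
        print(f"{label:12s} MAC account over 802.1X -> {outcome}")
    print("after        alice over 802.1X        ->", evaluate(AFTER, ALICE_VIA_DOT1X))
    print("after        MAC auth                 ->", evaluate(AFTER, MAC_VIA_MAC))
```

With the two-policy configuration the sniffed MAC sent as a username/password over the 802.1X server entry matches neither policy and is rejected, while legitimate MAC auth and ordinary users still authenticate; a wrong password for a real user is rejected by the 802.1X policy without being retried against the MAC policy.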

     

     



  • 7.  RE: I have a security issue with Mac Address Authentication and WPA 2 Enterprise

    Posted Aug 27, 2013 03:10 PM

    Thanks Clembo, I'll probably contact support but reference this information. Greatly appreciated!



  • 8.  RE: I have a security issue with Mac Address Authentication and WPA 2 Enterprise

    Posted Aug 27, 2013 04:35 PM

    No problem; let us know how it works out.