Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC Authentication & 802.1x keeps asking for username & password

  • 1.  MAC Authentication & 802.1x keeps asking for username & password

    Posted Oct 29, 2013 11:44 PM

    Hi All

    I know there are a lot of topics on this issue but I can't seem to find my answer. Hoping you can help.

    I want to set up a restricted SSID for some enrolling purpose using MAC Authentication (through Aruba Controller) so personal devices can't join this SSID.

    I created a user in the internal DB with the MAC address for username and password.

    I created an SSID with 802.1x authentication with WPA2 Enterprise encryption, and the authentication server is Internal.

    AAA profile pointing to correct MAC Authentication profile and server group (see pic).

    But when I join the SSID with my iPad (with MAC addy already in Internal DB), it keeps asking for username and password? Should just recognise my MAC. So I'm not sure what's missing. Thank you in advance.

    ipadsetup aaa profile.jpg



  • 2.  RE: MAC Authentication & 802.1x keeps asking for username & password

    EMPLOYEE
    Posted Oct 29, 2013 11:58 PM

    I recommend that you take a look at this post and see if this is what you are trying to accomplish.

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/L2-Fail-Through-Deep-Dive/td-p/40062

     

     



  • 3.  RE: MAC Authentication & 802.1x keeps asking for username & password

    Posted Oct 30, 2013 12:18 AM

    Yes it is what I'm trying to achieve, but MAC Auth failed and username and password keeps coming up. Is it because MAC auth fails or username and password will come up regardless?

    I just want device to connect to SSID without having to input anything. Aruba should check for MAC address in internal DB for authentication. What is your suggestion?

     

    Regards

    Tuan



  • 4.  RE: MAC Authentication & 802.1x keeps asking for username & password

    EMPLOYEE
    Posted Oct 30, 2013 12:31 AM

    Couple things

     

    1. I'm not an expert on the controllers (I'm a ClearPass SE) :) I will also let some of the Wireless SEs chime in...

    2. You should see in the logs if the client tried MAC auth first and then failed

    3. Make sure you have the L2 fail over enabled

     

    screenshot_04 Oct. 29 23.15.gif



  • 5.  RE: MAC Authentication & 802.1x keeps asking for username & password

    Posted Oct 30, 2013 01:36 AM

    I've also checked L2 Auth Fail through but it didn't help. It should just work even without L2 Auth Fail through checked, if MAC authenticates properly (which it doesn't). Am I on the right track here?

     



  • 6.  RE: MAC Authentication & 802.1x keeps asking for username & password

    Posted Oct 30, 2013 03:06 AM

    MAC Auth:

    - Did you put the right format for MAC Address in internal db (semicolon, none)?

    802.1X Auth:

    - If you enabled 1X auth, the user must authenticate his/her account (username and password) against the server group that is stated there. Did you have this set up? (It is different from MAC Auth.)

     

    Try this:

    - Create username and password in internaldb (not Mac Address)

    - Create "mac" account in internaldb

    - Check/select "termination" on 1X profile

    - Check your wifi
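The format check raised in the post above, as an added example that is not part of the original thread or of any Aruba tooling: it takes a client MAC in any common notation, renders it with a given delimiter and case, and flags internal-DB usernames that name the same device in a different format. The delimiter labels, the exact-match assumption, and the sample MAC and usernames are constructed for illustration.

```python
import re

# Delimiter labels are this example's own names, not controller syntax.
DELIMITERS = {"none": "", "colon": ":", "dash": "-"}
_FORMS = (
    r"[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}",  # aa:bb:.. or aa-bb-..
    r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}",             # aabb.ccdd.eeff
    r"[0-9a-f]{12}",                                      # bare hex
)

def parse_mac(text):
    """Return the MAC as 12 lowercase hex digits, or None if it is not one."""
    s = text.strip().lower()
    if any(re.fullmatch(p, s) for p in _FORMS):
        return re.sub(r"[:.-]", "", s)
    return None

def render(mac_hex, delimiter, case):
    """Format 12 hex digits the way the MAC auth profile is set to send them."""
    pairs = [mac_hex[i:i + 2] for i in range(0, 12, 2)]
    out = DELIMITERS[delimiter].join(pairs)
    return out.upper() if case == "upper" else out

def audit(db_usernames, client_mac, delimiter, case):
    """Return (expected username, findings) for one client device."""
    mac = parse_mac(client_mac)
    if mac is None:
        raise ValueError(f"not a MAC address: {client_mac!r}")
    expected = render(mac, delimiter, case)
    findings = []
    for name in db_usernames:
        if name == expected:  # assumption: the lookup is an exact string match
            findings.append((name, "match"))
        elif parse_mac(name) == mac:
            findings.append((name, "same device, wrong format"))
    return expected, findings

# Constructed sample data (locally administered MAC, made-up usernames).
SAMPLE_DB = ["02-00-5E-10-00-01", "02005e100001", "enrol-user"]

if __name__ == "__main__":
    expected, findings = audit(SAMPLE_DB, "0200.5e10.0001", "colon", "lower")
    print("profile would send:", expected)
    for name, verdict in findings or [("(no entry for this device)", "missing")]:
        print(f"  {name}: {verdict}")
```

An empty findings list means no entry exists for the device at all, which is a different problem from an entry stored in the wrong format.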



  • 7.  RE: MAC Authentication & 802.1x keeps asking for username & password

    Posted Oct 30, 2013 07:05 PM

    Thank you for your reply.

    Yes, the MAC Authentication profile matches the format used in internalDB (semicolon, lower).

    Yes, I have 802.1x Auth enabled, but I thought I could use this as a fallback when MAC Auth fails. So that's not the case? How else can I set up MAC authentication for iPads without users having to input anything? Other options (apart from 802.1x authentication) are strong encryption with shared key, weak encryption with WEP key and no authentication. I don't want to use any key but need users to authenticate through MAC address.

     

    Regards

    Tuan



  • 8.  RE: MAC Authentication & 802.1x keeps asking for username & password

    Posted Oct 31, 2013 01:11 AM

    I found the problem: the iPad I was working on for some reason wouldn't authenticate the MAC address in internal DB no matter how much I tried. I changed to another iPad and voilà, MAC authenticated and user role assigned perfectly.

    I also got rid of 802.1x auth as it is not necessary. So I have an open SSID with MAC authentication with restricted access.

    Thank you for all your time and effort, gents.

    Regards

    Tuan