Contributor I

MAC Authorization with 802.1x Wired or Wireless service

I would like to use MAC authorization with an 802.1x service, so that if both the user (AD user) and the PC (MAC in white list, NOT a member of AD) are authenticated, access is allowed.

- How can I use MAC as an authorization source with an 802.1x service?

- Can I add the MAC as username and password in local users and then use the Local User Repository in the authorization tab?

- What would the enforcement policy rules look like? Could it be something like: authorization AD, member of group X.

And

authorization Local User Repository, role name = Y

??

Guru Elite

Re: MAC Authorization with 802.1x Wired or Wireless service

Why use MAC address when it can be spoofed? EAP-TLS is recommended to solve these use cases.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: MAC Authorization with 802.1x Wired or Wireless service

Because the PCs are not members of the company domain.

Is the above applicable?

MVP

Re: MAC Authorization with 802.1x Wired or Wireless service

You could use ClearPass Onboarding to achieve this, but it's licensed.

Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP - Was this post useful, Kudos are welcome.
Contributor I

Re: MAC Authorization with 802.1x Wired or Wireless service

I am looking for a method other than on board.

Can anyone help?

MVP

Re: MAC Authorization with 802.1x Wired or Wireless service

Hi Sultan77,

A device does not necessarily have to be AD joined to use EAP-TLS.

First of all, the CA root (and intermediate) certificate must be installed on the endpoint in order to validate the ClearPass RADIUS server certificate.

In addition, a computer/user certificate from your own PKI infrastructure must be installed on the endpoint.

ClearPass must have, in its trust store, the CA root (and intermediate) certificate with which the endpoint computer/user certificate was created, to be able to validate the computer/user certificate.

I think the biggest challenge is that it requires a high management effort. You must also be able to issue PKI certificates to "unknown" endpoint devices, which can be a security risk.

I wonder if other people have another solution in mind here.
Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP - Was this post useful, Kudos are welcome.
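
The endpoint side of the EAP-TLS setup described in the post above, as an added example that is not part of the original thread or of any Aruba documentation: a wpa_supplicant network block for a Linux client that is not joined to AD. The choice of a Linux client, the SSID, identity, server name suffix, file paths and passphrase are all placeholders assumed for illustration.

```conf
# wpa_supplicant.conf: EAP-TLS on an endpoint that is not a domain member.
# Every name and path below is an illustrative placeholder.
ctrl_interface=/run/wpa_supplicant

network={
    # Placeholder SSID of the 802.1X WLAN.
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TLS

    # Identity sent in the EAP-Response/Identity message.
    identity="laptop01@example.com"

    # Root (and intermediate) CA used to validate the RADIUS server
    # certificate presented by ClearPass. If ca_cert is left out,
    # wpa_supplicant does not verify the server certificate at all.
    ca_cert="/etc/wpa_supplicant/certs/ca-chain.pem"

    # Also pin the server name: a trusted CA on its own would accept
    # any server certificate that CA has issued.
    domain_suffix_match="radius.example.com"

    # Computer/user certificate and key issued by your own PKI.
    # ClearPass needs the issuing CA chain in its trust store to
    # validate this certificate.
    client_cert="/etc/wpa_supplicant/certs/laptop01.pem"
    private_key="/etc/wpa_supplicant/certs/laptop01.key"
    private_key_passwd="CHANGE-ME"
}
```
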
Guru Elite

Re: MAC Authorization with 802.1x Wired or Wireless service

Configuring unmanaged devices for 802.1x can also be a chore, as well as maintaining lists of MAC addresses to users.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor I

Re: MAC Authorization with 802.1x Wired or Wireless service

Hi CJoseph,

How can I use MAC authorization and 802.1x authentication?

To allow specific MACs to specific resources.

MVP

Re: MAC Authorization with 802.1x Wired or Wireless service

You can create an extra attribute field in the endpoint database and use this endpoint database attribute in your enforcement policy.
Kind Regards Marcel Koedijk
HPE ASE Flexnetwork | ACMP | ACCP - Was this post useful, Kudos are welcome.