Contributor II

MAC address based auth is ignored

Hello,

I do have to setup a WLAN where only registered MAC-addresses should be able to login.

 

1. For testing purposes I created on a 7005 w/ 8.6.0.6 a new WLAN (called "MAC") with security: personal WPA2 and MAC Authentication enabled.

2. Then I went to Authentication -> L2-Authentication and created a new authentication profile (delimiter: colon, case: lower, max auth. failures: 0).

3. Then I went to Auth server -> internal -> internal and added a new user with username:password = xx:xx:xx...:xx:xx:xx... with role "default-via-role" and clicked "enabled".

4. Now I went to AAA profiles -> AAA and found a new profile called "Mac_aaa_prof". The only thing here I touched was to click on "MAC Authentication" and to choose as MAC Authentication Profile the profile I created in step 2.

 

This is the way I understand the advice here.

 

But unfortunately every client with knowledge of the WPA2-PSK can login to this WLAN.

 

My guess is that I am missing something in step 4.

 

Are there any ideas...?

 

Thanks!

 

 

Guru Elite

Re: MAC address based auth is ignored

That MAC auth profile needs to be configured in the AAA profile that you are using to let WPA2 users on. If you get on the command line and type "show user-table", the profile in the profile column is the AAA profile that you need to add the MAC authentication profile to.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.5 User Guide
InstantOS 8.5 User Guide
Airheads Knowledgebase
Airheads Video Knowledge Base
Remote Access Point Solution Guide
ArubaOS Consolidated Release Notes
ArubaOS 8 ViA VPN Solution Guide
Contributor II

Re: MAC address based auth is ignored

Hello,

I am testing with a new device which was never before used in that WLAN.

It can enter the given WLAN "MAC" as soon as I type in the WPA2 passphrase, gets an IP and everything is working - but it should not be allowed to.

 

show user-table gives me for this device:

Profile=MAC_aaa_prof

 

 

_________________________________

 

show aaa profile MAC_aaa_prof:

AAA Profile "MAC_aaa_prof"
--------------------------
Parameter                                               Value
---------                                               -----
Initial role                                            default-via-role
MAC Authentication Profile                              MAC
MAC Authentication Default Role                         guest
MAC Authentication Server Group                         internal
802.1X Authentication Profile                           MAC_dot1_aut
802.1X Authentication Default Role                      guest
802.1X Authentication Server Group                      N/A
Download Role from CPPM                                 Disabled
Set username from dhcp option 12                        Disabled
L2 Authentication Fail Through                          Disabled
Multiple Server Accounting                              Disabled
User idle timeout                                       N/A
Max IPv4 for wireless user                              2
RADIUS Accounting Server Group                          N/A
RADIUS Roaming Accounting                               Disabled
RADIUS Interim Accounting                               Disabled
RADIUS Acct-Session-Id In Access-Request                Disabled
XML API server                                          N/A
RFC 3576 server                                         N/A
User derivation rules                                   N/A
Wired to Wireless Roaming                               Enabled
Reauthenticate wired user on VLAN change                Disabled
Device Type Classification                              Enabled
Enforce DHCP                                            Disabled
PAN Firewall Integration                                Disabled
Open SSID radius accounting                             Disabled
Apply ageout mechanism on bridge mode wireless clients  Disabled

___________________________________

show profile-list aaa authentication mac:

MAC Authentication Profile List
-------------------------------
Name             References  Profile Status
----             ----------  --------------
default          0
MAC              1

 

 

What is missing...?

 

 

Contributor II

Re: MAC address based auth is ignored

Does no one have any idea?

 

In this posting @cjoseph wrote:

"For a client to connect successfully on an 802.1x network with encryption it needs a username or password. That is not optional. What is optional is passing mac authentication."

 

So how do I make MAC authentication mandatory instead of optional?

Guru Elite

Re: MAC address based auth is ignored

The initial role in your AAA profile is default-via-role. That means devices that enter without passing authentication will have that role. You need to change it to something restrictive, so that if a device passes the PSK but fails authentication, the initial role will restrict it. Your MAC authentication default role should be the role that your users obtain after passing MAC authentication and should be permissive.


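Putting the two replies above together (bind the MAC authentication profile to the AAA profile the WLAN actually uses, then make the initial role restrictive and the MAC authentication default role permissive), the relevant part of the configuration would look roughly like the following in ArubaOS CLI syntax. This is an added example, not configuration from the thread or from Aruba: the role name mac-pending, the ACL name deny-all and the address aa:bb:cc:dd:ee:ff are assumptions constructed for the example, "authenticated" is the predefined permit-all role, and the exact command forms should be checked against the CLI reference for the release in use. Note also that a MAC address is trivially spoofed, so this is a device-registration convenience on top of the PSK, not a substitute for 802.1X.

```text
! Restrictive initial role (name is an assumption for this example).
! A client that has passed the WPA2-PSK but has not yet passed MAC
! authentication sits in this role and can reach nothing.
ip access-list session "deny-all"
  any any any deny
!
user-role "mac-pending"
  access-list session "deny-all"
!
! MAC authentication profile from step 2. The username the controller
! looks up is the client MAC in exactly this format (colon-delimited,
! lower case), so the internal DB entry must match it character for character.
aaa authentication mac "MAC"
  delimiter colon
  case lower
  max-authentication-failures 0
!
! Internal DB entry for one registered device: username and password are
! both the MAC in the profile's format. The role stored here is returned
! by the server and takes precedence over mac-default-role.
! (aa:bb:cc:dd:ee:ff is a constructed sample address)
local-userdb add username "aa:bb:cc:dd:ee:ff" password "aa:bb:cc:dd:ee:ff" role "authenticated"
!
! AAA profile: this must be the profile shown in the Profile column of
! "show user-table" for the WLAN, i.e. the one bound to the WLAN's virtual AP.
aaa profile "MAC_aaa_prof"
  initial-role "mac-pending"
  authentication-mac "MAC"
  mac-default-role "authenticated"
  mac-server-group "internal"
!
! Checks after connecting an unregistered and a registered device:
!   show user-table
!       Role column should read mac-pending for the unregistered device
!       and authenticated for the registered one.
!   show auth-tracebuf mac aa:bb:cc:dd:ee:ff
!       shows the MAC authentication request and its pass/fail result.
```

The reason the original setup let everyone in is visible in the profile dump posted earlier: the initial role was default-via-role, so a client that completed the PSK handshake was already in a usable role before MAC authentication was even evaluated, and a failed lookup simply left it there. With a deny-all initial role a failed lookup leaves the client associated but unable to pass traffic, which is the behaviour the original poster wanted.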
Contributor II

Re: MAC address based auth is ignored

@cjoseph Thank you, I can try this in 20h when I am hands-on with the controller.

 

Is there any good documentation about these "roles" and which is best suited for what purpose? I must admit that I have never been involved...
