Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC address based auth is ignored

  • 1.  MAC address based auth is ignored

    Posted Oct 12, 2020 02:42 PM

    Hello,

    I do have to setup a WLAN where only registered MAC-addresses should be able to login.

    1. For testing purposes I created on a 7005 w/ 8.6.0.6 a new WLAN (called "MAC") with security: personal WPA2 and MAC Authentication enabled.

    2. Then I went to Authentication -> L2-Authentication and created a new authentication profile (delimiter: colon, case: lower, max auth. failures: 0).

    3. Then I went to Auth server -> internal -> internal and added a new user with username:password = xx:xx:xx...:xx:xx:xx... with role "default-via-role" and clicked "enabled".

    4. Now I went to AAA profiles -> AAA and found a new profile called "Mac_aaa_prof". The only thing here I touched was to click on "MAC Authentication" and to choose as MAC Authentication Profile the profile I created in step 2.

    This is the way I understand the advice here.

    But unfortunately every client with knowledge of the WPA2-PSK can login to this WLAN.

    My guess is that I am missing something in step 4.

    Are there any ideas...?

    Thanks!



  • 2.  RE: MAC address based auth is ignored

    EMPLOYEE
    Posted Oct 12, 2020 02:51 PM

    That mac auth profile needs to be configured in the AAA profile that you are using to allow WPA2 users on with.  If you get on the commandline and type "show user-table", the profile in the profile column is the AAA profile that you need to add the mac authentication profile to.



  • 3.  RE: MAC address based auth is ignored

    Posted Oct 13, 2020 05:16 AM

    Hello,

    I am testing with a new device which was never before used in that WLAN.

    It can enter the given WLAN "MAC" as soon as I type in the WPA2 passphrase; it gets an IP and everything is working - but it should not be allowed to.

    show user-table gives me for this device:

    Profile=MAC_aaa_prof

    _________________________________

    show aaa profile MAC_aaa_prof:

    AAA Profile "MAC_aaa_prof"
    --------------------------
    Parameter                                               Value
    ---------                                               -----
    Initial role                                            default-via-role
    MAC Authentication Profile                              MAC
    MAC Authentication Default Role                         guest
    MAC Authentication Server Group                         internal
    802.1X Authentication Profile                           MAC_dot1_aut
    802.1X Authentication Default Role                      guest
    802.1X Authentication Server Group                      N/A
    Download Role from CPPM                                 Disabled
    Set username from dhcp option 12                        Disabled
    L2 Authentication Fail Through                          Disabled
    Multiple Server Accounting                              Disabled
    User idle timeout                                       N/A
    Max IPv4 for wireless user                              2
    RADIUS Accounting Server Group                          N/A
    RADIUS Roaming Accounting                               Disabled
    RADIUS Interim Accounting                               Disabled
    RADIUS Acct-Session-Id In Access-Request                Disabled
    XML API server                                          N/A
    RFC 3576 server                                         N/A
    User derivation rules                                   N/A
    Wired to Wireless Roaming                               Enabled
    Reauthenticate wired user on VLAN change                Disabled
    Device Type Classification                              Enabled
    Enforce DHCP                                            Disabled
    PAN Firewall Integration                                Disabled
    Open SSID radius accounting                             Disabled
    Apply ageout mechanism on bridge mode wireless clients  Disabled
    ___________________________________

    show profile-list aaa authentication mac:

    MAC Authentication Profile List
    -------------------------------
    Name             References  Profile Status
    ----             ----------  --------------
    default          0
    MAC              1

    What is missing...?



  • 4.  RE: MAC address based auth is ignored

    Posted Oct 14, 2020 03:51 AM

    Does no one have any idea?

    In this posting @cjoseph wrote:

    "For a client to connect successfully on an 802.1x network with encryption it needs a username or password. That is not optional. What is optional is passing mac authentication."

    So how do I make MAC authentication mandatory instead of optional?



  • 5.  RE: MAC address based auth is ignored

    EMPLOYEE
    Posted Oct 14, 2020 03:57 AM

    The initial role in your AAA profile is default-via-role.  That means devices that enter without passing authentication will have that role.  You need to change it to something restrictive, so that if a device passes PSK, but fails authentication, the initial role will restrict them.  Your mac authentication default role should be the role that your users obtain after passing mac authentication and should be permissive.
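    Putting that advice into configuration, as an added example written for this thread (not the poster's config and not taken from HPE Aruba documentation): it assumes ArubaOS 8.x CLI syntax, the built-in "logon" role as the restrictive initial role, the built-in "authenticated" role as the permissive role after MAC authentication, and a constructed MAC address; the profile names MAC and MAC_aaa_prof are the ones from the thread.

```text
! Added example, not the poster's configuration. ArubaOS 8.x CLI syntax assumed.
! MAC authentication profile as described in step 2 of the thread
aaa authentication mac "MAC"
    delimiter colon
    case lower
    max-authentication-failures 0

! Registered device in the internal DB: username and password are both the
! MAC address, written in the profile's format (lower case, colon delimiter).
! 00:11:22:33:44:55 is a constructed placeholder, not a real device.
local-userdb add username 00:11:22:33:44:55 password 00:11:22:33:44:55 role authenticated

! AAA profile bound to the "MAC" WLAN. initial-role is what a client holds after
! passing the PSK but before (or after failing) MAC auth; "logon" (assumed here)
! gives no general network access. mac-default-role is what a client gets once
! its MAC is found in the server group.
aaa profile "MAC_aaa_prof"
    initial-role "logon"
    authentication-mac "MAC"
    mac-default-role "authenticated"
    mac-server-group "internal"
```

    With this in place, show user-table should list an unregistered test device with role logon and a registered one with role authenticated, which is the quickest way to confirm the initial role is actually doing the restricting.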



  • 6.  RE: MAC address based auth is ignored

    Posted Oct 14, 2020 05:28 AM

    @cjoseph Thank you, I can try this in 20h when I am hands-on at the controller.

    Is there any good documentation about these "roles" and which is best suited for what purpose? I must admit that I have never been involved...



  • 7.  RE: MAC address based auth is ignored

    Posted Oct 26, 2020 12:04 PM

    I still need help with this.

    When I assign a role like "guest", everybody can still log into the WLAN and MAC addresses are not filtered.

    What kind of role should I apply to this specific WLAN?