
MAC Authentication and WPA2

  • 1.  MAC Authentication and WPA2

    Posted Oct 26, 2012 08:49 AM

    Hi,

     

    We have two Aruba 3400 controllers with 6.1.3.4 firmware.

    We want to associate WPA2 authentication and MAC filtering.

    I followed the instructions in Chapter 16 of the Aruba User Guide and the recommendations in this post.

    But MAC filtering isn't working!!!

    Can you help me?

     

    Regards,


    #3400


  • 2.  RE: MAC Authentication and WPA2

    Posted Oct 26, 2012 09:17 AM

    What part is not working?  Chapter 19 of the 6.1 User Guide is the MAC auth chapter.

     

    Short version:

     

    Create a server group that contains the RADIUS server where your MAC addresses are stored

    Assign that server group to the MAC auth profile of your AAA profile

    Set the MAC auth default role in your AAA profile

     

    That should do it. 

     

    You might also have to edit the Authentication >  L2 Authentication > MAC Authentication profile, if you use a delimiter in the MAC addresses when you input them (the default is no delimiter).



  • 3.  RE: MAC Authentication and WPA2

    Posted Oct 26, 2012 09:36 AM

     

    Thanks for your reply.

    Is it not possible to use the internal database?



  • 4.  RE: MAC Authentication and WPA2

    Posted Oct 26, 2012 09:45 AM

    Yes, it is.  When you create the server group, add the "internal" server.  Then, you can add the MAC addresses to the internal db.  Just make sure you enter them lowercase, without any delimiter (or change the default L2 MAC auth profile to match your delimiter).



  • 5.  RE: MAC Authentication and WPA2

    Posted Oct 26, 2012 09:46 AM

     

    Okay, we did this but it doesn't work... We don't understand why!



  • 6.  RE: MAC Authentication and WPA2

    Posted Oct 26, 2012 09:52 AM

    In your AAA profile, do you have "L2 Authentication Fail Through" checked?  If so, the dot1x auth will be attempted even if MAC auth fails.



  • 7.  RE: MAC Authentication and WPA2

    Posted Oct 26, 2012 10:15 AM

     

    No, "L2 Authentication Fail Through" isn't checked...



  • 8.  RE: MAC Authentication and WPA2

    Posted Oct 26, 2012 10:39 AM

    Just a question:

    Why do you want to use such a weak authentication method as MAC filtering?

    It has a lot of disadvantages.

    Aruba does not recommend it, as far as I read in a VRD, I think...

    Now you should keep in mind a few things:

    1. You have a limit of 4000 MAC addresses on the internal database.

    2. When you want to manage it, let's say, you will need to document it, because you will not know which MAC address belongs to which PC later...

    If you have Active Directory and this is an enterprise environment, use WPA2 Enterprise with at least EAP PEAP.

    You just need an NPS server and a cert... If you have an internal cert authority, well, you just need one cert for that server with the machine template...

    Anyway, what is the environment in which you will use this MAC address filtering? Maybe we can help you with a better solution than MAC address filtering.

     

     

    Cheers

    Carlos
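
Added example, not part of any post above and not Aruba code: a pre-flight check for a MAC inventory before it is typed into the internal database, covering the format from reply 4 (lowercase, no delimiter unless the MAC auth profile is changed) and the 4000-entry limit and ownership record from reply 8. The function names, the `delimiter` parameter and the sample inventory are assumptions made for this sketch.

```python
import re

INTERNAL_DB_LIMIT = 4000  # limit quoted in reply 8 for the internal database
_HEX12 = re.compile(r"[0-9a-f]{12}")

def normalize_mac(raw, delimiter=""):
    """Return raw as 12 lowercase hex digits, re-joined with delimiter if given."""
    digits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    if delimiter:
        return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits

def build_entries(inventory, delimiter="", limit=INTERNAL_DB_LIMIT):
    """inventory: iterable of (raw_mac, owner). Returns (entries, problems)."""
    entries, problems = {}, []
    for raw, owner in inventory:
        try:
            mac = normalize_mac(raw, delimiter)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if mac in entries:
            # Same device written two ways would otherwise become two entries.
            problems.append(f"duplicate {mac}: {entries[mac]} / {owner}")
            continue
        entries[mac] = owner  # keeps the MAC-to-device record reply 8 asks for
    if len(entries) > limit:
        problems.append(f"{len(entries)} entries exceed limit of {limit}")
    return entries, problems

# Constructed sample inventory (not from the thread)
SAMPLE = [
    ("00:1A:2B:3C:4D:5E", "laptop-01"),
    ("001a.2b3c.4d5f", "printer-02"),
    ("00-1a-2b-3c-4d-5e", "laptop-01-dup"),
    ("00:1A:2B:3C:4D", "truncated"),
]

if __name__ == "__main__":
    entries, problems = build_entries(SAMPLE)
    for mac, owner in entries.items():
        print(mac, owner)
    for problem in problems:
        print("WARN", problem)
```
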



  • 9.  RE: MAC Authentication and WPA2

    Posted Oct 26, 2012 11:06 AM

    Since it seems to be configured right, we will need more details to help out.  What's not working?  How does the client fail (or does it get on when it is not supposed to)?  Turn on debugging (logging level debug user-debug xx:xx:xx:xx:xx:xx) for the MAC address having trouble, then connect (or try to connect).  Do "show log user-debug all" and see if you can find the source of the issue in the log messages.  Also, do "show auth-tracebuf" after the problem occurs and see if you see failed auths going to the internal DB.

     

    If all of that looks OK, you might want to open a TAC case so they can screen share with you and see what's going on.



  • 10.  RE: MAC Authentication and WPA2

    Posted Oct 30, 2012 04:44 AM

     

    Yes, it's configured right.

    I found the problem, we need to wait 30 minutes before the MAC entry takes effect... It's very strange!

     

    Thanks for your help :)



  • 11.  RE: MAC Authentication and WPA2

    Posted Nov 06, 2012 10:27 PM

    Hi,

     

    I was going to start a new topic but thought I'd just add to this one as it's very similar.

    I would like to have 2 layers of authentication: a WPA2 passphrase as well as MAC address. So if a client connects to the wireless network they need to enter the key as well as pass the MAC address authentication. I have spent a lot of time on this and am not sure what I am doing wrong.

    I have set up MAC auth via LDAP to our AD server, where I enter the username and password as the MAC address in the AD. I have tested the LDAP via aaa test and it says it authenticates successfully. I have set all the AAA profiles and server correctly, I think.

    What happens is if you connect and enter the correct network key it allows connection without authenticating the MAC address. Have included some screenshots below. Hope someone can point me in the right direction as it's taking up a lot of my time.

     

    Thanks in advance :)



  • 12.  RE: MAC Authentication and WPA2

    EMPLOYEE
    Posted Nov 06, 2012 10:34 PM

    You don't have L2 fail through enabled on the AAA profile, do you?

     



  • 13.  RE: MAC Authentication and WPA2

    Posted Nov 06, 2012 10:53 PM

    cjoseph, I've had a look and sure I checked this but now can't find that tick box :/ Can you tell me which area that is in?



  • 14.  RE: MAC Authentication and WPA2

    EMPLOYEE
    Posted Nov 06, 2012 10:55 PM

    It would be in the AAA profile, but only in ArubaOS 6.x and above.....  What version of ArubaOS is this?

     

    To test, you should first point the mac authentication server group to "default" and enter the mac addresses into the local user database to rule out issues with the LDAP server, if you have not done that already.

     

     



  • 15.  RE: MAC Authentication and WPA2

    Posted Nov 06, 2012 10:55 PM

    Oh, here's the one I've checked (see attachment), is that the one you mean? As it's been unticked all along.



  • 16.  RE: MAC Authentication and WPA2

    EMPLOYEE
    Posted Nov 06, 2012 10:56 PM

    No, it is in the AAA profile at the top level.

     

     



  • 17.  RE: MAC Authentication and WPA2

    Posted Nov 06, 2012 11:00 PM

    It's a 3200 controller with ArubaOS 3.4.2.3

    I've been at this for a week now and thought I'd tried the internal DB but will try again to satisfy myself. And I can't see where else fail through is referenced in the AAA profile.

     

    Thanks heaps for your help btw



  • 18.  RE: MAC Authentication and WPA2

    EMPLOYEE
    Posted Nov 06, 2012 11:04 PM

    In 3.4.2.3 if I remember, if a device is a WPA2 device it gets the Initial role in the AAA profile.  If a device THEN also passes mac authentication, it gets the default mac authentication role in the AAA profile.  There is no way to STOP a device that does not pass mac authentication, but you can give it a limited initial role if it does NOT.

     



  • 19.  RE: MAC Authentication and WPA2

    Posted Nov 06, 2012 11:08 PM

    Well, that's silly. I don't know enough to be able to configure the server rules to give limited access.

    I would like to update our controller but once again I'm not savvy enough with it to feel confident in doing that.



  • 20.  RE: MAC Authentication and WPA2

    EMPLOYEE
    Posted Nov 07, 2012 04:50 AM

    If you need ideas for a total solution, please open up a separate thread detailing what you want to accomplish.

     

    Users frequently post only parts of their issue and they do not receive the best advice, because the whole problem is not addressed.  Part of your issue is that you are using dated code that might not help your problem the way you need it to.  The other part is that we need to take your whole deployment into consideration so that we do not make things worse.

     



  • 21.  RE: MAC Authentication and WPA2

    Posted Nov 07, 2012 05:57 PM

    No worries, thanks heaps for your help :)

     



  • 22.  RE: MAC Authentication and WPA2

    Posted Oct 30, 2012 08:29 AM
    No, you don't have to wait... that must be a bug or something... I got that configured at a client, which was a requirement of theirs even though I mentioned all the disadvantages to them, and they don't need to wait... Now they are changing to another system that I told them about, because the administrative part of MAC address filtering is getting heavy, as I told them in the beginning... Anyway, I think you should open a support ticket because that should not happen.