Occasional Contributor I

Mac Authentification and WPA2



We have two aruba 3400 controler with firmware.

we want associate authentication wpa2 and mac filtering.

I followed the instructions in Chapter 16 of the aruba User Guide and recommendations on this post

But mac filtering isn't working!!!

Can you help me?



Aruba Employee

Re: Mac Authentification and WPA2

What part is not working?  Chapter 19 of the 6.1 users guide is the MAC auth chapter. 


Short version:


Create a server group that contains the RADIUS server where your MAC addresses are stored

Assign that server group to the MAC auth profile of your AAA profile

Set the MAC auth default role in your AAA profile


That should do it. 


You might also have to edit the Authentication >  L2 Authentication > MAC Authentication profile, if you use a delimiter in the MAC addresses when you input them (the default is no delimiter).

Occasional Contributor I

Re: Mac Authentification and WPA2


Thanks for your reply.

it's not possible to use internal database?

Aruba Employee

Re: Mac Authentification and WPA2

Yes, it is.  Whe you create the server group, add the "internal" server.  Then, you can add the MAC addresses to the internal db.  Just make sure you enter them lowercase, without any delimiter (or change the default L2 MAC auth profile to match your delimeter).

Occasional Contributor I

Re: Mac Authentification and WPA2


Okay, we made this but that's don't work...We don't understand why!

Aruba Employee

Re: Mac Authentification and WPA2

In you AAA profile, do you have "L2 Authentication Fail Through" checked?  If so, the dot1x auth will be attempted even if MAC auth fails.

Occasional Contributor I

Re: Mac Authentification and WPA2


No, "L2 Authentication Fail Through" isn't checked...

Re: Mac Authentification and WPA2

Just  a question

Why you want to use a such a weak authentication method as mac filtering?


it got lot of disasvantage

Aruba does not recomend it as far i read it in a VRD i think...


Now you should take in mind a few things


1-You got a limit of 4000 mac addresses on the internal database

2-When you want to manage it  let say you will need to document it because you willl not know what mac address belongs to which pc later...



If you got Active directory and this is an enterprise enviroment use WPA2 enterprise with at least EAP PEAP

You just need a NPS server and a cert... if you got an internal cert authority well you just need one cert for that server with machine template...


Anyways what is hte enviroment in which you willl use this mac address filtering maybe we can help you with a better solution than mac address filtering.





Product Manager - Aruba Networks
Alternetworks Corp
Aruba Employee

Re: Mac Authentification and WPA2

Since it seems to be configured right, we will need more details to help out.  Whats not working?  How does the client fail (or does it get on when it is not supposed to)?  Turn on debugging (logging level debug user-debug xx:xx:xx:xx:xx:xx) for the MAC address having trouble, then connect (or try to connect).  Do "show log user-debug all" and see if you can find the source of the issue in the log messages.  Also, do "show auth-tracebuf" after the problem occurs and see if you see failed auths going to the internal DB.


If all of that looks OK, you might want to open a TAC case so they can screen share with you and see what's going on.

Occasional Contributor I

Re: Mac Authentification and WPA2


Yes, it's configured right.

I found the problem, we need to wait 30minutes before the mac entry take effect...It's very strange!


Thanks for your help :)

Search Airheads
Showing results for 
Search instead for 
Did you mean: