Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Mac Based Auth

  • 1.  Mac Based Auth

    Posted Dec 05, 2012 09:04 AM

    I am using ArubaOS 6.1.3.1

    I have a WPA2 SSID with RADIUS auth to AD.

    I have a small area in my coverage zone where I want about 10 iPads to be able to access a certain web site on our network, and no one else on the SSID. The iPads log in with a generic ID, so I can't do it based on roles.

    What's the best way to approach this: MAC auth and create a new set of roles with this site included? New SSID?

    TIA for any help



  • 2.  RE: Mac Based Auth

    Posted Dec 05, 2012 02:02 PM

    If you want to do dot1x and also a MAC-based role change, you can use UDR (user derivation rules). Or, if you are creating a new SSID for the iPads, you can do MAC authentication.



  • 3.  RE: Mac Based Auth

    Posted Dec 05, 2012 02:09 PM

    Where is your URL filtering done? Controller or firewall? Without that knowledge, I can see a few methods:

    1. You can create a login/password for those particular iPads and drop them into a different role. The problem is if that username/password is distributed.

    2. As Vinod mentioned, you can do a MAC address bypass mode and set the role to "authenticated" or to another user-role based on the MAC auth. Watch out, because once folks get word of this, it may become an admin nightmare.

    3. Create another role and use user-based derivation to drop them into a different role. Again, if the info gets out, users will connect to this SSID to gain access, so another form of auth such as MAC address bypass or info passed from your RADIUS server may be required.