OS 8.3.0.5 WLAN with MAC Auth Question

Hello,

I am attempting to set up a new SSID with MAC auth against the controller's internal database, as there will only be a handful of devices allowed on this SSID. I have the WLAN set up on the controller, as well as a MAC auth profile, and a new user profile to be given to these users upon authentication. The issue I am running into is that the internal database can only be added to at the MM level, but the new role I created is at the managed network level, so I am not able to select that role as the one to be given to the users in the internal db.

 

Hopefully this makes sense, and I am just missing something really minor here that's preventing me from completing this.

 

Thanks in advance

 

 

Guru Elite

Re: OS 8.3.0.5 WLAN with MAC Auth Question

If your users will only have one role upon successful mac auth, you can just change the default mac authentication role to that role in the AAA profile.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars

Re: OS 8.3.0.5 WLAN with MAC Auth Question

Thanks for the reply. I actually did do that. The issue is that I am trying to give the users a MAC auth role of "guest-printing", which I created on the controller level. The internal db, however, can only have users added to it at the MM level, where that new role I created doesn't exist, so the users in the db get handed the role of "guest".

 

Hopefully I am explaining this well enough

Guru Elite

Re: OS 8.3.0.5 WLAN with MAC Auth Question

I think I understand.

 

Create a new server group and then put the internal database in it.  Make that new server group your mac authentication server group in the AAA profile.

 

What is happening to you is that the default and internal server groups have this rule:

 

 role value-of String set role

 

Which means, when users authenticate to that server group, return the role of the user in the internal database, which at the highest level will default to guest when you add users in the local database.  If you authenticate to your new server group, there will be no rule requiring that the role of the user be returned, which means the users who mac authenticate should then take the default mac authentication role.

 

I hope that makes sense and works for you.

 

 


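The server-group change described in the reply above, sketched as ArubaOS CLI configuration (an added example, not part of the original thread). The names "printing-mac-sg", "guest-printing-aaa" and "guest-printing-mac" are hypothetical placeholders; "guest-printing" is the role named in the thread, and the configuration is assumed to be entered at the managed-network node where that role exists.

```text
! Constructed example. Names marked (hypothetical) are not from the thread.

! New server group that contains only the internal database.
! It is created without any server-derivation rule, so the
! "role value-of" rule quoted in the thread is not applied and the
! role stored in the internal database (guest) is not returned.
aaa server-group "printing-mac-sg"
    auth-server Internal
!
! AAA profile used by the WLAN's virtual AP.
! mac-server-group points MAC authentication at the new group;
! mac-default-role is what a client receives after a successful
! MAC auth when no role is derived from the server group.
aaa profile "guest-printing-aaa"
    authentication-mac "guest-printing-mac"
    mac-default-role "guest-printing"
    mac-server-group "printing-mac-sg"
!
! Checks after a test client associates:
!   show aaa server-group "printing-mac-sg"   (confirm no role rule is listed)
!   show local-userdb                         (role stored for the MAC entry)
!   show user-table                           (role the client actually received)
```

With this arrangement the internal database still decides which MAC addresses are admitted, while the role assignment comes only from the AAA profile, so the set of entries in the internal database remains the access control list for the SSID.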
New Contributor

Re: OS 8.3.0.5 WLAN with MAC Auth Question

It seems like a GUI issue to me.

You can add the MAC address via CLI on MM.

 

(MM) [mm] #local-userdb add username 112233aabbcc password 112233aabbcc role guest-printing

Guru Elite

Re: OS 8.3.0.5 WLAN with MAC Auth Question

You can add it, but type "show local-userdb" to see what role it gets.  It will not add a role that is not available at that context.  It will revert to guest.

