Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Problem with MAC authentication

  • 1.  Problem with MAC authentication

    Posted Nov 29, 2013 05:00 PM

    I recently inherited an Aruba 6000 system (ver 6.1.3.6) that was set up by a predecessor, naturally without documentation whatsoever.

    We have a hidden SSID for MAC authentication of certain devices to bypass our captive portal, and the internal database has a number of entries in it. Unfortunately, our setup differs slightly from what I've been able to glean from the manual pages and various KBs that I've come across. The main issue seems to be that, well, it is allowing anyone and everyone to connect.

    Also, they had the database set up so that the usernames were "friendly names" (i.e. 'Bob's laptop') and the password was the MAC address. That allowed them on, so they concluded the setup complete. Unfortunately, as it appears to be completely ignoring the database, that probably never worked.

    I'm still working my way around the system a bit, so I'm not sure really what would be helpful for anyone to see for this issue. I can of course provide screenshots all day long, but I'm not sure most of them would be of any benefit. What would be helpful to check in chasing down this aggravating issue?

    Thanks for any assistance you can provide!



  • 2.  RE: Problem with MAC authentication
    Best Answer

    Posted Nov 29, 2013 05:55 PM

    Can you please share your AAA profile config attached to that VAP?

    show wlan virtual-ap <virtual ap name>

    show aaa profile <profile name>

    - Make sure you have the AAA MAC authentication profile enabled
    - Make sure you have the MAC server group pointed to the internal database
    - And under the MAC auth role, whatever role you want those users to get once they get a successful MAC auth

    [attached image: Authentication Profiles_2013-11-29_17-49-32.png]



  • 3.  RE: Problem with MAC authentication
    Best Answer

    Posted Nov 29, 2013 06:23 PM

    In addition to Victor's suggestions, make sure of the following.

    - within the internal database, the username and password should be the MAC of the device (not the "friendly names")
    - the initial role in the AAA profile should be your captive portal role
    - as Victor states, the default MAC authentication role should be the "bypass" role


  • 4.  RE: Problem with MAC authentication

    Posted Dec 02, 2013 04:08 PM

    It seems quite obvious now that I'm looking in the proper place. The initial role was set to MAC-Computers, which is what the authenticated role was supposed to be.

    I changed the initial role to denyall, as the purpose behind the MAC SSID was to bypass the captive portal page (for e-readers, etc.). This seems to be keeping rogue machines off the network. Here are my configs in case anyone else runs across this issue (the changed line is "Initial role"), or in case there's a problem with doing it this way.

    Thanks for the quick suggestions!

    (Aruba6000) # show aaa profile MAC-Computers

    AAA Profile "MAC-Computers"
    ---------------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        MAC-Computers
    MAC Authentication Profile          MAC-Computers
    MAC Authentication Default Role     MAC-Computers
    MAC Authentication Server Group     default
    802.1X Authentication Profile       N/A
    802.1X Authentication Default Role  MAC-Computers
    802.1X Authentication Server Group  N/A
    L2 Authentication Fail Through      Disabled
    RADIUS Accounting Server Group      N/A
    RADIUS Interim Accounting           Disabled
    XML API server                      N/A
    RFC 3576 server                     N/A
    User derivation rules               N/A
    Wired to Wireless Roaming           Enabled
    SIP authentication role             N/A
    Device Type Classification          Enabled
    Enforce DHCP                        Disabled

    And after the change:

    (Aruba6000) # show aaa profile MAC-Computers

    AAA Profile "MAC-Computers"
    ---------------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        denyall
    MAC Authentication Profile          MAC-Computers
    MAC Authentication Default Role     MAC-Computers
    MAC Authentication Server Group     default
    802.1X Authentication Profile       N/A
    802.1X Authentication Default Role  MAC-Computers
    802.1X Authentication Server Group  N/A
    L2 Authentication Fail Through      Disabled
    RADIUS Accounting Server Group      N/A
    RADIUS Interim Accounting           Disabled
    XML API server                      N/A
    RFC 3576 server                     N/A
    User derivation rules               N/A
    Wired to Wireless Roaming           Enabled
    SIP authentication role             N/A
    Device Type Classification          Enabled
    Enforce DHCP                        Disabled
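The root cause in this thread is an AAA profile whose initial role already equals the MAC-authentication default role, so a client that never authenticates still lands in the bypass role, plus an internal database keyed by friendly names that MAC auth can never match. The following script, added here as an example and not part of the thread or any Aruba tooling, parses the "show aaa profile" table in the format quoted above and flags both conditions. The profile text is a copy of the thread's before/after output; the internal-database entries are constructed samples, and the function names are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the "before" table from the thread (trimmed to the rows
# the audit looks at; the parser copes with the full output as well).
BEFORE = """\
AAA Profile "MAC-Computers"
---------------------------
Parameter                           Value
---------                           -----
Initial role                        MAC-Computers
MAC Authentication Profile          MAC-Computers
MAC Authentication Default Role     MAC-Computers
MAC Authentication Server Group     default
802.1X Authentication Profile       N/A
L2 Authentication Fail Through      Disabled
"""

# The "after" table differs only in the initial role.
AFTER = BEFORE.replace("Initial role                        MAC-Computers",
                       "Initial role                        denyall")

# Accept 12 bare hex digits or colon/dash-delimited MAC notation.
MAC_RE = re.compile(r"^[0-9a-f]{12}$|^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)


def parse_aaa_profile(text: str) -> Dict[str, str]:
    """Turn the two-column 'show aaa profile' table into a {parameter: value} dict."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("AAA Profile", "---", "Parameter")):
            continue  # header, rule and caption rows carry no settings
        m = re.match(r"^(.*?)\s{2,}(\S.*)$", line)  # columns are split by 2+ spaces
        if m:
            params[m.group(1).strip()] = m.group(2).strip()
    return params


def audit_profile(params: Dict[str, str],
                  db_entries: List[Tuple[str, str]]) -> List[str]:
    """Return human-readable findings for the misconfigurations discussed in the thread."""
    findings: List[str] = []
    initial = params.get("Initial role")
    mac_role = params.get("MAC Authentication Default Role")

    if params.get("MAC Authentication Profile", "N/A") == "N/A":
        findings.append("no MAC authentication profile bound: MAC auth never runs")
    if params.get("MAC Authentication Server Group", "N/A") == "N/A":
        findings.append("no MAC server group: MAC auth has no database to query")
    if initial and initial == mac_role:
        findings.append(f"initial role '{initial}' equals the MAC-auth default role: "
                        "clients get the bypass role before authenticating")

    # Internal DB entries must be MAC-as-username with the same MAC as password,
    # otherwise the lookup performed by MAC auth can never match them.
    for user, pw in db_entries:
        if not MAC_RE.match(user) or user.lower() != pw.lower():
            findings.append(f"internal DB entry '{user}' is not MAC/MAC; MAC auth will not match it")
    return findings


if __name__ == "__main__":
    # Constructed DB samples: a friendly-name entry (wrong) and a MAC/MAC entry (right).
    bad_db = [("Bob's laptop", "00:11:22:aa:bb:cc")]
    good_db = [("001122aabbcc", "001122aabbcc")]
    for label, text, db in (("before", BEFORE, bad_db), ("after", AFTER, good_db)):
        print(f"--- {label} ---")
        for f in audit_profile(parse_aaa_profile(text), db) or ["no findings"]:
            print(f)
```

Run it against a saved copy of your own "show aaa profile" output to confirm the initial role is the captive-portal or denyall role rather than the bypass role; the DB check is only as good as the list you feed it, so export the internal database entries rather than typing them in.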



  • 5.  RE: Problem with MAC authentication

    Posted Dec 02, 2013 10:49 PM

    Brian, for what it's worth, if the only purpose of this SSID is bypassing the captive portal via MAC authentication, you could do this all in one SSID. You could set up an SSID with the initial role set to your captive portal logon role and, in the same profile, set up MAC authentication with its default role set to bypass the initial role.

    The fewer SSIDs, the better.....



  • 6.  RE: Problem with MAC authentication

    Posted Dec 03, 2013 09:51 AM

    Interesting--I hadn't really thought of that.

    The only caveat would be that there are some additional exceptions in the stateful firewall for the MAC SSID that aren't found in the "normal" public one. Would combining both roles limit the ability to allow MAC-authenticated machines to have access to a separate firewall whitelist?



  • 7.  RE: Problem with MAC authentication

    Posted Dec 04, 2013 12:39 AM

    If you had a single SSID with an initial role of captive portal and a MAC authentication role of, let's say, "mac-authd" or whatever you call it today on your other SSID, each connecting device would get the appropriate role and the firewall rules/ACLs behind it. Essentially they behave the same; it's just on the other SSID.
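The single-SSID layout described in this reply, written out as ArubaOS 6.x CLI. This is an added example, not the poster's or Aruba's configuration: the profile, VAP and role names ("Guest-MAC", "Guest-AAA", "Guest-VAP", "guest-logon", "mac-bypass") and the sample MAC are assumed, and the roles themselves are expected to exist already with the captive-portal and whitelist firewall policies attached to them.

```text
aaa authentication mac "Guest-MAC"
  delimiter none
  case lower
!
aaa profile "Guest-AAA"
  initial-role "guest-logon"
  authentication-mac "Guest-MAC"
  mac-default-role "mac-bypass"
  mac-server-group "default"
!
wlan virtual-ap "Guest-VAP"
  aaa-profile "Guest-AAA"
!
local-userdb add username 001122aabbcc password 001122aabbcc role mac-bypass
```

With "delimiter none" and "case lower" the controller looks the client up as twelve lowercase hex digits, so internal-database usernames must be stored in that exact form (and the password must be the same string), which is what the earlier answers mean by "username and password should be the MAC". A client that is not in the database stays in "guest-logon" and sees the captive portal; a listed client is moved to "mac-bypass" and gets that role's firewall rules. Confirm the chosen server group actually contains the Internal server with "show aaa server-group <name>" before relying on it.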