Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Sample for MACTrac Service

  • 1.  Sample for MACTrac Service

    Posted Apr 15, 2014 03:40 PM

    Hello guys,

    I am trying to get MACTrac set up. I have created the portal for the users to create their devices. But I cannot seem to get devices to authenticate against a service that I have tried to create. I figure I am missing something, but I have been putting this together largely without much example.

    Does someone have an example? Looking for something really basic, simply to authenticate based on a MAC address inputted by a user. I will get more complex once I get the basics working.

    All the Devices I attempt to connect using a MACTrac created account seem to fall directly into the AirGroup Authorization Service and not my test service that I have created. Even when I move the service I created higher on the list. Short of making an exact copy of the AirGroup Authorization Service, I cannot get another service to process these devices.


    Clearpass.JPG



  • 2.  RE: Sample for MACTrac Service

    EMPLOYEE
    Posted Apr 15, 2014 03:45 PM
    You need to create a RADIUS service with the guest device repository as
    your authentication source. I'll post a sample when I get home.


  • 3.  RE: Sample for MACTrac Service

    Posted Apr 15, 2014 03:50 PM

    Should it not be RADIUS enforcement? I just assumed that was the correct option for the service since the Airgroup Authorization Service is a RADIUS enforcement service.

    I have my service set as a RADIUS Enforcement and the only Authentication Source is the Device Repository.



  • 4.  RE: Sample for MACTrac Service
    Best Answer

    EMPLOYEE
    Posted Apr 15, 2014 08:33 PM

    mactfac.PNG



  • 5.  RE: Sample for MACTrac Service

    Posted Apr 17, 2014 11:46 AM

    Sorry for the delayed response. Was out replacing certificates yesterday.

    This worked perfectly to get devices to authenticate using that rule.

    However, it only works if I place it higher than my Airgroup Authentication Rule.

    Do you have any suggestion as to a way to make devices authenticated via Device Repository fall through so they can be picked up by my MACTrac service? Essid does not seem to work.

    EDIT:

    Or do you happen to know what makes the client hand off the Essid name when it's trying to authenticate? When connecting to our 802.1x network we do the the Essid information, but this network will not be 802.1x. 



  • 6.  RE: Sample for MACTrac Service

    EMPLOYEE
    Posted Apr 17, 2014 12:04 PM

    Can you post a screenshot of your service list?

     



  • 7.  RE: Sample for MACTrac Service

    Posted Apr 17, 2014 12:09 PM

    Here it is. I disabled the Airgroup Authorization Service and copied it, so that I could try adding different checks to let things fall through to my test network. If I move my Test network above that, then it works, but in the training I attended they said not to put anything higher than the Aruba Default Services.

    Services.JPG



  • 8.  RE: Sample for MACTrac Service

    EMPLOYEE
    Posted Apr 17, 2014 12:10 PM

    Did you modify the default Airgroup Authorization Service? You shouldn't touch that service. It's a system level service and doesn't need to be changed.



  • 9.  RE: Sample for MACTrac Service

    Posted Apr 17, 2014 12:14 PM

    I copied it, and as it stands right now the copy is exactly the same as the default service. My problem is, the default service is what is authenticating MAC auth usernames, so it doesn't get to the MACTrac service.

    EDIT:

    So I think the reason it is being picked up there is the Authentication is coming through with Radius:IETF Service-Type of Authorize-Only (17)

    Which was not a service type you had included in your rule. Where are these Service-Types set/configured?



  • 10.  RE: Sample for MACTrac Service

    EMPLOYEE
    Posted Apr 17, 2014 12:32 PM

    You shouldn't have authorize-only in your MACTrac service. This is an authentication, not an authorization. Mirror the same service rules that I posted in the screenshot above and add another rule for the ESSID.



  • 11.  RE: Sample for MACTrac Service

    Posted Apr 17, 2014 12:37 PM

    I had copied exactly what you have. That does not stop the Airgroup Authorization Service from picking up the clients.

    So far it looks like they are coming through with the Service-Type of 17. Where is the service type set for clients?

     

    radius.JPG



  • 12.  RE: Sample for MACTrac Service

    EMPLOYEE
    Posted Apr 17, 2014 01:14 PM

    Hm. Something is off. I have AirGroup Authorization as service #1 and my MAC-Auth requests are still making it down to the MACTrac Service.

    What format are you using for MAC authentication in the controller? Is it hyphen?



  • 13.  RE: Sample for MACTrac Service

    Posted Apr 17, 2014 03:10 PM

    My MAC authentication was set to none. I changed it to be hyphen. The only change I see with that is that the computer I am using to test now hits our guest portal. So I feel like it's gone the correct direction at least. But instead of authenticating it just goes straight to our captive portal.