Community Home > Discuss > Technology > Security > User Roles and WPA2-PSK

Security

Reply
exd42062
Occasional Contributor II
exd42062

User Roles and WPA2-PSK

‎11-15-2014 04:43 PM

How is user role determined from WPA2-PSK method of authentication?

 

 

Alert a Moderator
Message 1 of 8
2,972 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: User Roles and WPA2-PSK

‎11-15-2014 04:46 PM

By default, the user-role is what is defined as the initial role in the AAA profile. You can also use user derivation rules or RADIUS with MAC authentication for dynamic role assignment.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Alert a Moderator
Message 2 of 8
2,972 Views
Reply
exd42062
Occasional Contributor II
exd42062

Re: User Roles and WPA2-PSK

‎11-15-2014 04:48 PM

Ahhhh....so you can't define a post-authentication role for that method? 

Alert a Moderator
Message 3 of 8
2,971 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: User Roles and WPA2-PSK

‎11-15-2014 05:02 PM

No, because no authentication has occurred. You would need to add MAC authentication.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Alert a Moderator
Message 4 of 8
2,956 Views
Reply
0 Kudos
osinstructor@gmail.com
New Contributor
osinstructor@gmail.com

Re: User Roles and WPA2-PSK

‎03-21-2017 12:22 AM

Hi Tim.

 

Does this mean you can do PSK auth, have a device get the AAA initial role, then have that role subsequently changed by a user derivation rule?   It says in the docs that user derivation rules apply pre-authentication, I thought that meant it would only apply to open SSID users.  Please confirm.  thank you.

 

Neal

Alert a Moderator
Message 5 of 8
1,969 Views
Reply
0 Kudos
Guru Elite Guru Elite
Guru Elite
cappalli

Re: User Roles and WPA2-PSK

‎03-21-2017 08:20 AM

Yes, the deriviation rule would be evaluated.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Alert a Moderator
Message 6 of 8
1,954 Views
Reply
MVP Expert
MVP Expert
fjulianom

Re: User Roles and WPA2-PSK

‎07-14-2017 09:16 AM

Hi Tim,

 

You said:

 

No, because no authentication has occurred.

 

With WPA2-PSK you must enter the preshared key when you connecto to the network and the controller checks that preshared key, it is correct you can access the network, otherwise you can't. For me this is a kind of authentication, do you mean an authentication based on user?

 

Regards,

Julián

Alert a Moderator
Message 7 of 8
1,706 Views
Reply
0 Kudos
joshcurrier
Occasional Contributor II
joshcurrier

Re: User Roles and WPA2-PSK

‎07-19-2017 07:36 AM

I think Tim means that no authentication has occurred against Clearpass.  I asked a similar question a while back here: https://community.arubanetworks.com/t5/Security/PSK-SSID-Endpoint-Repository-for-role-assignment/m-p/297425#M31804

 

Once MAC auth was configured, I was able to leverage additional authorization steps against Clearpass to determine which role the client should be getting.

Alert a Moderator
Message 8 of 8
1,658 Views
Reply
0 Kudos
Search Airheads
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

© Copyright 2018 Hewlett Packard Enterprise Development LP
All Rights Reserved.
Powered by Lithium