Security

last person joined: 21 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

WPA2 PSK + MAC Authentication

This thread has been viewed 124 times

  • 1.  WPA2 PSK + MAC Authentication

    Posted Sep 17, 2018 11:05 AM

    Hi,

     

    I want to configure a ssid with wpa2 psk and mac authentication.

    But I have the problem that every client gets authenticated.

    I have attached some pictures, where you can see my configuration.

    I have version 8.3.0.0 installed on the controller

     

     

    Regards

    Christopher



  • 2.  RE: WPA2 PSK + MAC Authentication

    Posted Sep 17, 2018 11:15 AM
    You need to configure a denyall role and assign it as the initial role



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: WPA2 PSK + MAC Authentication

    Posted Sep 17, 2018 12:06 PM

    Hi Victor,

     

    I have created a denyall role and configured this as initial role.

    The clients still get authenticated and get ip addresses.

    I have attached some pictures again.



  • 4.  RE: WPA2 PSK + MAC Authentication

    Posted Oct 04, 2019 09:04 AM

    Christopher - I seem to be having this same issue, did you ever figure out the solution?

     

    I’m running 8.3 or greater.  Want both MAC and PSK authentication.  After PSK entry, client connects whether there is a User in the local database or not.

     

    This article isn’t helping me: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-MAC-based-authentication-on-Aruba/ta-p/182430



  • 5.  RE: WPA2 PSK + MAC Authentication

    Posted Oct 04, 2019 11:05 AM
      |   view attached

    Here is the configuration for a MAC + PSK SSID. I have attached the configuration as well.

     

    // Create an SSID Profile

     

    (A_RAK_Master) ^[mynode] (config) #wlan ssid-profile MAC-PSK-SSID
    (A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #essid A-RAK_MAC-PSK
    (A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #wpa-passphrase Savetheturtles
    (A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #opmode wpa2-psk-aes
    (A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #exit

     

    // Create a mac authentication profile. In my case i enter the mac as aa:bb:cc:dd:ee:ff

     

    (A_RAK_Master) ^[mynode] (config) #aaa authentication mac MAC-PSK-AUTH
    (A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #delimiter colon
    (A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #case lower
    (A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #exit

     

    // Create the ACL for Initial Role

     

    (A_RAK_Master) ^[mynode] (config) #ip access-list session MAC-PSK-INITIAL_ACL
    (A_RAK_Master) ^[mynode] (config-submode)#any any any deny
    (A_RAK_Master) ^[mynode] (config-submode)#exit

     

    // Map the ACL to the Initial Role

     

    (A_RAK_Master) ^[mynode] (config) #user-role MAC-PSK-INITIAL
    (A_RAK_Master) ^[mynode] (config-submode)# access-list session MAC-PSK-INITIAL_ACL
    (A_RAK_Master) ^[mynode] (config-submode)#exit

     

    // Create the ACL for Default Role

     

    (A_RAK_Master) ^[mynode] (config) #ip access-list session MAC-PSK-DEFAULT_ACL
    (A_RAK_Master) ^[mynode] (config-submode)#any any any permit
    (A_RAK_Master) ^[mynode] (config-submode)#exit

     

    // Map the ACL to the Default Role

     

    (A_RAK_Master) ^[mynode] (config) #user-role MAC-PSK-DEFAULT
    (A_RAK_Master) ^[mynode] (config-submode)#access-list session MAC-PSK-DEFAULT_ACL
    (A_RAK_Master) ^[mynode] (config-submode)#exit

     

    // If using internal database on the controller to authenticate the devices

    // Create AAA the Server Group to point to the internal database

    (A_RAK_Master) ^[mynode] (config) #aaa server-group MAC-PSK-SERVER-GROUP
    (A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-SERVER-GROUP") #auth-server internal
    (A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-SERVER-GROUP") #exit

     

    // If using clearpass/any external server capable of mac authentication

                  // Create the aAA Authentication server for clearpass

     

    (A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #aaa authentication-server radius CLEARPASS
    (A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #host 192.115.23.45
    (A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #key savetheturtles
    (A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #exit

     

    // Create the Server Group to point to CLEARPASS

    (A_RAK_Master) ^[mynode] (config) #aaa server-group MAC-PSK-CLEARPASS
    (A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #auth-server CLEARPASS
    (A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #exit

     

    // Create the AAA Profile and map neccessary profiles

     

    (A_RAK_Master) ^[mynode] (config) #aaa profile MAC-PSK-AAA
    (A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #initial-role MAC-PSK-INITIAL
    (A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #mac-default-role MAC-PSK-DEFAULT
    (A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #mac-server-group MAC-PSK-SERVER-GROUP
    (A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #authentication-mac MAC-PSK-AUTH
    (A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #authentication-dot1x default
    (A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #exit

     

    // Create the Virtual AP Profile and map the AAA ,SSID profiles and assign a VLAN

     

    (A_RAK_Master) ^[mynode] (config) #wlan virtual-ap MAC-PSK
    (A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #aaa-profile MAC-PSK-AAA
    (A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #ssid-profile MAC-PSK-SSID
    (A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #vlan 5,1,8 // to map multiple vlans use the comma
    (A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #exit

     

    // Create an AP Group and map the Virtual AP Profile

     

    (A_RAK_Master) ^[mynode] (config) #ap-group MAC-PSK
    (A_RAK_Master) ^[mynode] (AP group "MAC-PSK") #virtual-ap MAC-PSK

     

    // Save the Configuration

     

    (A_RAK_Master) ^[mynode] (AP group "MAC-PSK") #write mem

     

     

    --Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
    --Problem Solved? Click "Accepted Solution" in a post.

     

    Attachment(s)

    txt
    mac+psk.txt   4 KB 1 version


  • 6.  RE: WPA2 PSK + MAC Authentication

    Posted Jan 05, 2022 12:05 PM
    I know this is old. I did what Mr.RFC said, but my phone (using as test) won't authenticate at all. I'm quite sure it's with the mac auth portion. Are there debug commands to see what is going on? Running Version 8.8.0.1. I do have the phone mac address in the internal db, using same format as (colon, lower case).

    ------------------------------
    Mark Reimer
    ------------------------------

    Original Message


  • 7.  RE: WPA2 PSK + MAC Authentication

    EMPLOYEE
    Posted Jan 06, 2022 09:48 AM
    What is the output of 'show auth-tracebuf'? There you can see the username being sent. Also, for MAC auth make sure you have an account that has the username and password both set to the mac address in the right format (colon, lower case if that is what you configured).

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


  • 8.  RE: WPA2 PSK + MAC Authentication

    Posted Jan 06, 2022 10:21 AM
    I found the problem why I couldn't authenticate. My phone was set to random mac address. My bad.

    Thanks for the help.




    Original Message


  • 9.  RE: WPA2 PSK + MAC Authentication

    Posted Jan 06, 2022 10:25 AM
    But I have come up with another issue. A device that does not have a static entry in the internal database is able to authenticate. I think it's because that device has a cache entry (from another SSID) in the database. So the cache entry is allowing the device that I don't want to authenticate, to authenticate.

    Is there a solution to this issue? Or am I barking up the wrong tree? Perhaps changing the role in the internal database will do it (but change it to what???)?

    Thanks for the help.



    Original Message


  • 10.  RE: WPA2 PSK + MAC Authentication

    Posted Sep 18, 2018 02:39 AM

    Hi,

     

    do you have a configuration example for WPA2 PSK + MAC authentication (Internal on the controller)?

     

    Regards

    Christopher



  • 11.  RE: WPA2 PSK + MAC Authentication

    EMPLOYEE


  • 12.  RE: WPA2 PSK + MAC Authentication

    Posted Sep 18, 2018 05:33 AM

    Yes I have configured it as in this forum topic and I have add one mac as a user

    But still every client can connect with the wpa 2 psk and mac authentication is still not working.

     

     



  • 13.  RE: WPA2 PSK + MAC Authentication

    Posted Mar 13, 2019 02:50 PM

    I just noticed that I have a PSK-MAC-auth SSID with way too many connected users and stumbled onto this thread looking for help.

     

    I'm running 6.4 and 6.5 on my controllers and found Victor Fabian's tip to work for me - I changed the initial role from "logon" to "denyall" (default role) - rather than bounce the users off the wireless, I'm just waiting for them to re-auth and I watching them drop off one-by-one.

     

    A difference in my situation is that I'm using ClearPass for the MAC auth - otherwise my configuration looks pretty much like OP.