WPA2 PSK + MAC Authentication
09-17-2018 08:04 AM
Hi,
I want to configure an SSID with WPA2 PSK and MAC authentication.
But I have the problem that every client gets authenticated.
I have attached some pictures, where you can see my configuration.
I have version 8.3.0.0 installed on the controller.
Regards
Christopher
Re: WPA2 PSK + MAC Authentication
09-17-2018 08:14 AM
Thank you
Victor Fabian
Pardon typos sent from Mobile
Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Re: WPA2 PSK + MAC Authentication
09-17-2018 09:05 AM
Hi Victor,
I have created a denyall role and configured this as the initial role.
The clients still get authenticated and get IP addresses.
I have attached some pictures again.
Re: WPA2 PSK + MAC Authentication
09-17-2018 11:38 PM
Hi,
Do you have a configuration example for WPA2 PSK + MAC authentication (internal on the controller)?
Regards
Christopher
Re: WPA2 PSK + MAC Authentication
09-18-2018 12:19 AM
Have you seen the article here? http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-MAC-based-authentication-on-Aruba/ta-p/182430
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Re: WPA2 PSK + MAC Authentication
09-18-2018 02:32 AM
Yes, I have configured it as in this forum topic and I have added one MAC as a user.
But still every client can connect with the WPA2 PSK, and MAC authentication is still not working.
Re: WPA2 PSK + MAC Authentication
03-13-2019 11:49 AM
I just noticed that I have a PSK-MAC-auth SSID with way too many connected users and stumbled onto this thread looking for help.
I'm running 6.4 and 6.5 on my controllers and found Victor Fabian's tip to work for me - I changed the initial role from "logon" to "denyall" (default role) - rather than bounce the users off the wireless, I'm just waiting for them to re-auth and I'm watching them drop off one-by-one.
A difference in my situation is that I'm using ClearPass for the MAC auth - otherwise my configuration looks pretty much like OP.
if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Re: WPA2 PSK + MAC Authentication
10-04-2019 06:04 AM
Christopher - I seem to be having this same issue, did you ever figure out the solution?
I’m running 8.3 or greater. Want both MAC and PSK authentication. After PSK entry, client connects whether there is a User in the local database or not.
This article isn’t helping me: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-MAC-based-authentication-on-Aruba/ta-p/182430
Re: WPA2 PSK + MAC Authentication
10-04-2019 08:04 AM - edited 10-04-2019 08:07 AM
Here is the configuration for a MAC + PSK SSID. I have attached the configuration as well.
// Create an SSID Profile
(A_RAK_Master) ^[mynode] (config) #wlan ssid-profile MAC-PSK-SSID
(A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #essid A-RAK_MAC-PSK
(A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #wpa-passphrase Savetheturtles
(A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #opmode wpa2-psk-aes
(A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #exit
// Create a MAC authentication profile. In my case I enter the MAC as aa:bb:cc:dd:ee:ff
(A_RAK_Master) ^[mynode] (config) #aaa authentication mac MAC-PSK-AUTH
(A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #delimiter colon
(A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #case lower
(A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #exit
// Create the ACL for Initial Role
(A_RAK_Master) ^[mynode] (config) #ip access-list session MAC-PSK-INITIAL_ACL
(A_RAK_Master) ^[mynode] (config-submode)#any any any deny
(A_RAK_Master) ^[mynode] (config-submode)#exit
// Map the ACL to the Initial Role
(A_RAK_Master) ^[mynode] (config) #user-role MAC-PSK-INITIAL
(A_RAK_Master) ^[mynode] (config-submode)# access-list session MAC-PSK-INITIAL_ACL
(A_RAK_Master) ^[mynode] (config-submode)#exit
// Create the ACL for Default Role
(A_RAK_Master) ^[mynode] (config) #ip access-list session MAC-PSK-DEFAULT_ACL
(A_RAK_Master) ^[mynode] (config-submode)#any any any permit
(A_RAK_Master) ^[mynode] (config-submode)#exit
// Map the ACL to the Default Role
(A_RAK_Master) ^[mynode] (config) #user-role MAC-PSK-DEFAULT
(A_RAK_Master) ^[mynode] (config-submode)#access-list session MAC-PSK-DEFAULT_ACL
(A_RAK_Master) ^[mynode] (config-submode)#exit
// If using the internal database on the controller to authenticate the devices
// Create the AAA Server Group to point to the internal database
(A_RAK_Master) ^[mynode] (config) #aaa server-group MAC-PSK-SERVER-GROUP
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-SERVER-GROUP") #auth-server internal
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-SERVER-GROUP") #exit
// If using ClearPass/any external server capable of MAC authentication
// Create the AAA authentication server for ClearPass
(A_RAK_Master) ^[mynode] (config) #aaa authentication-server radius CLEARPASS
(A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #host 192.115.23.45
(A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #key savetheturtles
(A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #exit
// Create the Server Group to point to CLEARPASS
(A_RAK_Master) ^[mynode] (config) #aaa server-group MAC-PSK-CLEARPASS
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #auth-server CLEARPASS
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #exit
// Create the AAA Profile and map necessary profiles
(A_RAK_Master) ^[mynode] (config) #aaa profile MAC-PSK-AAA
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #initial-role MAC-PSK-INITIAL
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #mac-default-role MAC-PSK-DEFAULT
// Use MAC-PSK-CLEARPASS as the server group here instead when authenticating against ClearPass
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #mac-server-group MAC-PSK-SERVER-GROUP
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #authentication-mac MAC-PSK-AUTH
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #authentication-dot1x default
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #exit
// Create the Virtual AP Profile, map the AAA and SSID profiles, and assign a VLAN
(A_RAK_Master) ^[mynode] (config) #wlan virtual-ap MAC-PSK
(A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #aaa-profile MAC-PSK-AAA
(A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #ssid-profile MAC-PSK-SSID
// To map multiple VLANs, separate them with commas
(A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #vlan 5,1,8
(A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #exit
// Create an AP Group and map the Virtual AP Profile
(A_RAK_Master) ^[mynode] (config) #ap-group MAC-PSK
(A_RAK_Master) ^[mynode] (AP group "MAC-PSK") #virtual-ap MAC-PSK
// Save the Configuration
(A_RAK_Master) ^[mynode] (AP group "MAC-PSK") #write mem
--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
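An added example, not part of the thread or of any Aruba tooling: a Python check for the condition discussed above, a MAC-auth AAA profile whose initial role is not deny-only (the "logon" versus "denyall" difference reported earlier in the thread). It assumes a running-config style stanza layout mirroring the commands in the last post; the sample text and the names LAX-AAA, LAX-INITIAL and LAX_ACL are constructed.

```python
# Constructed sample in running-config stanza style (an assumption), reusing the
# post's names; LAX-AAA, LAX-INITIAL and LAX_ACL are made up for contrast.
SAMPLE = """\
ip access-list session MAC-PSK-INITIAL_ACL
    any any any deny
ip access-list session LAX_ACL
    any any svc-dhcp permit
user-role MAC-PSK-INITIAL
    access-list session MAC-PSK-INITIAL_ACL
user-role LAX-INITIAL
    access-list session LAX_ACL
aaa profile "MAC-PSK-AAA"
    initial-role "MAC-PSK-INITIAL"
    authentication-mac "MAC-PSK-AUTH"
aaa profile "LAX-AAA"
    initial-role "LAX-INITIAL"
    authentication-mac "MAC-PSK-AUTH"
"""

def stanzas(text, header):
    """Map stanza name -> indented body lines (quotes stripped) for one stanza type."""
    out, name = {}, None
    for line in text.splitlines():
        if line.startswith(header + " "):
            name = line[len(header):].strip().strip('"')
            out[name] = []
        elif line[:1].isspace() and name is not None:
            out[name].append(line.strip().replace('"', ""))
        else:
            name = None  # separator or unrelated line ends the current stanza
    return out

def audit(text):
    """(profile, initial_role, reason) for MAC-auth profiles whose initial role is not deny-only."""
    acls, roles = stanzas(text, "ip access-list session"), stanzas(text, "user-role")
    findings = []
    for prof, body in stanzas(text, "aaa profile").items():
        opts = dict(l.split(None, 1) for l in body if " " in l)
        role = opts.get("initial-role")
        if "authentication-mac" not in opts:
            continue
        if role not in roles:  # unset, or a predefined role absent from this export
            findings.append((prof, role, "initial role not defined in this config"))
            continue
        rules = [r for l in roles[role] if l.startswith("access-list session ")
                 for r in acls.get(l.split()[-1], [])]
        lax = [r for r in rules if "deny" not in r.split()]
        if lax:
            findings.append((prof, role, "non-deny rule: " + "; ".join(lax)))
    return findings
```

Calling `audit(SAMPLE)` reports only LAX-AAA. A role that is referenced but not defined in the export, such as a predefined one, is reported for manual review rather than assumed safe.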