Occasional Contributor I

WPA2 PSK + MAC Authentication

Hi,

I want to configure an SSID with WPA2 PSK and MAC authentication.

But I have the problem that every client gets authenticated.

I have attached some pictures where you can see my configuration.

I have version 8.3.0.0 installed on the controller.

Regards

Christopher

MVP Guru

Re: WPA2 PSK + MAC Authentication

You need to configure a denyall role and assign it as the initial role.

Thank you

Victor Fabian

Pardon typos sent from Mobile
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: WPA2 PSK + MAC Authentication

Hi Victor,

I have created a denyall role and configured it as the initial role.

The clients still get authenticated and get IP addresses.

I have attached some pictures again.

Occasional Contributor I

Re: WPA2 PSK + MAC Authentication

Hi,

Do you have a configuration example for WPA2 PSK + MAC authentication (internal on the controller)?

Regards

Christopher

Guru Elite

Re: WPA2 PSK + MAC Authentication

Occasional Contributor I

Re: WPA2 PSK + MAC Authentication

Yes, I have configured it as in this forum topic and I have added one MAC as a user.

But still every client can connect with the WPA2 PSK, and MAC authentication is still not working.
MVP Expert

Re: WPA2 PSK + MAC Authentication

I just noticed that I have a PSK-MAC-auth SSID with way too many connected users and stumbled onto this thread looking for help.

I'm running 6.4 and 6.5 on my controllers and found Victor Fabian's tip to work for me: I changed the initial role from "logon" to "denyall" (default role). Rather than bounce the users off the wireless, I'm just waiting for them to re-auth and I'm watching them drop off one by one.

A difference in my situation is that I'm using ClearPass for the MAC auth; otherwise my configuration looks pretty much like OP's.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
New Contributor

Re: WPA2 PSK + MAC Authentication

Christopher - I seem to be having this same issue, did you ever figure out the solution?

I'm running 8.3 or greater. I want both MAC and PSK authentication. After PSK entry, the client connects whether there is a user in the local database or not.

This article isn't helping me: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-MAC-based-authentication-on-Aruba/ta-p/182430

Regular Contributor I

Re: WPA2 PSK + MAC Authentication

Here is the configuration for a MAC + PSK SSID. I have attached the configuration as well.

// Create an SSID Profile

(A_RAK_Master) ^[mynode] (config) #wlan ssid-profile MAC-PSK-SSID
(A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #essid A-RAK_MAC-PSK
(A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #wpa-passphrase Savetheturtles
(A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #opmode wpa2-psk-aes
(A_RAK_Master) ^[mynode] (SSID Profile "MAC-PSK-SSID") #exit

// Create a MAC authentication profile. In my case I enter the MAC as aa:bb:cc:dd:ee:ff
// (the delimiter and case settings below must match how the MAC is stored in the user database)

(A_RAK_Master) ^[mynode] (config) #aaa authentication mac MAC-PSK-AUTH
(A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #delimiter colon
(A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #case lower
(A_RAK_Master) ^[mynode] (MAC Authentication Profile "MAC-PSK-AUTH") #exit

// Create the ACL for the Initial Role (deny all traffic until MAC auth succeeds)

(A_RAK_Master) ^[mynode] (config) #ip access-list session MAC-PSK-INITIAL_ACL
(A_RAK_Master) ^[mynode] (config-submode)#any any any deny
(A_RAK_Master) ^[mynode] (config-submode)#exit

// Map the ACL to the Initial Role

(A_RAK_Master) ^[mynode] (config) #user-role MAC-PSK-INITIAL
(A_RAK_Master) ^[mynode] (config-submode)#access-list session MAC-PSK-INITIAL_ACL
(A_RAK_Master) ^[mynode] (config-submode)#exit

// Create the ACL for the Default Role

(A_RAK_Master) ^[mynode] (config) #ip access-list session MAC-PSK-DEFAULT_ACL
(A_RAK_Master) ^[mynode] (config-submode)#any any any permit
(A_RAK_Master) ^[mynode] (config-submode)#exit

// Map the ACL to the Default Role

(A_RAK_Master) ^[mynode] (config) #user-role MAC-PSK-DEFAULT
(A_RAK_Master) ^[mynode] (config-submode)#access-list session MAC-PSK-DEFAULT_ACL
(A_RAK_Master) ^[mynode] (config-submode)#exit

// If using the internal database on the controller to authenticate the devices:
// Create the AAA server group to point to the internal database

(A_RAK_Master) ^[mynode] (config) #aaa server-group MAC-PSK-SERVER-GROUP
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-SERVER-GROUP") #auth-server internal
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-SERVER-GROUP") #exit

// If using ClearPass or any external server capable of MAC authentication:
// Create the AAA authentication server for ClearPass (from config mode)

(A_RAK_Master) ^[mynode] (config) #aaa authentication-server radius CLEARPASS
(A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #host 192.115.23.45
(A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #key savetheturtles
(A_RAK_Master) ^[mynode] (RADIUS Server "CLEARPASS") #exit

// Create the Server Group to point to CLEARPASS

(A_RAK_Master) ^[mynode] (config) #aaa server-group MAC-PSK-CLEARPASS
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #auth-server CLEARPASS
(A_RAK_Master) ^[mynode] (Server Group "MAC-PSK-CLEARPASS") #exit

// Create the AAA Profile and map the necessary profiles
// (use mac-server-group MAC-PSK-CLEARPASS instead if authenticating against ClearPass)

(A_RAK_Master) ^[mynode] (config) #aaa profile MAC-PSK-AAA
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #initial-role MAC-PSK-INITIAL
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #mac-default-role MAC-PSK-DEFAULT
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #mac-server-group MAC-PSK-SERVER-GROUP
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #authentication-mac MAC-PSK-AUTH
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #authentication-dot1x default
(A_RAK_Master) ^[mynode] (AAA Profile "MAC-PSK-AAA") #exit

// Create the Virtual AP Profile, map the AAA and SSID profiles, and assign a VLAN

(A_RAK_Master) ^[mynode] (config) #wlan virtual-ap MAC-PSK
(A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #aaa-profile MAC-PSK-AAA
(A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #ssid-profile MAC-PSK-SSID
(A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #vlan 5,1,8 // to map multiple VLANs, separate them with commas
(A_RAK_Master) ^[mynode] (Virtual AP profile "MAC-PSK") #exit

// Create an AP Group and map the Virtual AP Profile

(A_RAK_Master) ^[mynode] (config) #ap-group MAC-PSK
(A_RAK_Master) ^[mynode] (AP group "MAC-PSK") #virtual-ap MAC-PSK

// Save the Configuration

(A_RAK_Master) ^[mynode] (AP group "MAC-PSK") #write mem


--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
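The recurring fix in this thread is that the AAA profile's initial role must be deny-all; with the built-in "logon" role, clients that fail MAC auth still pass traffic and pick up DHCP addresses. The following Python lint is an added example, not code from the thread or from Aruba: it parses a running-config excerpt laid out like the blocks in the config above (session ACLs, user roles, AAA profiles) and flags any AAA profile whose initial role is not backed by deny-only ACLs. The sample config is constructed, and the block layout (header line, indented body, closing `!`) is an assumption about the show-run format.

```python
import re
# Constructed ArubaOS-style running-config excerpt (not from a real controller).
SAMPLE_CONFIG = """\
ip access-list session MAC-PSK-INITIAL_ACL
  any any any deny
!
ip access-list session MAC-PSK-DEFAULT_ACL
  any any any permit
!
user-role MAC-PSK-INITIAL
  access-list session MAC-PSK-INITIAL_ACL
!
user-role MAC-PSK-DEFAULT
  access-list session MAC-PSK-DEFAULT_ACL
!
aaa profile MAC-PSK-AAA
  initial-role MAC-PSK-INITIAL
  mac-default-role MAC-PSK-DEFAULT
!
aaa profile OPEN-AAA
  initial-role MAC-PSK-DEFAULT
!
"""
BLOCK_RE = re.compile(r"^(ip access-list session|user-role|aaa profile) (\S+)[ \t]*\n"
                      r"((?:[ \t][^\n]*\n?)*)", re.M)

def parse_blocks(text):
    """Map (block kind, name) -> its indented lines (assumed layout: header, body, '!')."""
    return {(kind, name): [l.strip() for l in body.splitlines()]
            for kind, name, body in BLOCK_RE.findall(text)}

def acl_is_deny_all(blocks, acl):
    rules = blocks.get(("ip access-list session", acl))  # unknown/empty ACL -> not closed
    return bool(rules) and all("deny" in r.split() for r in rules)

def role_is_closed(blocks, role):
    acls = [l.split()[-1] for l in blocks.get(("user-role", role), [])
            if l.startswith("access-list session")]
    return bool(acls) and all(acl_is_deny_all(blocks, a) for a in acls)

def check_aaa_profiles(text):
    """Return {aaa profile: reason} for profiles whose initial role is not deny-all."""
    blocks, findings = parse_blocks(text), {}
    for (kind, name), lines in blocks.items():
        if kind == "aaa profile":
            # ArubaOS falls back to the built-in 'logon' role when none is configured
            init = next((l.split()[1] for l in lines if l.startswith("initial-role")), "logon")
            if not role_is_closed(blocks, init):
                findings[name] = f"initial-role '{init}' is not deny-all: unauthenticated clients pass traffic"
    return findings
```

Running `check_aaa_profiles(SAMPLE_CONFIG)` reports only OPEN-AAA, whose initial role is the permit-all default role; a profile with no initial-role line is also reported because the built-in logon role is not defined as deny-all in the excerpt.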