Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wireless Mac Device Authentication

  • 1.  Wireless Mac Device Authentication

    Posted Nov 07, 2014 01:33 PM

    I am trying to set up Mac Auth in our environment, but don't seem to be having too much luck (I am not very familiar with Aruba to begin with). I currently have an SSID (Guest), which has users log in via a captive portal. The SSID is accessed with a preshared key (just to conserve IP addresses).

    I would like to have certain devices at the campus (possibly several labs of wireless devices) connect to this same SSID, but bypass the captive portal based on their Mac Address being in a certain group.

    I've created a Static Host List with the MAC addresses. However, I cannot seem to figure out a way to implement this list. Does anyone have any advice? Is this possible in the way that I am suggesting? Many thanks!



  • 2.  RE: Wireless Mac Device Authentication

    EMPLOYEE
    Posted Nov 07, 2014 02:02 PM

    Use the Allow All MAC Auth method, add Static Host Lists as an authorization source and then add a rule at the top of your enforcement policy that checks to see if the MAC address belongs to that group.

     

    [Attached screenshot: connection-mac-belongsto.JPG]



  • 3.  RE: Wireless Mac Device Authentication

    Posted Nov 12, 2014 05:31 AM
    But would that bypass the captive portal we currently have for Guests on that SSID, or would something like this require a totally separate SSID? We want to keep the captive portal on the SSID, but if the system sees a MAC address that is allowed to connect to the SSID, the device bypasses that SSID and is placed in some role. The current setup is an Instant AP cluster that we manage with a Template in Airwave.
    Guests connecting to their SSID have rules in ClearPass that require ALL matched:

    Radius:IETF____Calling-Station-Id____EXISTS
    Connection____Client-Mac-Address_____NOT EQUALS____ %{Radius:IETF:User-Name}
    Radius:Aruba___Aruba-Essid-Name____EQUALS____Guest

    -Dave


  • 4.  RE: Wireless Mac Device Authentication

    EMPLOYEE
    Posted Nov 12, 2014 06:27 AM
    Yes, as long as the rule is higher than your guest rules in the enforcement policy.
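
Added illustration, not part of any post in this thread and not ClearPass code: a small Python model of why the static-host-list rule has to sit above the guest rule, assuming the enforcement policy stops at the first matching rule. The MAC addresses are constructed samples, and the role names (`lab-device`, `captive-portal`) and the guest rule's ESSID condition are assumptions.

```python
import re
from typing import Callable, NamedTuple

# Constructed sample entries, written in two notations on purpose.
LAB_DEVICES = {"00:1A:2B:3C:4D:5E", "001a.2b3c.4d5f"}

def normalize_mac(mac: str) -> str:
    """Reduce colon, dash or dot notation to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

# Stand-in for the Static Host List used as an authorization source.
STATIC_HOST_LIST = frozenset(normalize_mac(m) for m in LAB_DEVICES)

class Rule(NamedTuple):
    name: str
    matches: Callable[[dict], bool]
    role: str  # hypothetical role names, not taken from the thread

def in_host_list(req: dict) -> bool:
    return normalize_mac(req["client_mac"]) in STATIC_HOST_LIST

def on_guest_ssid(req: dict) -> bool:
    return req["essid"] == "Guest"

ALLOWLIST = Rule("mac-in-static-host-list", in_host_list, "lab-device")
GUEST = Rule("guest-ssid", on_guest_ssid, "captive-portal")

def evaluate(policy: list, req: dict, default: str = "deny") -> str:
    """First-applicable evaluation: the first matching rule decides the role."""
    for rule in policy:
        if rule.matches(req):
            return rule.role
    return default

ALLOWLIST_FIRST = [ALLOWLIST, GUEST]  # ordering recommended in the replies
GUEST_FIRST = [GUEST, ALLOWLIST]      # allowlist rule is never reached

def compare(req: dict) -> tuple:
    """Role under each ordering, for the same request."""
    return evaluate(ALLOWLIST_FIRST, req), evaluate(GUEST_FIRST, req)

if __name__ == "__main__":
    for mac in ("00-1a-2b-3c-4d-5e", "aa:bb:cc:dd:ee:ff"):
        print(mac, compare({"client_mac": mac, "essid": "Guest"}))
```

With the guest rule first, a listed device still lands in the captive-portal role because evaluation never reaches the allowlist rule.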


  • 5.  RE: Wireless Mac Device Authentication
    Best Answer

    Posted Nov 07, 2014 02:03 PM

    Try the following:

    Make sure that in the controller you define:

    - Mac auth profile

    - Mac authentication server - ClearPass Server

    [Attached screenshots: 2014-11-07 13_56_05-ClearPass Policy Manager - Aruba Networks.png, 2014-11-07 13_56_25-ClearPass Policy Manager - Aruba Networks.png]



  • 6.  RE: Wireless Mac Device Authentication

    Posted Nov 13, 2014 09:43 AM

    Thanks everyone. It took some playing around, but we were missing the Mac Caching and a few other options. This did help though. So now we have some mac devices that bypass the captive portal and are placed in a separate VLAN.

     

     

    Thanks!