Wireless Access


802.1X auth + MAC auth

Hey,

Is it possible to mix

802.1X authentication on the RADIUS server + MAC authentication in the local DB?

And if it is possible, will this not allow users with a registered MAC address to access the Guest SSID freely (in the case of using a captive portal)?


Raouf CHAHBOUNE
ICT Network & Security Engineer
CCNP R/S | CCNA Security | ACMP|ACCP|ACDX



[If my post is helpful please give kudos, or mark as solved if it answers your post.]


All Replies
Moderator

Re: 802.1X auth + MAC auth

No. You would need ClearPass to do MAC authorization with 802.1X


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |


Re: 802.1X auth + MAC auth

I thought it was possible.
I already tried PSK + MAC auth (local DB) and it works.
Why is 802.1X authentication different?


Raouf CHAHBOUNE
ICT Network & Security Engineer
CCNP R/S | CCNA Security | ACMP|ACCP|ACDX



[If my post is helpful please give kudos, or mark as solved if it answers your post.]
Moderator

Re: 802.1X auth + MAC auth

Not sure what you're asking here.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Moderator

Re: 802.1X auth + MAC auth

With PSK there is no identity. 802.1X uses a user or device identity. MAC address can only be used as authorization information after a successful authentication to derive a final role.

You will need a policy engine like ClearPass to do what you are asking.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |


Re: 802.1X auth + MAC auth (accepted solution)

This is not possible on a WLAN... this can work on a wired LAN.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos


Valued Contributor II

Re: 802.1X auth + MAC auth (accepted solution)

Hi,

It is absolutely possible to configure both MAC and dot1x together. It is even possible to configure MAC auth with the internal server and dot1x with an external RADIUS server.

The trick is the post-auth role of MAC authentication: change it to the logon role so that it can allow the required traffic; otherwise, if it is a guest role, you may have issues.

In the output below you can see that I have enabled both MAC and dot1x auth in the AAA profile, and in the auth trace buffer you can see both are successful.

Hope you got the answer; feel free to ask further questions if you have any.

Cheers,

Venu Puduchery

For your reference:

 

(Aruba3200) #show aaa profile MyAAA

AAA Profile "MyAAA"
-------------------
Parameter Value
--------- -----
Initial role logon
MAC Authentication Profile MyMAC
MAC Authentication Default Role logon
MAC Authentication Server Group internal
802.1X Authentication Profile Mydot1x
802.1X Authentication Default Role authenticated
802.1X Authentication Server Group MyServer
Download Role from CPPM Disabled
L2 Authentication Fail Through Disabled
Multiple Server Accounting Disabled
User idle timeout N/A
RADIUS Accounting Server Group N/A
RADIUS Interim Accounting Disabled
XML API server N/A
RFC 3576 server N/A
User derivation rules N/A
Wired to Wireless Roaming Enabled
SIP authentication role N/A
Device Type Classification Enabled
Enforce DHCP Disabled
PAN Firewall Integration Disabled

Dec 4 19:26:03 station-down * 40:30:04:83:fa:21 24:de:c6:b9:62:18 - -
Dec 4 19:26:20 mac-auth-req -> 40:30:04:83:fa:21 24:de:c6:b9:62:18 - -
Dec 4 19:26:20 mac-auth-success <- 40:30:04:83:fa:21 24:de:c6:b9:62:18 - -
Dec 4 19:26:20 station-up * 40:30:04:83:fa:21 24:de:c6:b9:62:18 - - wpa2 aes
Dec 4 19:26:20 station-term-start * 40:30:04:83:fa:21 24:de:c6:b9:62:18 10 -
Dec 4 19:26:25 client-finish -> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - -
Dec 4 19:26:25 server-finish <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 61
Dec 4 19:26:25 server-finish-ack -> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - -
Dec 4 19:26:25 inner-eap-id-req <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 35
Dec 4 19:26:25 inner-eap-id-resp -> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - - jack
Dec 4 19:26:25 eap-mschap-chlg <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 67
Dec 4 19:26:25 eap-mschap-response -> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x 8 49
Dec 4 19:26:25 mschap-request -> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x 8 - jack
Dec 4 19:26:25 mschap-response <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Myradius - - jack
Dec 4 19:26:25 eap-mschap-success <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 83
Dec 4 19:26:25 eap-mschap-success-ack-> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - -
Dec 4 19:26:25 eap-tlv-rslt-success <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 43
Dec 4 19:26:25 eap-tlv-rslt-success -> 40:30:04:83:fa:21 24:de:c6:b9:62:18 - 2
Dec 4 19:26:25 eap-success <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 4
Dec 4 19:26:25 wpa2-key1 <- 40:30:04:83:fa:21 24:de:c6:b9:62:18 - 117
Dec 4 19:26:25 wpa2-key2 -> 40:30:04:83:fa:21 24:de:c6:b9:62:18 - 117
Dec 4 19:26:25 wpa2-key3 <- 40:30:04:83:fa:21 24:de:c6:b9:62:18 - 151
Dec 4 19:26:25 wpa2-key4 -> 40:30:04:83:fa:21 24:de:c6:b9:62:18 - 95


Cheers,
Venu Puduchery,
[Has my post helped you? Give kudos :) ]

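Worked example, added here and not code from the thread or an Aruba tool. It parses auth-trace lines in the format Venu posted and applies a simplified model of the AAA profile he shows: the station starts in the initial role, moves to the MAC Authentication Default Role on mac-auth-success, and to the 802.1X Authentication Default Role on eap-success. That model is an assumption (ArubaOS's real precedence with server-derived roles, user derivation rules and fail-through is not modelled), but it is enough to illustrate both Tim's point that a MAC result only shapes the role after authentication, and Venu's advice to make the MAC default role logon rather than guest: a station that passed MAC auth but never completed 802.1X stays in the MAC default role, so that role decides what a merely registered MAC can reach. The second station aa:bb:cc:00:11:22 and its lines are constructed for this example; the first address on each line is assumed to be the client and the second the BSSID, as in the posted trace.

```python
"""Added example, not from the thread: parse ArubaOS-style auth-trace lines
and derive each station's role under a simplified model of the AAA profile
shown above (initial role -> MAC-auth default role -> 802.1X default role)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample trace, modelled on the lines Venu posted. The first
# station is his client; the second (aa:bb:cc:00:11:22) is invented here to
# show a device that passes MAC auth but never completes 802.1X.
SAMPLE_TRACE = """\
Dec 4 19:26:20 mac-auth-req -> 40:30:04:83:fa:21 24:de:c6:b9:62:18 - -
Dec 4 19:26:20 mac-auth-success <- 40:30:04:83:fa:21 24:de:c6:b9:62:18 - -
Dec 4 19:26:20 station-up * 40:30:04:83:fa:21 24:de:c6:b9:62:18 - - wpa2 aes
Dec 4 19:26:25 inner-eap-id-resp -> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - - jack
Dec 4 19:26:25 eap-mschap-success-ack-> 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - -
Dec 4 19:26:25 eap-success <- 40:30:04:83:fa:21 24:de:c6:b9:62:18/Mydot1x - 4
Dec 4 19:26:25 wpa2-key4 -> 40:30:04:83:fa:21 24:de:c6:b9:62:18 - 95
Dec 4 19:27:02 mac-auth-req -> aa:bb:cc:00:11:22 24:de:c6:b9:62:18 - -
Dec 4 19:27:02 mac-auth-success <- aa:bb:cc:00:11:22 24:de:c6:b9:62:18 - -
Dec 4 19:27:02 station-up * aa:bb:cc:00:11:22 24:de:c6:b9:62:18 - - wpa2 aes
Dec 4 19:27:02 station-term-start * aa:bb:cc:00:11:22 24:de:c6:b9:62:18 10 -
"""

# Fields: timestamp, event, direction, client MAC, BSSID, optional /profile,
# remainder. Assumption: the first address is the client and the second the
# AP BSSID. The "\s*" before the arrow copes with lines like "...-ack->".
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+?)\s*(->|<-|\*) "
    r"([0-9a-f:]{17}) ([0-9a-f:]{17})(?:/(\S+))? (.*)$"
)


@dataclass
class Event:
    ts: str
    event: str
    direction: str
    station: str
    bssid: str
    profile: Optional[str]
    rest: str


@dataclass
class AAAProfile:
    # Defaults taken from Venu's "show aaa profile MyAAA" output.
    initial_role: str = "logon"
    mac_default_role: str = "logon"
    dot1x_default_role: str = "authenticated"


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    return Event(*m.groups()) if m else None


def by_station(trace: str) -> Dict[str, List[Event]]:
    """Group parsed events by client MAC, skipping lines that do not parse."""
    groups: Dict[str, List[Event]] = defaultdict(list)
    for line in trace.splitlines():
        ev = parse_line(line)
        if ev:
            groups[ev.station].append(ev)
    return dict(groups)


def derive_role(events: List[Event], profile: AAAProfile) -> Tuple[str, bool, bool]:
    """Simplified role derivation (an assumption, not ArubaOS's full precedence
    logic): each successful L2 stage replaces the role with its default role."""
    mac_ok = any(e.event == "mac-auth-success" for e in events)
    dot1x_ok = any(e.event == "eap-success" for e in events)
    role = profile.initial_role
    if mac_ok:
        role = profile.mac_default_role
    if dot1x_ok:
        role = profile.dot1x_default_role
    return role, mac_ok, dot1x_ok


def audit(trace: str, profile: AAAProfile) -> Dict[str, Tuple[str, bool, bool]]:
    return {mac: derive_role(evs, profile) for mac, evs in by_station(trace).items()}


def mac_only_stations(result: Dict[str, Tuple[str, bool, bool]]) -> List[str]:
    """Stations that passed MAC auth but never reached eap-success: the case the
    original poster worried about. Their access is whatever the MAC default
    role permits, which is why that role should be logon, not guest."""
    return sorted(mac for mac, (_, mac_ok, dot1x_ok) in result.items()
                  if mac_ok and not dot1x_ok)


if __name__ == "__main__":
    for prof in (AAAProfile(), AAAProfile(mac_default_role="guest")):
        result = audit(SAMPLE_TRACE, prof)
        print(f"MAC default role = {prof.mac_default_role}")
        for mac, (role, mac_ok, dot1x_ok) in result.items():
            print(f"  {mac}  mac_auth={mac_ok}  dot1x={dot1x_ok}  role={role}")
        print("  MAC-only stations:", mac_only_stations(result))
```

Running it shows the registered-but-unauthenticated station landing in logon with Venu's profile and in guest when the MAC default role is a guest role; the same parser can be pointed at a real trace buffer to list stations that only ever got as far as MAC auth.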

Moderator

Re: 802.1X auth + MAC auth

While it may work, the behavior is not predictable and adds immense complication. It also does not scale.


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: 802.1X auth + MAC auth

Hi rchahboune,

How can you configure PSK + MAC auth? I tried on OS 8.3 but it did not work.

Thank you.

New Contributor

Re: 802.1X auth + MAC auth

Hi Venu,

It is a very old thread, but I have a similar problem.

Is this solution possible with IAP? I ask because your solution seems to be for a mobility controller.

We have 802.1X authentication on an SSID.

But if I select "Authentication server 2: InternalServer" (I have previously entered their MAC addresses in the local DB) and check "perform MAC authentication before 802.1X", users cannot connect; they don't even get the pop-up to enter their username and password.

Thanks
