New Contributor

Assign Role if Auth fails

Hi,

I'm trying to create a configuration that will allow users to connect to the same SSID and then be dispatched into multiple VLANs based on MAC-Auth.

If MAC-Auth fails, the idea is to place the user in a default VLAN. That will allow us to register only specific MACs to gain access to some VLANs.

802.1x is not possible as it will require a change on the remote endpoint.

For the moment everything works well with the known MACs. RADIUS sends an Accept with the valid return attribute. Unfortunately, for an unknown MAC on the RADIUS we receive a reject and the user is deauthenticated...

Is there a way to change this?

Thank you

Best regards

Nicolas

Re: Assign Role if Auth fails

You are probably looking to replace [MAC Auth] with [Allow All MAC Auth], which will allow authentication for unknown MAC addresses as well.

Check this video on where to change it, and I think there is some explanation with it as well.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Occasional Contributor I

Re: Assign Role if Auth fails

Hello,

Thank you for your answer.

Sadly, I think something has been misunderstood: we do not have a ClearPass server in this topology.

Only a Mobility Controller (7205) which is forwarding MAC auth requests to an NPS.

As it is not possible on the NPS side to have an "allow all MAC auth", we would like to know if there is something like a "MAC Default Role" on the controller side which could be used as the user role even if we receive a MAC auth failure from NPS.

We tried that already but without success.

Any ideas?

Guru Elite

Re: Assign Role if Auth fails

Use the initial role.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: Assign Role if Auth fails

Hello,

That is what we did, of course. But it does not work.

We have opened a TAC case.

For information, our version is: 6.5.4.4

Apparently we would be in the presence of a bug. Waiting for confirmation.

Super Contributor I

Re: Assign Role if Auth fails

AFAIK the initial role is before authentication. If the NPS sends back a reject then you will not get the initial role anymore, right?

Cheers, Frank
Aruba Partner Ambassador| AMFX#22| ACCX#613| ACMX#733| ACDX#744

If you like my posts, kudo's are welcome. If it solves your problem, please click 'Accept as Solution'

Re: Assign Role if Auth fails

Unless you have L2 authentication fallback enabled, that is true. You could use that in this case.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).