Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Configuring an open SSID with MAC authentication

  • 1.  Configuring an open SSID with MAC authentication

    Posted Feb 22, 2017 01:09 PM

    I am intending to allow a few legacy devices on an open SSID; however, I would want to have MAC authentication enabled to prevent unwanted users from connecting to this SSID.

    For this:

    • I have created a VAP profile with SSID for open authentication.
    • Created a MAC authentication profile (Security --> Authentication -->  L2 Authentication --> MAC Authentication)
    • Added the MAC address of the end host which needs to get connected on the open SSID (Security --> Authentication --> Servers --> Internal database --> add user --> have added the MAC address of the end host in username and password and added it).

    From here I am lost. What should I be doing to have this end host mac address be mapped against the VAP profile?

     

    As always appreciate valuable responses here.

     

    Thanks



  • 2.  RE: Configuring an open SSID with MAC authentication



  • 3.  RE: Configuring an open SSID with MAC authentication

    Posted Feb 22, 2017 02:07 PM

    Thanks Joseph

    C. Map this MAC authentication profile into the respective aaa profile.

    Example:

    aaa profile <profile name>
    authentication-mac <profile name>

     

    After mapping the mac-authentication profile to the aaa profile of the VAP, what should the "initial role", "mac authentication default role", & "dot1x authentication default role" be mapped with as "user roles" in order to ensure that the users on the SSID are forced to undergo MAC authentication?



  • 4.  RE: Configuring an open SSID with MAC authentication
    Best Answer

    EMPLOYEE
    Posted Feb 22, 2017 02:21 PM

    The initial role is what users will get if they do not pass mac authentication.  The mac authentication role is what they will get if they pass.  All devices will be mac authenticated and get the mac authentication role if they pass mac authentication.



  • 5.  RE: Configuring an open SSID with MAC authentication

    Posted Feb 28, 2017 06:12 AM

    As Coli said - initial role is the role every device that connects will be placed in, unless they pass the mac-auth and are placed in the mac-auth role.

    So for your case - create a denyall role and add that as your initial-role to prevent non-authorized devices from using the network.



  • 6.  RE: Configuring an open SSID with MAC authentication

    Posted Nov 17, 2017 07:39 PM

    Please allow me to be very explicit.  If a device fails MAC authentication, it will be placed in the role labeled "Initial role" in the Configuration > Security > Authentication > Profiles > AAA Profiles > <name>.  If a device passes MAC authentication, it is placed in the role specified as "MAC Authentication Default Role" in that same screen.  Is that correct?  Is there some other way I can verify that MAC authentication succeeded?



  • 7.  RE: Configuring an open SSID with MAC authentication

    EMPLOYEE
    Posted Nov 17, 2017 09:46 PM

    The way you mention is how you would validate that mac authentication has passed.  What is your workflow?
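
Added example, not part of the thread and not Aruba code: a Python check over exported `aaa profile` stanzas that flags the gap the replies describe, where a device that fails MAC authentication still lands in an initial role that passes traffic, or in the same role as a device that passes. The profile and role names, the sample configuration, the `DENY_ROLES` set and the default values assumed when a line is absent are all assumptions.

```python
import re

# Constructed sample in ArubaOS CLI style; all profile and role names are made up.
SAMPLE = '''
aaa profile "legacy-weak"
   initial-role "guest"
   authentication-mac "legacy-mac"
   mac-default-role "guest"
!
aaa profile "legacy-strict"
   initial-role "denyall"
   authentication-mac "legacy-mac"
   mac-default-role "legacy-devices"
!
'''
# Assumption: roles on this controller that block all traffic.
DENY_ROLES = {"denyall"}
# Assumed values when a line is absent from the stanza.
DEFAULTS = {"initial-role": "logon", "mac-default-role": "guest",
            "authentication-mac": None}

def parse_aaa_profiles(config):
    """Return {profile: {setting: value}} for each 'aaa profile' stanza."""
    profiles, current = {}, None
    for line in config.splitlines():
        head = re.match(r'^aaa profile "?([^"]+?)"?\s*$', line)
        if head:
            current = profiles.setdefault(head.group(1), dict(DEFAULTS))
        elif line[:1].isspace() and current is not None:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in DEFAULTS:
                current[parts[0]] = parts[1].strip().strip('"')
        elif line.strip():
            current = None  # any other top-level line ends the stanza
    return profiles

def audit(config):
    """Return {profile: [issues]} for profiles that do not enforce MAC auth."""
    findings = {}
    for name, p in parse_aaa_profiles(config).items():
        issues = []
        if not p["authentication-mac"]:
            issues.append("no MAC authentication profile attached")
        if p["initial-role"] not in DENY_ROLES:
            issues.append(f'initial role "{p["initial-role"]}" passes traffic')
        if p["initial-role"] == p["mac-default-role"]:
            issues.append("pass and fail land in the same role")
        if issues:
            findings[name] = issues
    return findings
```

Calling `audit(SAMPLE)` reports only `legacy-weak`; keeping the initial role and the MAC authentication default role distinct is also what makes a device's assigned role usable as evidence that it passed.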