Wireless Access

Reply
Highlighted
Regular Contributor I

Dual Authentication

At my workplace, we are migrating from HP MSM760 controller and system to an Aruba MM and MD-7030 setup.

 

My question today: How would Aruba suggest to authenticate hand-held device and printer automatically to a specific WLAN?  With the HP MSM760 system we used:

 

- Pre-Shared Key along with

- MAC Address list (to allow)

 

See attached screen shot.  We were infirmed from a previous thread thta we should create a username on the controller's database instead. 

 

 https://community.arubanetworks.com/t5/Wireless-Access/How-to-authenticate-devices-to-use-a-WLAN-by-MAC-Address/td-p/480382

 

But in our case we are trying to authenticate devices not people.  The printer or scanner is not going to enter a username on a web portal.  So my question is how can we use Aruba 8.3.0.3 to automatically authenticate a device to a specific SSID (WLAN) securely?

Regular Contributor I

Re: Dual Authentication

Are we suppose to add specific user's manually to each device.  What if there is no automatically remember my password settings from a printer?

 

What if the device is prompted ny the SSID to enter a password.  Is there another more automatic way?

 

In the previous case it was recommended not to use MAC addresses.  May I ask what else we can use instead for this scenario?

Guru Elite

Re: Dual Authentication

The devices connect with a preshared key.  In addition, the controller will do mac authentication of those devices.  The format to enter into the internal database to allow a device to connect via mac authentication is 

username: mac address

password: mac address

 

That is because the internal database was really for guests, so you must enter a username and password, but for mac authentication, the controller will obtain the mac address of the devices that tries to connect to the WPA2-PSK SSID and then compare it to the username/password in the internal database.

 

The printers or devices do not see a password prompt.  Entering the mac addresses in the database is only so that mac authentication can succeed.

 

I hope that helps.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Regular Contributor I

Re: Dual Authentication

Ok,

 

So if one creates:

 

1.  A user accont in the Aruba Controller internal database

        a.  MAC address for the username and the password for that user account.

 

2.  And a MAC Authenticatin profile to be used with that specific SSID.

 

Refernce: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-MAC-based-authentication-on-Aruba/ta-p/182430

 

Then the SSID will automatically accept the MAC address of the printer device as if it was a "MAC Address List".  Is that correct? 

 

If it is correct will we need to create a user account on each local controller (2 of them at each location)?  The majority of my confusion has to do with how the Aruba Wireless Network will recognize the user acocunts (MAC Addresses).  But it is starting to make more sense if we segment the process 1 stepa t a time.  Are the above 2 steps correct?

 

Guru Elite

Re: Dual Authentication

"Then the SSID will automatically accept the MAC address of the printer device as if it was a "MAC Address List".  Is that worrect? "  YES.

 

If it is correct will we need to create a user account on each local controller (2 of them at each location) - NO. the database is synchronized to each controller.

 

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Regular Contributor I

Re: Dual Authentication

Ok, so.... I am starting to understand teh requirements better.  Please confirm the below steps.  In order to authenticate via MAC address.


1.  Create a MAC Auth profile.
     a.  Step A. from:  https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-configure-MAC-based-authentication-on-Aruba/ta-p/182430

 

2.  Create the local username that will actually be used as a
    MAC address (not a username per say).  Step b.
    a.  * Using the CLI
    >local-userdb add username <macaddr> password <macaddr><enter>
    b.  Is it correct, if one adds a user account at 1 controller (internal database) then the same account will be replicated to the other local controller?
  
3.  Then Map the MAC Authenticaiton profile (created in step 1) into the respective AAA profile (Step C).
    a.  Create a new aaa profile
    >aaa profile <profile name><enter>
    >authentication-mac <profile name from step1 above><Enter>
  
Will the above plan provide the options to authe ticate from a passphrase & MAC Authentication?  Or just from the MAC Authentication?
 
In our case we have 2 x Mobility Masters and then 4 different geographical sites (groups) where there are 2 local controllers at each site/group.  
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: