Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Dual authentication - MAC and Active Directory

  • 1.  Dual authentication - MAC and Active Directory

    Posted May 25, 2016 03:21 PM

    Currently we have five SSIDs:

    Guest - captive portal authentication to a guest VLAN

    Device - MAC authentication via the internal DB to the same guest VLAN (for Blu-Ray players and other devices that can't do the captive portal)

    Kiosk - MAC authentication via RADIUS/Active Directory to the internal LAN

    HC - 802.1x Active Directory authentication through RADIUS to the internal LAN

    Rehab - MAC authentication to the internal LAN (same as Kiosk, SSID still exists for legacy reasons only)


    I would like to consolidate to two SSIDs:

    Public - authenticate via MAC->Internal DB or captive portal

    Private - authenticate via MAC->RADIUS->AD, or via 802.1x->RADIUS->AD

    The idea behind this Private authentication scheme is that we can either pre-configure tablets for wireless authentication before shipping them out to our various locations, or people can BYOD and get on the internal network with their normal AD credentials.

    I'm currently testing this in a lab environment. Public is working exactly the way I want it to, no issues. Public does not work. Depending on configuration, I either get the captive portal instead of 802.1x authentication, or I am completely unable to connect to the network at all.

    I have a case open, and have not yet gotten a resolution.

    Relevant config:

    ap-group "DualSSIDTest"
        virtual-ap "EmpResPublic"
        virtual-ap "EmpResPrivate"
        dot11a-traffic-mgmt-profile "TM-default"
        dot11g-traffic-mgmt-profile "TM-default"

    wlan virtual-ap "EmpResPrivate"
        aaa-profile "EmpResPrivate"
        ssid-profile "EmpResPrivate"
        vlan 101
        band-steering
        dynamic-mcast-optimization
        broadcast-filter all

    wlan virtual-ap "EmpResPublic"
        aaa-profile "EmpResPublic"
        ssid-profile "EmpResPublic"
        vlan 102
        band-steering
        dynamic-mcast-optimization
        broadcast-filter all

    aaa profile "EmpResPrivate"
        authentication-mac "KioskDevice-macauth-profile"
        mac-server-group "EmpResKiosk-group"
        authentication-dot1x "EmpResHC-dot1x_prof"
        dot1x-default-role "authenticated"
        dot1x-server-group "EmpResHC"
        l2-auth-fail-through

    aaa server-group "EmpResKiosk-group"
        allow-fail-through
        auth-server Internal
        auth-server Radius01-MacAuth
        auth-server Radius02-MacAuth

    aaa server-group "EmpResHC"
        auth-server Radius01
        auth-server Radius02

    aaa profile "EmpResPublic"
        initial-role "guest-logon"
        authentication-mac "Device"
        mac-server-group "Device"
        l2-auth-fail-through

    aaa server-group "Device"
        auth-server internal

  • 2.  RE: Dual authentication - MAC and Active Directory

    EMPLOYEE
    Posted May 25, 2016 03:31 PM
    You can use MAC as authorization source with 802.1X but you cannot use non-1X devices on a 1X SSID.