Wireless Access

Dual authentication - MAC and Active Directory

Currently we have five SSIDs:

Guest - captive portal authentication to a guest VLAN

Device - MAC authentication via the internal DB to the same guest VLAN (for Blu-Ray players and other devices that can't do the captive portal)

Kiosk - MAC authentication via RADIUS/Active Directory to the internal LAN

HC - 802.1x Active Directory authentication through RADIUS to the internal LAN

Rehab - MAC authentication to the internal LAN (same as Kiosk, SSID still exists for legacy reasons only)


I would like to consolidate to two SSIDs:

Public - authenticate via MAC->Internal DB or captive portal

Private - authenticate via MAC->RADIUS->AD, or via 802.1X->RADIUS->AD

The idea behind this Private authentication scheme is that we can either pre-configure tablets for wireless authentication before shipping them out to our various locations, or people can BYOD and get on the internal network with their normal AD credentials.


I'm currently testing this in a lab environment. Public is working exactly the way I want it to, no issues. Private does not work. Depending on configuration, I either get the captive portal instead of 802.1X authentication, or I am completely unable to connect to the network at all.


I have a case open, and have not yet gotten a resolution.




Relevant config:


ap-group "DualSSIDTest"
   virtual-ap "EmpResPublic"
   virtual-ap "EmpResPrivate"
   dot11a-traffic-mgmt-profile "TM-default"
   dot11g-traffic-mgmt-profile "TM-default"

wlan virtual-ap "EmpResPrivate"
   aaa-profile "EmpResPrivate"
   ssid-profile "EmpResPrivate"
   vlan 101
   broadcast-filter all

wlan virtual-ap "EmpResPublic"
   aaa-profile "EmpResPublic"
   ssid-profile "EmpResPublic"
   vlan 102
   broadcast-filter all

aaa profile "EmpResPrivate"
   authentication-mac "KioskDevice-macauth-profile"
   mac-server-group "EmpResKiosk-group"
   authentication-dot1x "EmpResHC-dot1x_prof"
   dot1x-default-role "authenticated"
   dot1x-server-group "EmpResHC"

aaa server-group "EmpResKiosk-group"
   auth-server Internal
   auth-server Radius01-MacAuth
   auth-server Radius02-MacAuth

aaa server-group "EmpResHC"
   auth-server Radius01
   auth-server Radius02

aaa profile "EmpResPublic"
   initial-role "guest-logon"
   authentication-mac "Device"
   mac-server-group "Device"

aaa server-group "Device"
   auth-server internal

Re: Dual authentication - MAC and Active Directory

You can use MAC as an authorization source with 802.1X, but you cannot use non-1X devices on a 1X SSID.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
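Added example (not from either post, not Aruba/HPE code, and not the poster's configuration): a small RADIUS-side authorization policy written the way the reply above suggests, where the 802.1X/AD credentials authenticate the user and the client MAC is only an extra authorization source that assigns a role to pre-provisioned tablets. It also shows why a non-802.1X device can never reach that policy on a WPA2-Enterprise SSID. The device allow-list, role names, VLAN number, the "enabled"/"disabled" account status and the placeholder EAP payload are constructed for illustration; the attribute names (User-Name, Calling-Station-Id, EAP-Message) are standard RADIUS attributes.

```python
"""Added example (not Aruba/HPE code and not the poster's configuration):
a RADIUS-side authorization policy in the shape the reply recommends, where
802.1X with AD credentials authenticates the user and the client MAC is only
an extra *authorization* source that picks a role for pre-provisioned tablets.

Assumptions: the device allow-list, the role names, the VLAN number and the
'enabled'/'disabled' AD status are constructed for illustration; attribute
names are standard RADIUS ones (User-Name, Calling-Station-Id, EAP-Message).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed allow-list of pre-provisioned tablets, keyed by normalized MAC.
PROVISIONED_DEVICES: Dict[str, str] = {
    "0011aabbccdd": "tablet-site-01",
    "00a0c9112233": "tablet-site-02",
}


def normalize_mac(raw: str) -> Optional[str]:
    """Collapse 00-11-AA-BB-CC-DD / 00:11:aa:bb:cc:dd / 0011.aabb.ccdd to
    12 lowercase hex digits. A MAC format mismatch between the NAS and the
    RADIUS server is a classic reason MAC authorization silently fails."""
    hexchars = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return hexchars if len(hexchars) == 12 else None


def can_associate(ssid_opmode: str, client_does_dot1x: bool) -> bool:
    """A WPA2-Enterprise SSID requires an EAP (802.1X) exchange at
    association time, so a client that cannot do 802.1X never reaches the
    RADIUS server at all. Open or PSK SSIDs have no such requirement, which
    is why MAC-only devices have to live on a separate, non-802.1X SSID."""
    if ssid_opmode == "wpa2-enterprise":
        return client_does_dot1x
    return True


@dataclass
class Decision:
    accept: bool
    role: Optional[str] = None
    vlan: Optional[int] = None
    reason: str = ""


def authorize(request: Dict[str, object], ad_users: Dict[str, str]) -> Decision:
    """Evaluate one Access-Request. `ad_users` stands in for the directory
    lookup the RADIUS server performs (assumption: 'enabled'/'disabled')."""
    is_dot1x = "EAP-Message" in request          # EAP attributes mean 802.1X
    mac = normalize_mac(str(request.get("Calling-Station-Id", "")))

    if not is_dot1x:
        # A plain MAC-auth request (PAP, MAC as username) is not accepted
        # here: on the enterprise SSID the user must authenticate with AD
        # credentials; the MAC alone proves nothing and is trivially spoofed.
        return Decision(False, reason="non-802.1X request rejected on enterprise SSID")

    user = str(request.get("User-Name", ""))
    if ad_users.get(user) != "enabled":
        return Decision(False, reason="AD account unknown or disabled")

    # User is authenticated; the MAC is now used purely for authorization.
    if mac is not None and mac in PROVISIONED_DEVICES:
        return Decision(True, "authenticated", 101,
                        f"AD user on corporate device {PROVISIONED_DEVICES[mac]}")
    return Decision(True, "byod", 101, "AD user on unmanaged (BYOD) device")


if __name__ == "__main__":
    # Constructed requests; the EAP-Message payload is a placeholder.
    tablet = {"User-Name": "jdoe", "Calling-Station-Id": "00-11-AA-BB-CC-DD",
              "EAP-Message": b"<eap>"}
    byod = {"User-Name": "jdoe", "Calling-Station-Id": "de:ad:be:ef:00:01",
            "EAP-Message": b"<eap>"}
    macauth = {"User-Name": "0011aabbccdd", "Calling-Station-Id": "0011aabbccdd"}
    directory = {"jdoe": "enabled"}
    for req in (tablet, byod, macauth):
        print(req["Calling-Station-Id"], authorize(req, directory))
    print("non-1X device on WPA2-Enterprise:", can_associate("wpa2-enterprise", False))
```

The split this models is the one the reply describes: the enterprise SSID authenticates people (802.1X against AD) and merely consults the MAC to decide what a known tablet is allowed to do, while devices that cannot speak 802.1X (the Blu-Ray players and similar) stay on a separate open SSID with MAC authentication, since they would fail at association before any RADIUS policy could run.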