Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

How to do two step authentication, MAC-based & 802.1x?

  • 1.  How to do two step authentication, MAC-based & 802.1x?

    Posted Dec 17, 2011 01:31 PM

    Hi guys,

    This is a great forum and I've benefited greatly from the knowledgeable posts here. I have a scenario where I need to authenticate devices based on MACs as well as their 802.1x credentials. How can I do that?

    I know that in the AAA profile for a particular VAP, I can set the user roles for MAC-authentication, user-derivation rules and 802.1x, but how can I tie two of them together so that the user is not authenticated until he meets both of the following conditions:

    1) User's MAC address is in the user-derivation rules OR in the Internal DB (MAC Authentication)

    2) 802.1x authentication

    Any help is much appreciated!

    Cheers



  • 2.  RE: How to do two step authentication, MAC-based & 802.1x?
    Best Answer

    EMPLOYEE
    Posted Dec 17, 2011 03:02 PM

    If you set both an 802.1x and a MAC authentication profile, the client has to pass BOTH or the client will not be admitted to the network. If you enable "L2 Authentication Fail Through" on the AAA profile, 802.1x authentication will continue if MAC auth fails. I hope this helps.



  • 3.  RE: How to do two step authentication, MAC-based & 802.1x?

    Posted Dec 17, 2011 05:36 PM

    Thanks for the quick reply cjoseph. I've applied both profiles now but I can't find the "L2 Authentication Fail Through" option that you mentioned. In the AAA profile, all I see are 6 options:

    Initial Role
    802.1X Authentication Default Role
    Wired to Wireless Roaming
    MAC Authentication Default Role
    User derivation rules
    SIP authentication role

    Where's this fail-through option?



  • 4.  RE: How to do two step authentication, MAC-based & 802.1x?

    EMPLOYEE
    Posted Dec 17, 2011 05:38 PM

    Do you have ArubaOS 6.x? I forgot to tell you it only exists there.



  • 5.  RE: How to do two step authentication, MAC-based & 802.1x?
    Best Answer

    Posted Dec 17, 2011 05:43 PM

    No, I don't, but I can get it though. Is 6.x stable though? Anything I should know about for the upgrade? It's a 4504 controller running 5.0.3.3 and a bunch of RAP-2WG APs.



  • 6.  RE: How to do two step authentication, MAC-based & 802.1x?

    EMPLOYEE
    Posted Dec 17, 2011 05:46 PM

    You don't have to upgrade just for that. On your current version, it just won't let devices on if they don't pass MAC address authentication as well as 802.1x authentication.



  • 7.  RE: How to do two step authentication, MAC-based & 802.1x?

    Posted Dec 17, 2011 05:48 PM

    Right, I understand. It would be nice to have that option as a check box though.

    Greatly appreciate your help!
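
The setup discussed in this thread, sketched as ArubaOS 6.x controller CLI configuration. This is an added example, not taken from any of the posts; every quoted profile, server-group, role and virtual-AP name is a hypothetical placeholder, and the server group "corp-radius" is assumed to be defined already. Per the thread, the `l2-auth-fail-through` setting exists only in ArubaOS 6.x, so on 5.x that line is left out and the behaviour is the same as with it disabled.

```text
! Added example for ArubaOS 6.x. All quoted names are hypothetical.
!
! MAC authentication profile. Client MAC addresses are looked up in the
! server group that the AAA profile names with mac-server-group.
aaa authentication mac "corp-mac"
!
! 802.1X authentication profile.
aaa authentication dot1x "corp-dot1x"
!
! AAA profile that references BOTH authentication profiles. With
! fail-through disabled, a client that fails MAC authentication is not
! admitted, so it must pass MAC authentication and 802.1X.
aaa profile "corp-aaa"
   initial-role "logon"
   authentication-mac "corp-mac"
   mac-server-group "internal"
   mac-default-role "authenticated"
   authentication-dot1x "corp-dot1x"
   dot1x-server-group "corp-radius"
   dot1x-default-role "authenticated"
   no l2-auth-fail-through
!
! Attach the AAA profile to the virtual AP that serves the SSID.
wlan virtual-ap "corp-vap"
   aaa-profile "corp-aaa"
```

Replacing `no l2-auth-fail-through` with `l2-auth-fail-through` gives the other behaviour described in post 2: 802.1X authentication continues even when MAC authentication fails.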