Wireless Access

Contributor I

Internal database MAC machine authentication

We have 2 virtual-ap's:

- One public SSID with captive portal and mac authentication. The mac addresses that have been added to the internal database bypass the captive portal and go straight to Internet. Unknown mac addresses get the captive portal and require a login.

- One corporate SSID with 802.1x client and machine authentication enforced where only valid domain computers and users are allowed.


We noticed that client mac addresses added in the internal database for the public SSID get full rights to the corporate SSID after authenticating with username and password.


I believe I found the explanation: Aruba will store mac addresses that have machine authenticated in the internal DB for 24 hours. The AAA profile will see a valid user authentication and a valid MAC address in the database, so it will give full rights to that device. However the machine authentication on these devices never took place...


How can we solve this? You cannot create a second internal DB. Changing the "MAC Authentication Server Group" in the AAA profile does not work. Any ideas?



Guru Elite

Re: Internal database MAC machine authentication


For your public captive portal, change the mac authentication format or delimiter so it does not match that of your enforce machine authentication format. You would change this in the mac authentication profile. You will probably have to re-enter all of your mac addresses to match the new format, of course.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
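
An added example, not part of the original posts and not Aruba code: a sketch of the re-entry step suggested in the reply above. It converts an exported bypass list to a new delimiter and case and refuses a format that would still produce the same string as the one machine authentication looks up. The delimiter labels, the sample list and the colon/lowercase machine-auth format are assumptions to confirm on the controller.

```python
import re

# Delimiter styles modeled here (labels are this example's own).
FORMATS = {
    "colon":   lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),
    "dash":    lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),
    "none":    lambda h: h,
    "oui-nic": lambda h: h[:6] + "-" + h[6:],
}

def normalize(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def render(mac, delimiter, upper=False):
    text = FORMATS[delimiter](normalize(mac))
    return text.upper() if upper else text

def migrate(entries, new_delim, new_upper, reserved_delim, reserved_upper):
    """Re-key public-SSID entries; refuse a format that still collides.

    reserved_* is the format the corporate SSID's machine authentication
    is assumed to look up. Returns (new_entries, rejected_inputs).
    """
    new_entries, rejected, seen = [], [], set()
    for raw in entries:
        try:
            new_key = render(raw, new_delim, new_upper)
            reserved_key = render(raw, reserved_delim, reserved_upper)
        except ValueError:
            rejected.append(raw)      # not a MAC: needs manual review
            continue
        if new_key == reserved_key:   # e.g. case-only change on an all-digit MAC
            raise ValueError(f"{new_key} still matches the machine-auth format")
        if new_key not in seen:       # same device written in two styles
            seen.add(new_key)
            new_entries.append(new_key)
    return new_entries, rejected

# Constructed sample export of the public-SSID bypass list.
SAMPLE = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5e", "a4-5e-60-c1-02-03", "printer-7"]

if __name__ == "__main__":
    keys, bad = migrate(SAMPLE, "dash", True, "colon", False)
    print("re-enter:", keys, "fix by hand:", bad)
```

The collision check matters because a change of case alone does not separate addresses made up only of digits.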