Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Machine Authentication via MAC Address

  • 1.  Machine Authentication via MAC Address

    Posted Aug 26, 2011 10:58 AM
    Can I manually add MAC addresses to the internal database on the controller to only allow certain machines access to our wireless network? I don't know enough about 802.1X or RADIUS, nor do I have the time to set that up at this time. We are a Novell eDirectory environment, and down the road I would like to set up some sort of LDAP referencing for user authentication as well.


  • 2.  RE: Machine Authentication via MAC Address

    EMPLOYEE
    Posted Aug 26, 2011 11:17 AM
    Yes.

    First you set up your WLAN how you want it, without MAC authentication. Next, edit that AAA profile (Configuration > Security > Authentication; find your AAA profile and edit it). Add a MAC authentication profile that specifies the format and delimiter of MAC addresses (space, no space, colons, etc.). Also add a MAC authentication server group of default to the same AAA profile. Next, make sure you add a user to the internal database which has a username and password of that MAC address, in the same format that you specified in the profile above. Users who are successful will get the MAC authentication default role. Users who are not will get the initial role of the AAA profile.


  • 3.  RE: Machine Authentication via MAC Address

    Posted Nov 16, 2011 12:02 PM

    I can't get this to work.
    I have created a test ssid "IO" opmode open.
    I created a mac authen profile called Internet-Only:

    AAA Profile "Internet-Only"
    ---------------------------
    Parameter                            Value
    ---------                            -----
    Initial role                         logon
    MAC Authentication Profile           Internet-Only
    MAC Authentication Default Role      Internet-Only
    MAC Authentication Server Group      default
    802.1X Authentication Profile        N/A
    802.1X Authentication Default Role   guest
    802.1X Authentication Server Group   N/A
    RADIUS Accounting Server Group       N/A
    XML API server                       N/A
    RFC 3576 server                      N/A
    User derivation rules                N/A
    Wired to Wireless Roaming            Enabled
    SIP authentication role              N/A

     

    I have two test laptops.

    I have entered one test laptop mac address as username and password in the internal database.

     

    Both laptops are able to connect.

     

    TIA

     



  • 4.  RE: Machine Authentication via MAC Address

    EMPLOYEE
    Posted Nov 16, 2011 09:41 PM

    In the MAC authentication profile, the format of the MAC addresses must match the format that you put the MACs in the internal database as username and password.  If a device does not pass MAC authentication, it remains in the initial role of that AAA profile, which is "logon".



  • 5.  RE: Machine Authentication via MAC Address

    Posted Nov 17, 2011 08:31 AM

    You can see my AAA profile in the attachment.

    Internet-Only is set with no delimiter, lower case, and max fail 5.

    I have entered the mac, accordingly, as user name and password in the internal database.

     

    How do you view the actual user entries that were configured in the internal database?

    show user-table authentication-method mac or show  user-table internal does not have any entries.

     

    TIA



  • 6.  RE: Machine Authentication via MAC Address

    Posted Nov 17, 2011 08:33 AM

    show local-userdb will show you the entries.



  • 7.  RE: Machine Authentication via MAC Address

    EMPLOYEE
    Posted Nov 17, 2011 08:38 AM

    Going to venture on a guess here.  When you say both machines can connect I bet they connect using the logon role as it is your default initial role.  You may consider changing that to a deny role unless it is a known MAC.  Use 'show user-table' to determine what role the device is being placed into.

     



  • 8.  RE: Machine Authentication via MAC Address

    Posted Nov 17, 2011 09:19 AM

    They are being logged in by the logon initial role.

     

    As cjoseph says "If a device does not pass mac authentication, it remains in the initial role of that AAA profile, which is "logon""

     

    What is preventing the laptop with the mac "supposedly" in the internal database from connecting with my Internet-Only MAC Authentication Profile?

     

    TIA



  • 9.  RE: Machine Authentication via MAC Address

    Posted Oct 05, 2013 05:34 AM

    Hi,

     

    I have a 620 controller and AP 105.  The user is asking to configure MAC authentication ....

     

    I am new to configuration ..please help me step by step.

     

    Regards

    Muthu



  • 10.  RE: Machine Authentication via MAC Address

    EMPLOYEE
    Posted Oct 05, 2013 06:31 AM

    muthu@texonic.com wrote:

    Hi,

     

    I have a 620 controller and AP 105.  The user is asking to configure MAC authentication ....

     

    I am new to configuration ..please help me step by step.

     

    Regards

    Muthu


    Please see the link here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1126

     



  • 11.  RE: Machine Authentication via MAC Address

    Posted Oct 07, 2013 12:17 AM

    hi,

     

     

    I seen the document in that mac profile name means SSID or Name (default )..

     

    Regards

    N.Muthu



  • 12.  RE: Machine Authentication via MAC Address

    Posted Oct 22, 2013 07:17 AM

    Hi Cjoseph,

     

    Thanks very much it is working ..

     

    Regards 

    N.muthu



  • 13.  RE: Machine Authentication via MAC Address

    EMPLOYEE
    Posted Oct 22, 2013 07:19 AM

    Excellent!



  • 14.  RE: Machine Authentication via MAC Address

    Posted Nov 17, 2011 09:10 AM

    show local-userdb

     

    All it is showing me is the admin username I entered, no mac address.



  • 15.  RE: Machine Authentication via MAC Address

    Posted Nov 17, 2011 11:26 AM

    I entered the MAC via the CLI and I can now see it.

    Furthering my distrust with any type of GUI configuration........



  • 16.  RE: Machine Authentication via MAC Address

    EMPLOYEE
    Posted Nov 17, 2011 03:36 PM

    What steps did you take to enter it into the GUI?  There are two apply buttons visible in the GUI when you enter devices in the local database.



  • 17.  RE: Machine Authentication via MAC Address

    Posted Nov 21, 2011 03:43 PM

    Security>Authentication>Servers>Internal DB Add User.

    Mac in username/password.

    Apply.

     

    Shows "Configuration Updated successfully."

    Click on Internal DB and the user is not there.



  • 18.  RE: Machine Authentication via MAC Address

    EMPLOYEE
    Posted Nov 21, 2011 03:47 PM

    Ah.  There are two "apply" buttons on the page.  The one lower down and to the right will result in "configuration applied successfully", but will not add it.  The one right under where you add the username, will result in the mac being added.

     



  • 19.  RE: Machine Authentication via MAC Address

    EMPLOYEE
    Posted Nov 23, 2011 09:49 AM

    One more point to keep in mind.  When using the Internal Database, the entries need to be on the master/standalone controller.  If you have a multi-controller environment, entering them in the local controller's database will not result in a successful authentication.  By default the master controller's database is used by all master-local controllers unless you force the local controller's database to be activated by using "aaa authentication-server internal use-local-switch".



  • 20.  RE: Machine Authentication via MAC Address

    Posted Sep 15, 2011 10:24 AM
    That's how we've been doing it. You have to be careful to put the MAC address in perfectly. It goes into the internal DB as both username and password. I would say that it works up to a limit - I don't know the number, but we now have 400+ devices and I feel like it's choking up a bit at this point.

    I can remember exactly where, but somewhere is a setting which specifies the format of the MAC address in the internal DB. Mine is all caps with dashes between the pairs.


  • 21.  RE: Machine Authentication via MAC Address

    EMPLOYEE
    Posted Sep 15, 2011 02:44 PM

    That's how we've been doing it. You have to be careful to put the MAC address in perfectly. It goes into the internal DB as both username and password. I would say that it works up to a limit - I don't know the number, but we now have 400+ devices and I feel like it's choking up a bit at this point.

    I can remember exactly where, but somewhere is a setting which specifies the format of the MAC address in the internal DB. Mine is all caps with dashes between the pairs.




    That is located in the MAC authentication profile attached to the AAA profile, which says whether:

    - There is a delimiter or not
    - What delimiter it is (colon or dash)
    - Capital letters or small
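
Added example (not part of the thread and not Aruba code): a small Python check that renders a MAC address in the delimiter and case chosen in the MAC authentication profile, and audits a list of internal-database username/password pairs for entries that can never match. The function names and the sample entries are constructed for illustration; the delimiter and case options are the ones named in the thread.

```python
import re

# Delimiter options named in the thread: none, colon, dash.
DELIMITERS = {"none": "", "colon": ":", "dash": "-"}

def canonical_hex(raw):
    """Strip common separators; return 12 lowercase hex digits, or None."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def format_mac(raw, delimiter="none", upper=False):
    """Render a MAC address in the format the MAC auth profile expects."""
    digits = canonical_hex(raw)
    if digits is None:
        raise ValueError(f"not a MAC address: {raw!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    out = DELIMITERS[delimiter].join(pairs)
    return out.upper() if upper else out

def audit_entries(entries, delimiter="none", upper=False):
    """Return {username: [problems]} for entries that cannot match the profile."""
    findings = {}
    for username, password in entries:
        problems = []
        if canonical_hex(username) is None:
            problems.append("username is not a MAC address")
        else:
            expected = format_mac(username, delimiter, upper)
            if username != expected:
                problems.append(f"username should be {expected}")
            if password != expected:
                problems.append(f"password should be {expected}")
        if problems:
            findings[username] = problems
    return findings

# Constructed sample entries (username, password), not taken from the thread.
SAMPLE = [
    ("001a2b3c4d5e", "001a2b3c4d5e"),            # matches no-delimiter, lower case
    ("00-1A-2B-3C-4D-5F", "00-1A-2B-3C-4D-5F"),  # wrong delimiter and case
    ("001a2b3c4d60", "001A2B3C4D60"),            # password case differs
    ("admin", "placeholder"),                    # not a MAC entry at all
]

if __name__ == "__main__":
    for user, problems in audit_entries(SAMPLE).items():
        print(user, "->", "; ".join(problems))
```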