Wireless Access

Hello all,

 

I hope someone can help shed some light on how AAA profiles are supposed to work on the controller (7205 model) I'm using on our network.

 

So, I have an exisitng SSID configured so that authentication is configured to RADIUS servers, this is the main SSID for our customers. However, I also need to set up another SSID with MAC address based authentication for "special devices" and a PSK is configured as the password to authenticate with.

 

My issue is I believe I have got it to work, but am not sure I understand why it works.

 

1 - I set up the SSID with "wpa2-psk-tkip" encryption.

2 - I configured the L2 Authentication to include a new MAC authentication profile.

3 - I configured a new AAA profile and set the MAC authentication to the profile in step 2.

4 - I added a VAP profile for this SSID with the AAA profile in step 3 in the AP group.

5 - I added a test device MAC address into the "Internal DB" under Security > Authentication.

 

I then tried to connect to the network using this new SSID from a test device and it failed to authenticate after putting the PSK.

 

I eventually got it working by adding the same 802.1X authentication profile being used by the main customer SSID, as well as the same RADIUS server settings all under the AAA profile settings (in step 3).

 

I'm a bit confused as to why that works, I thought I shouldn't need to include any 802.1X auth for an SSID that's supposed to work only with MAC/PSK authentication.

 

In fact, why is MAC authentication and 802.1X authentication available to configure simultaneously in a AAA profile, shouldn't they be mutually exclusive?

 

Am happy to provide more details if my question needs more clarification.

 

You should be able to use both.

Make sure you assign the default-psk authentication profile under the
802.1X authentication profile.

Where are storing the mac addresses ? the controller internal DB or an
external DB ?

Also add the final role that the device will get under the AAA Profile
Initial role

Thanks Victor,

 

I tested it again but this time without having to set the Radius profile and it worked fine. It also worked just fine with the "default-psk" authentication (I had it on the custom made dot1x profile), so that's tidied up the config, thanks for that tip!

 

Yes I did also add a custom ACL role for the devices.

 

As for the database I just added it to the Internal DB - are there any implications of doing this that I should be aware of?

 

Although I accept that it works fine, which I'm pleased with. But it just didn't make much sense to me why I would need to worry about configuring any dot1x authentication when I'm only going to use MAC authentication in this specific case.

If you are planning to have a lot of devices in the internal db is best to use an external db but if it is just a few devices then it should be fine


Pardon typos sent from Mobile

as per my understanding, first you defined "internal db" as a server in 802.1x along with 802.1x profile next is you defined a test mac within the internal db along with mac auth profile( either to use colon or semicol etc) then in AAA profile you called all the defined values to be used in a VAP.

so i believe it goes like this: when a device connects,ssid will ask for a PSK(defined in encryption) as initial security, then as a L2 auth,aruba will check your mac in internaldb (where your 802.1x prof and server + Mac auth prof works) ,if it matches in internal then device will be placed in post auth role .

i hope i explained it right lol :)

Correct