Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

WIFI 802.1x + MAC at the same time

  • 1.  WIFI 802.1x + MAC at the same time

    Posted May 13, 2019 11:40 AM

    Hi All, 

     

    We want to deploy an SSID with 802.1x authentication (EAP-TLS) and MAC (+ Captive Portal) at the same time.

    We would use the MAC authentication for devices without an 802.1x supplicant.

    As far as we know, it is not possible, but we need you to confirm it, please.

    Our final client wants to connect to the same SSID both devices that authenticate with certificates and other devices, like a "client bridge", that do not have an 802.1x supplicant.
    Also, the client wants that, if the MAC authentication fails, the device will be redirected to a Captive Portal.

    Could somebody confirm whether that is possible?

     

    Thanks, 



  • 2.  RE: WIFI 802.1x + MAC at the same time

    Posted May 13, 2019 12:14 PM
    802.1x authentication needs to have its own SSID. MAC auth can be enabled on an open or PSK network.

    If MAC auth fails, a captive portal can be displayed based on the role returned from ClearPass or the initial role configured in the AAA profile. This is how the guest workflow works with ClearPass.


  • 3.  RE: WIFI 802.1x + MAC at the same time

    Posted May 14, 2019 04:13 AM

    Thanks, 

     

    I have read that when you configure MAC + 802.1x in the same SSID you perform BOTH authentications; is that correct?

     

    I would like to explain my case to you. We have different devices:

    • PCs (have 802.1x supplicant but not configured).
    • Smartphone (with certificate installed – supplicant configured)
    • Client bridge, PIP, old printers, etc (without 802.1x supplicant, so impossible to make 802.1x authentication)

    Our final client wants this in the same SSID:

     

    • PCs --> Make MAC authentication and default role redirect to a captive portal.
    • Smartphone --> Make EAP-TLS authentication and they are authenticated.
    • Client Bridge, PIP, old printer --> Make MAC authentication and they are authenticated.

    I think that when you enable WPA-AES for the 802.1x in the SSID profile, this type of encryption is mandatory to establish the association; is that right?

     



  • 4.  RE: WIFI 802.1x + MAC at the same time
    Best Answer

    Posted May 14, 2019 05:18 AM
    You can't connect non-802.1x clients to an 802.1x SSID.
    In this case you need two SSIDs:


    * SSID with WPA2 802.1x authentication
    * SSID with WPA2-PSK and MAC auth (or open network)


  • 5.  RE: WIFI 802.1x + MAC at the same time

    Posted May 30, 2019 05:49 PM

    Elena, this cannot be done. First, I wrote an ArubaOS 6 book a couple of years ago and I created a role derivation flowchart which shows the role derivation logic. Go to www.westcott-consulting.com and download the free files that I have made available. You will be signing up for my mailing list (that I rarely use) and you can remove yourself. This just validates that you are a person. You will get an email (check junk area) which will provide a link to download.

     

    You can do MAC authentication followed by 802.1X/EAP. If MAC fails, with L2 failover, 802.1X/EAP would still process. If MAC fails, without L2 failover, you are disconnected. However, if it moves past the MAC authentication stage either with a success or with a failure and L2 failover enabled, 802.1X/EAP will be processed.

     

    With wireless you cannot do either/or. With wired, you typically can do either/or.

     

    I hope that helps,