Occasional Contributor II

WIFI 802.1x + MAC at the same time

Hi All, 

 

We want to deploy an SSID with 802.1x authentication (EAP-TLS) and MAC (+ Captive Portal) at the same time.


We would use the MAC authentication for devices without an 802.1x supplicant.


As far as we know, it is not possible, but we need you to confirm it, please.

Our final client wants to connect to the same SSID devices that authenticate with certificates and other devices, like a "client bridge", that do not have an 802.1x supplicant.
Also, the client wants the device to be redirected to a Captive Portal if the MAC authentication fails.

Could somebody confirm whether that is possible?

 

Thanks, 

Super Contributor II

Re: WIFI 802.1x + MAC at the same time

802.1x authentication needs to have its own SSID. MAC auth can be enabled on an open or PSK network.

If MAC auth fails, a captive portal can be displayed based on the role returned from ClearPass or the initial role configured in the AAA profile. This is how the guest workflow works with ClearPass.

Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Occasional Contributor II

Re: WIFI 802.1x + MAC at the same time

Thanks, 

 

I have read that when you configure MAC + 802.1x in the same SSID you perform BOTH authentications. Is that correct?

 

I would like to explain my case to you. We have different devices:

  • PCs (have an 802.1x supplicant, but it is not configured).
  • Smartphones (with certificate installed – supplicant configured)
  • Client bridge, PIP, old printers, etc. (without an 802.1x supplicant, so 802.1x authentication is impossible)

Our final client wants this in the same SSID:

 

  • PCs --> Perform MAC authentication, and the default role redirects to a captive portal.
  • Smartphones --> Perform EAP-TLS authentication and they are authenticated.
  • Client bridge, PIP, old printers --> Perform MAC authentication and they are authenticated.

I think that when you enable WPA-AES for 802.1x in the SSID profile, this type of encryption is mandatory to establish the association. Is that right?

 

Super Contributor II

Re: WIFI 802.1x + MAC at the same time

You can't connect non-802.1x clients to an 802.1x SSID.
In this case you need two SSIDs:


* SSID with WPA2 802.1x authentication
* SSID with WPA2-PSK and MAC auth (or open network)

Willem Bargeman ACMX#935 | ACCX #822

Frequent Contributor II

Re: WIFI 802.1x + MAC at the same time

Elena, this cannot be done. First, I wrote an ArubaOS 6 book a couple of years ago and I created a role derivation flowchart which shows the role derivation logic. Go to www.westcott-consulting.com and download the free files that I have made available. You will be signing up for my mailing list (that I rarely use) and you can remove yourself. This just validates that you are a person. You will get an email (check junk area) which will provide a link to download.

 

You can do MAC authentication followed by 802.1X/EAP. If MAC fails, with L2 failover, 802.1X/EAP would still process. If MAC fails, without L2 failover, you are disconnected. However, if it moves past the MAC authentication stage either with a success or with a failure and L2 failover enabled, 802.1X/EAP will be processed.

 

With wireless you cannot do either/or. With wired, you typically can do either/or.

 

I hope that helps,

 

David
Sr. Trainer and Author of upcoming "Understanding ArubaOS: Version 8.x" book