Wildcard for username in local mac auth

I have a customer that I am deploying Aruba switches in tunneled-node to the controllers and Clearpass for user/machine auth. They also have Cisco phones. I have CP doing MAC auth for the phones by the first 6 of the MAC and dot1x for the user. However, the customer doesn't care to see the phone MAC request in Access Tracker. The phone VLAN is locked down. So I thought I would do an AAA profile on the controller for the wired side with a server group that had the internal database (for MAC auth of the phones), then fail through to the CP servers. I have this set up but haven't been back on site to test. If this works, then this will solve the problem with the phones MAC authing to Access Tracker. But that means we will have to add all MAC addresses to the internal database of the controller. Is there a way to do MAC auth wildcard-based access in the internal database so we don't have to add MAC addresses to the internal DB?

Aruba Partner Ambassador ACMX #252, ACDX #824,ACCP, ACSA, AWMP, CCNP Wireless & Security

Re: Wildcard for username in local mac auth


You can use a user-derivation rule to wildcard the phone MAC addresses instead of using the internal user database. However, since the AAA profile also has to accommodate legitimate user/machine auth, you will still see the MAC auth from the phone, as it will hit the same policy. Perhaps I'm confused on the setup.

Best regards,
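
A sketch of the user-derivation rule mentioned in the reply above, added here as an illustration and not posted by either participant. The rule-set name, role name, AAA profile name and the `00:11:22` prefix are constructed placeholders, and the exact syntax should be checked against the CLI reference for the ArubaOS release in use.

```text
! Added illustration, not from the thread. Constructed placeholders:
!   rule set "phone-oui", role "voice-restricted", AAA profile "wired-tunneled",
!   and the prefix 00:11:22 (substitute the first three octets of the phones' MACs).
aaa derivation-rules user phone-oui
    ! Any client whose MAC begins with the prefix is placed in the voice role
    set role condition macaddr starts-with "00:11:22" set-value voice-restricted
!
aaa profile "wired-tunneled"
    ! Attach the rule set to the wired AAA profile used by the tunneled-node ports
    user-derivation-rules phone-oui
!
```

A prefix match only checks the address a device presents, so the derived role should stay as restricted as the locked-down phone VLAN described in the question.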


