Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

is mix authentication on the same ssid possible?

  • 1.  is mix authentication on the same ssid possible?

    Posted Feb 21, 2012 04:47 AM

    A customer wants to use 1 SSID for his cooperative WLAN.

    But the customer has lots of different WiFi clients. Most of them are laptops and do support 802.1x.

    But the customer will also use devices for, e.g., temp monitoring, and they do not support 802.1x.

    Now we are searching for the possibility to do authentication for the devices supporting 802.1x by username/password.

    And for the devices not supporting 802.1x by MAC authentication.

    For both we will use the same RADIUS server.

    My problem is that when using 1 SSID, we have to configure the type of encryption in the SSID profile, e.g. WPA or WPA2, but then you will already use 802.1x.

    So how can I associate devices that do not support 802.1x on that SSID?

    There is also something called L2 authentication fail through in the AAA profile.

    So my question is:

    Is it possible to do MAC authentication for devices not supporting 802.1x and username/password authentication for devices supporting 802.1x on the same SSID?

     

    regards



  • 2.  RE: is mix authentication on the same ssid possible?
    Best Answer

    EMPLOYEE
    Posted Feb 21, 2012 05:24 AM

    You need a different and separate SSID with WPA2-PSK encryption for those devices. You can have WPA2-PSK and MAC authentication on the same SSID.



  • 3.  RE: is mix authentication on the same ssid possible?

    Posted Feb 21, 2012 07:39 AM

    Hi,

     

    Could you tell me what the option "L2 authentication fail through" in the AAA profile will do then?

     

    regards

     



  • 4.  RE: is mix authentication on the same ssid possible?

    EMPLOYEE
    Posted Feb 21, 2012 07:56 AM

    Refer to the ArubaOS User Guide, Chapter 10 802.1x Authentication

     

    Use l2-auth-fail-through command to perform mixed authentication which includes both MAC and
    802.1x authentication. When MAC authentication fails, enable the l2-auth-fail-through command to
    perform 802.1x authentication.

     

    If this parameter is enabled and MAC authentication fails, 802.1x authentication will be performed.

     

    CLI configuration:

     

    aaa profile test
    l2-auth-fail-through

     

     

     

     



  • 5.  RE: is mix authentication on the same ssid possible?

    Posted Feb 21, 2012 08:17 AM

    Hi,

    Is this not what I need for my problem?



  • 6.  RE: is mix authentication on the same ssid possible?

    EMPLOYEE
    Posted Feb 21, 2012 08:35 AM
    No. That option allows a device to still connect if it fails MAC authentication. The device still must support 802.1x, however.


  • 7.  RE: is mix authentication on the same ssid possible?

    Posted Feb 21, 2012 10:06 AM

    Hi,

     

    thanks for the feedback.

     

    best regards



  • 8.  RE: is mix authentication on the same ssid possible?

    Posted Nov 29, 2012 09:55 AM

    I have been able to configure this and it works as expected. My question is: the role being assigned is first from the MAC authentication and then overwritten from the 802.1x authentication AAA profile rules. Is there a way to use the MAC address authentication? I want to assign users with certain MAC addresses to a captive portal role and everyone else to the 802.1x role.



  • 9.  RE: is mix authentication on the same ssid possible?

    EMPLOYEE
    Posted Nov 29, 2012 10:01 AM

    @hartcy wrote:

    I have been able to configure this and it works as expected. My question is: the role being assigned is first from the MAC authentication and then overwritten from the 802.1x authentication AAA profile rules. Is there a way to use the MAC address authentication? I want to assign users with certain MAC addresses to a captive portal role and everyone else to the 802.1x role.


    If you have "enable l2 passthrough" enabled, devices that pass 802.1x and fail MAC will get the 802.1x default role in the AAA profile. Devices that pass both will get the MAC authentication default role in the AAA profile.



  • 10.  RE: is mix authentication on the same ssid possible?

    Posted Nov 29, 2012 12:10 PM

    Thanks. I do not see any option for "enable l2 passthrough" in the AAA profile. Where is the option applied? I searched the command reference guide and did not see any mention of this command.



  • 11.  RE: is mix authentication on the same ssid possible?

    EMPLOYEE
    Posted Nov 30, 2012 05:51 AM

    It should be L2 failthrough in the AAA profile. That would only be there if you are running ArubaOS 6.1.x and above.
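
The two-SSID design from the best answer, written out as an ArubaOS CLI sketch (an added example, not posted by anyone in this thread). All profile, role, ESSID and server-group names are assumed, the passphrase is a placeholder, and the roles and the RADIUS server group are assumed to be defined already.

```text
! Added example: every quoted name below is hypothetical.
! Roles "employee", "sensor", "denyall" and server group "corp-radius"
! are assumed to exist already on the controller.

! --- SSID 1: laptops with an 802.1x supplicant (WPA2-Enterprise) ---
aaa authentication dot1x "corp-dot1x"
!
aaa profile "corp-aaa"
   authentication-dot1x "corp-dot1x"
   dot1x-default-role "employee"
   dot1x-server-group "corp-radius"
   ! Optional, as discussed in posts 4 to 6: MAC authentication in front of
   ! 802.1x, with fail-through so that a MAC failure still leads to 802.1x.
   ! Clients on this SSID still need an 802.1x supplicant.
   ! authentication-mac "corp-mac"
   ! mac-server-group "corp-radius"
   ! l2-auth-fail-through
!
wlan ssid-profile "corp-ssid"
   essid "CORP"
   opmode wpa2-aes
!
wlan virtual-ap "corp-vap"
   aaa-profile "corp-aaa"
   ssid-profile "corp-ssid"
!
! --- SSID 2: devices without 802.1x support (WPA2-PSK + MAC auth) ---
aaa authentication mac "sensor-mac"
!
aaa profile "sensor-aaa"
   ! Role held before MAC authentication succeeds (assumed deny-all role)
   initial-role "denyall"
   authentication-mac "sensor-mac"
   mac-default-role "sensor"
   mac-server-group "corp-radius"
!
wlan ssid-profile "sensor-ssid"
   essid "CORP-DEVICES"
   opmode wpa2-psk-aes
   wpa-passphrase <PASSPHRASE-PLACEHOLDER>
!
wlan virtual-ap "sensor-vap"
   aaa-profile "sensor-aaa"
   ssid-profile "sensor-ssid"
```

Because MAC addresses are visible on the air and the PSK is shared by every device on the second SSID, keep the role assigned there limited to the traffic those devices actually need.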