Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

mixed authentication modes on a 802.1x authenticated SSID

  • 1.  mixed authentication modes on a 802.1x authenticated SSID

    Posted Oct 18, 2013 07:51 AM

    Running 6.1.3.6-airgroup.

    Hello,

    Anybody in the community running mixed authentication modes?

    I am trying to configure mixed authentication modes on an SSID which is currently 802.1x authenticated. If I am reading the user guide correctly, I should be able to edit the aaa-profile to include a MAC authentication Profile and a MAC authentication Server Group and then enable the l2-auth-fail-through feature. This should allow for MAC authentication on the otherwise 802.1x authenticated SSID.

    For the purposes of testing, I am using the internal database on the controller as the MAC auth server.

    When I enable the MAC auth features I have mentioned above, no stations can authenticate. MAC auth does not work and the previously working 802.1x auth stops working. I am obviously missing something. Anyone have any thoughts?

    Thanks in advance



  • 2.  RE: mixed authentication modes on a 802.1x authenticated SSID

    EMPLOYEE
    Posted Oct 18, 2013 07:58 AM

    For the client that is failing, type "show auth-tracebuf" to see why.

    When you say "mixed", you mean 802.1x with MAC authentication, right? L2 fail-through only allows clients that fail MAC authentication to continue on to 802.1x authentication. If a client fails 802.1x, the client does not get on, period...


  • 3.  RE: mixed authentication modes on a 802.1x authenticated SSID

    Posted Oct 18, 2013 08:41 AM

    Hi cjoseph,

    I do mean 802.1x with MAC auth. I am trying to configure the SSID so that stations will first attempt MAC auth.

    If the MAC auth succeeds, assign role and allow station to connect.

    If MAC auth fails, try 802.1x auth.

    If both MAC and 802.1x auth pass, assign role based on 802.1x.

    I have configured my aaa profile like this.

    aaa profile "OCDSB-TEST-aaa-Profile"
    mac-server-group "internal_db"
    authentication-mac "OCDSB-TEST-MAC-Profile"
    authentication-dot1x "OCDSB-TEST-dot1x-profile"
    dot1x-default-role "authenticated"
    dot1x-server-group "OCDSB-CPPM-server-group"
    no wired-to-wireless-roam
    enforce-dhcp
    l2-auth-fail-through

    I think what I may be missing is in the SSID configuration, which is as follows.

    wlan ssid-profile "OCDSB-TEST-ssid-prof"
    essid "OCDSBTEST"
    opmode wpa2-aes

    So this leaves me with a vap-profile like...

    wlan virtual-ap "OCDSB_TEST-vap-profile"
    aaa-profile "OCDSB-TEST-aaa-profile"
    ssid-profile "OCDSB-TEST-ssid-prof"
    vlan 100
    blacklist-time 1800
    auth-failure-blacklist-time 600
    band-steering


  • 4.  RE: mixed authentication modes on a 802.1x authenticated SSID

    Posted Oct 18, 2013 09:12 AM

    @tpelley wrote:

    > If the mac auth succeeds assign role and allow station to connect.

    The above statement is not possible. If it is a wpa2 network, 802.1X has to pass; you cannot bypass 802.1X on a wireless network using WPA2 Enterprise.

    Also, in your code snippet, I don't see any mac-default-role defined; are you just using the default guest?


  • 5.  RE: mixed authentication modes on a 802.1x authenticated SSID

    Posted Oct 18, 2013 09:40 AM

    clembo,

    Thanks for your input.

    Yes, my MAC authentication default mode is guest.

    Your statement seems to confirm my suspicion that I have misconfigured the ssid profile.

    I want to enable both MAC auth and 802.1x on the same ssid. The implication in the 6.1 user guide is that this is possible.

    I am referring to table 58 on page 323 of the guide. I attached a copy of that specific page.

    I am thinking I need to enable mixed mode on the ssid.

    Attachment(s): Pg323.pdf (51 KB)


  • 6.  RE: mixed authentication modes on a 802.1x authenticated SSID

    Posted Jan 06, 2014 11:40 AM

    tpelley, did you get this to work?

    So only MAC auth on a WPA2 Enterprise SSID? dot1x not even requested?


  • 7.  RE: mixed authentication modes on a 802.1x authenticated SSID

    Posted Jan 06, 2014 04:35 PM

    @tpelley wrote:

    > I am thinking I need to enable mixed mode on the ssid.

    I believe you are confusing things there; the document talks about mixed authentication modes. The mixed mode on the ssid profile is about mixing different types of wireless security.

    I found another thread where cjoseph says that the combination of MAC or dot1x can't be used with only MAC on wpa2:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/MAC-Authentication-on-WPA2-secured-SSID/td-p/25570

    That table confused people before:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Security-in-mixed-authentication-modes-environment/td-p/33562

    Would be nice if Aruba could clear it up and explain the use of it.


  • 8.  RE: mixed authentication modes on a 802.1x authenticated SSID

    Posted Oct 18, 2013 08:00 AM

    In the MAC auth profile, what delimiter and case did you use? Typically, you would use "none" and "lower" and put the MAC address in the DB like "00112233aabbcc".


  • 9.  RE: mixed authentication modes on a 802.1x authenticated SSID

    Posted Oct 18, 2013 08:43 AM

    Thanks olino,

    My MAC auth profile is configured exactly as you show it.
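The two points the replies above make, as an added example that is not part of the thread and not HPE Aruba Networking code. olino's reply says the MAC-auth profile's delimiter and case settings decide the exact string the controller presents to the MAC-auth server, so an internal-DB entry only matches when it is stored in that same form; cjoseph's and clembo's replies say that on a WPA2-Enterprise SSID l2-auth-fail-through only lets a MAC-auth failure fall through to 802.1X, that 802.1X can never be bypassed, and that when both pass the role comes from 802.1X. The script below models both in plain Python: `format_mac` renders a MAC under a given delimiter/case setting, `mac_auth` does the exact-match lookup, and `l2_admission`/`admit_client` apply the fail-through decision. The `oui-nic` rendering (OUI and NIC halves joined by a dash), the `INTERNAL_DB` contents and the `admit_client` helper are assumptions constructed for illustration; the role names come from the thread's aaa profile.

```python
"""Added example (not from the thread or from HPE Aruba Networking): MAC-auth
identity formatting and the l2-auth-fail-through decision on a
WPA2-Enterprise SSID, modelled in plain Python."""
import re

# Separator the controller inserts between octets for each delimiter setting.
_SEPARATORS = {"none": "", "colon": ":", "dash": "-"}


def normalize_mac(raw: str) -> str:
    """Strip any separators and return the 12 hex digits of a six-octet MAC, lowercased."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a six-octet MAC address: {raw!r}")
    return digits.lower()


def format_mac(raw: str, delimiter: str = "none", case: str = "lower") -> str:
    """Render a MAC the way a MAC-auth profile with these delimiter/case settings would."""
    digits = normalize_mac(raw)
    if delimiter == "oui-nic":
        rendered = f"{digits[:6]}-{digits[6:]}"   # assumed layout: OUI and NIC halves
    elif delimiter in _SEPARATORS:
        sep = _SEPARATORS[delimiter]
        rendered = sep.join(digits[i:i + 2] for i in range(0, 12, 2))
    else:
        raise ValueError(f"unknown delimiter setting {delimiter!r}")
    if case == "upper":
        return rendered.upper()
    if case == "lower":
        return rendered
    raise ValueError(f"unknown case setting {case!r}")


# Constructed stand-in for the controller's internal DB: entries stored the way
# the profile defaults present them, delimiter "none" and case "lower".
INTERNAL_DB = {"001122334455", "aabbccddeeff"}


def mac_auth(raw_mac: str, db=INTERNAL_DB, delimiter: str = "none", case: str = "lower") -> bool:
    """MAC auth passes only on an exact string match, so profile and DB formats must agree."""
    return format_mac(raw_mac, delimiter, case) in db


def l2_admission(mac_ok: bool, dot1x_ok: bool, fail_through: bool,
                 dot1x_role: str = "authenticated"):
    """Decide (admitted, role) for a WPA2-Enterprise SSID with both MAC auth and 802.1X.

    MAC auth runs first. Without l2-auth-fail-through a MAC failure stops the
    client there; with it, the client goes on to 802.1X. Because the SSID uses
    WPA2 key management, 802.1X has to succeed whatever the MAC result was, and
    when both pass the role comes from 802.1X (here the dot1x default role).
    """
    if not mac_ok and not fail_through:
        return False, None   # MAC auth failed and fail-through is off: rejected
    if not dot1x_ok:
        return False, None   # 802.1X failed: never admitted on WPA2-Enterprise
    return True, dot1x_role


def admit_client(raw_mac: str, dot1x_ok: bool, fail_through: bool,
                 delimiter: str = "none", case: str = "lower", db=INTERNAL_DB):
    """Hypothetical helper: run both stages for one client, as the thread's aaa profile would."""
    return l2_admission(mac_auth(raw_mac, db, delimiter, case), dot1x_ok, fail_through)


if __name__ == "__main__":
    # A format mismatch (profile set to colon, DB stored without delimiters) makes
    # every MAC lookup fail; with fail-through off that also blocks 802.1X clients,
    # with it on they still get in via 802.1X.
    print(admit_client("00:11:22:33:44:55", dot1x_ok=True, fail_through=False, delimiter="colon"))
    print(admit_client("00:11:22:33:44:55", dot1x_ok=True, fail_through=True, delimiter="colon"))
```

Two practical checks follow from the model: compare the string in `show auth-tracebuf` for the failing client against the DB entry character for character (delimiter, case, and that it is six octets), and remember that enabling MAC auth on a WPA2-Enterprise SSID without `l2-auth-fail-through` means a lookup miss locks out clients whose 802.1X credentials are fine.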