Aruba Apps

hello, I have 70 APs and 1 controller. I don't know much about how to whitelist to manage macs on the network. I would appreciate if you could help.

------------------------------
İbrahim Kutlu
------------------------------

Ibrahim, we would need more info to be able to assist.

How is the SSID that the Macs should be connecting to configured, ie what security mechanism/protocol? Since you mentioned allow listing, is this a PSK secured network, or simply performing mac-authentication?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Feb 21, 2022 08:02 AM
From: İbrahim Kutlu
Subject: white list

hello, I have 70 APs and 1 controller. I don't know much about how to whitelist to manage macs on the network. I would appreciate if you could help.

------------------------------
İbrahim Kutlu
------------------------------

Actually, I work at the hospital. There is a domain in my production. There are dhcp servers in it. There are 70 AP and one 7205 controls. Especially after rooting the mobile phones, it is not possible to block macs via dhcp server. I want macs defined via controlur to be included in the network. Undefined macs cannot connect to wifi .

------------------------------
İbrahim Kutlu
------------------------------

Original Message:
Sent: Feb 22, 2022 10:46 AM
From: Charlie Clemmer
Subject: white list

Ibrahim, we would need more info to be able to assist.

How is the SSID that the Macs should be connecting to configured, ie what security mechanism/protocol? Since you mentioned allow listing, is this a PSK secured network, or simply performing mac-authentication?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Feb 21, 2022 08:02 AM
From: İbrahim Kutlu
Subject: white list

hello, I have 70 APs and 1 controller. I don't know much about how to whitelist to manage macs on the network. I would appreciate if you could help.

------------------------------
İbrahim Kutlu
------------------------------

Thanks for the extra clarification. I incorrectly presumed you used "mac" in reference to macOS devices rather than security by mac address.

First point for mac address based filtering/allow-listing: as a mechanism that can be easily bypassed, the adminsitrative effort typically outweighs the benefit of implementing such a solution. Recommended approaches would instead be to strengthen the authentication to utilize something like non-exportable certificates on the devices in combination with device profiling in order to trigger notification if/when a credential is compromised and used on a device other than what it was expected to associated with. This would typically require an additional service such as ClearPass and/or a 3rd party MDM (Mobile Device Manager) for handling the approved device configuration.

For the functionality you've inquired about, the feature to be added to your SSID(s) is "mac authentication". The mac auth can be performed against the controller's built-in user database in order to not require any additional hardware. The approved mac-addresses would be added to the user database, with the approved mac-address being both the username and the password for the device. The approved devices should be mapped to the appropriate user role that approved devices should have. The default role for the SSID/wlan may be changed to something more restrictive, so that any user that is not successfully authenticated via mac-auth is left with minimal access to the SSID.

To provide more detailed assistance on the configuration beyond the high level flow above, please provide the AOS firmware version currently running on the 7205 as well as any specific questions you have after reading the above.



------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Feb 22, 2022 12:40 PM
From: İbrahim Kutlu
Subject: white list

Actually, I work at the hospital. There is a domain in my production. There are dhcp servers in it. There are 70 AP and one 7205 controls. Especially after rooting the mobile phones, it is not possible to block macs via dhcp server. I want macs defined via controlur to be included in the network. Undefined macs cannot connect to wifi .

------------------------------
İbrahim Kutlu

Original Message:
Sent: Feb 22, 2022 10:46 AM
From: Charlie Clemmer
Subject: white list

Ibrahim, we would need more info to be able to assist.

How is the SSID that the Macs should be connecting to configured, ie what security mechanism/protocol? Since you mentioned allow listing, is this a PSK secured network, or simply performing mac-authentication?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Feb 21, 2022 08:02 AM
From: İbrahim Kutlu
Subject: white list

hello, I have 70 APs and 1 controller. I don't know much about how to whitelist to manage macs on the network. I would appreciate if you could help.

------------------------------
İbrahim Kutlu
------------------------------

------------------ ------------
------------------------------------------ -----
Orijinal Mesaj:
Gönderildi: 22 Şubat 2022 13:00
Kimden: Charlie Clemmer
Konu: beyaz liste

Ekstra açıklama için teşekkürler. Yanlışlıkla mac adresine göre güvenlik yerine macOS cihazlarına atıfta bulunarak "mac" kullandığınızı varsaydım.

Mac adresi tabanlı filtreleme/izin verilen listeleme için ilk nokta: kolayca atlanabilen bir mekanizma olarak, idari çaba tipik olarak böyle bir çözümü uygulamanın yararına ağır basar. Bunun yerine önerilen yaklaşımlar, bir kimlik bilgisinin ele geçirilmesi ve ilişkilendirilmesi beklenenden farklı bir cihazda kullanılması durumunda/olduğunda bildirimi tetiklemek için cihaz profili oluşturma ile birlikte cihazlarda dışa aktarılamayan sertifikalar gibi bir şeyi kullanmak için kimlik doğrulamasını güçlendirmek olacaktır. ile birlikte. Bu genellikle, onaylanmış cihaz yapılandırmasını işlemek için ClearPass ve/veya bir 3. taraf MDM (Mobil Cihaz Yöneticisi) gibi ek bir hizmet gerektirir.

Sorduğunuz işlevsellik için SSID'lerinize eklenecek özellik "mac kimlik doğrulaması"dır. Mac kimlik doğrulaması, herhangi bir ek donanım gerektirmemek için denetleyicinin yerleşik kullanıcı veritabanına karşı gerçekleştirilebilir. Onaylanan mac adresleri, onaylanan mac adresi cihazın hem kullanıcı adı hem de parolası olacak şekilde kullanıcı veritabanına eklenecektir. Onaylanan cihazlar, onaylanmış cihazların sahip olması gereken uygun kullanıcı rolüyle eşleştirilmelidir. SSID/wlan'ın varsayılan rolü daha kısıtlayıcı bir şeyle değiştirilebilir, böylece mac-auth aracılığıyla kimliği başarıyla doğrulanmayan herhangi bir kullanıcı SSID'ye minimum erişime sahip olur.

Yukarıdaki yüksek seviyeli akışın ötesinde yapılandırma hakkında daha ayrıntılı yardım sağlamak için, lütfen şu anda 7205'te çalışan AOS donanım yazılımı sürümünü ve yukarıdakileri okuduktan sonra tüm sorularınızı belirtin.



------------------------------
Burada ifade edilen görüşler yalnızca bana aittir ve Hewlett Packard Enterprise veya Aruba Networks'e ait olması şart değildir.
------------------------------

Orijinal Mesaj:
Gönderildi: 22 Şubat 2022 12:40
Gönderen: İbrahim Kutlu
Konu: white liste

Aslında hastanede çalışıyorum. Üretimimde bir etki alanı var. İçinde dhcp sunucuları var. 70 AP ve bir 7205 kontrol var. Özellikle cep telefonlarını rootladıktan sonra dhcp sunucusu üzerinden mac'leri engellemek mümkün değildir. Controlur aracılığıyla tanımlanan mac'lerin ağa dahil edilmesini istiyorum. Tanımsız mac'ler wifi'ye bağlanamaz.

------------------------------
İbrahim Kutlu

Orijinal Mesaj:
Gönderildi: 22 Şubat 2022 10:46
Kimden: Charlie Clemmer
Konu : beyaz liste

İbrahim, yardımcı olabilmek için daha fazla bilgiye ihtiyacımız var.

Mac'lerin bağlanması gereken SSID nasıl yapılandırılır, yani hangi güvenlik mekanizması/protokolü? Listelemeye izin verdiğinizden beri, bu PSK güvenli bir ağ mı yoksa sadece mac kimlik doğrulaması mı yapıyor?

------------------------------
Burada ifade edilen görüşler yalnızca bana aittir ve Hewlett Packard Enterprise veya Aruba Networks'e ait olması şart değildir.

Orijinal Mesaj:
Gönderildi: 21 Şubat 2022 08:02
Kimden: İbrahim Kutlu
Konu: beyaz liste

merhaba, 70 AP'im ve 1 controller'ım var. Ağdaki mac'leri yönetmek için nasıl beyaz listeye alınacağı hakkında fazla bir şey bilmiyorum. yardımcı olabilirseniz sevinirim.

----------------------------------
İbrahim Kutlu
------------------ ------------

product version 6.5.4.7 Well, how do I do the mac identity query, I would appreciate it if you could give me some information about it, and can I solve it without constantly entering a username and password on every pc and phone?

------------------------------
İbrahim Kutlu
------------------------------

Original Message:
Sent: Feb 22, 2022 01:00 PM
From: Charlie Clemmer
Subject: white list

Thanks for the extra clarification. I incorrectly presumed you used "mac" in reference to macOS devices rather than security by mac address.

First point for mac address based filtering/allow-listing: as a mechanism that can be easily bypassed, the adminsitrative effort typically outweighs the benefit of implementing such a solution. Recommended approaches would instead be to strengthen the authentication to utilize something like non-exportable certificates on the devices in combination with device profiling in order to trigger notification if/when a credential is compromised and used on a device other than what it was expected to associated with. This would typically require an additional service such as ClearPass and/or a 3rd party MDM (Mobile Device Manager) for handling the approved device configuration.

For the functionality you've inquired about, the feature to be added to your SSID(s) is "mac authentication". The mac auth can be performed against the controller's built-in user database in order to not require any additional hardware. The approved mac-addresses would be added to the user database, with the approved mac-address being both the username and the password for the device. The approved devices should be mapped to the appropriate user role that approved devices should have. The default role for the SSID/wlan may be changed to something more restrictive, so that any user that is not successfully authenticated via mac-auth is left with minimal access to the SSID.

To provide more detailed assistance on the configuration beyond the high level flow above, please provide the AOS firmware version currently running on the 7205 as well as any specific questions you have after reading the above.



------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Feb 22, 2022 12:40 PM
From: İbrahim Kutlu
Subject: white list

Actually, I work at the hospital. There is a domain in my production. There are dhcp servers in it. There are 70 AP and one 7205 controls. Especially after rooting the mobile phones, it is not possible to block macs via dhcp server. I want macs defined via controlur to be included in the network. Undefined macs cannot connect to wifi .

------------------------------
İbrahim Kutlu

Original Message:
Sent: Feb 22, 2022 10:46 AM
From: Charlie Clemmer
Subject: white list

Ibrahim, we would need more info to be able to assist.

How is the SSID that the Macs should be connecting to configured, ie what security mechanism/protocol? Since you mentioned allow listing, is this a PSK secured network, or simply performing mac-authentication?

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Feb 21, 2022 08:02 AM
From: İbrahim Kutlu
Subject: white list

hello, I have 70 APs and 1 controller. I don't know much about how to whitelist to manage macs on the network. I would appreciate if you could help.

------------------------------
İbrahim Kutlu
------------------------------