Cloud Managed Networks


Forum to discuss all things related to HPE Aruba Networking Central and UXI Network Management, including deployment of managed networks, configuration, best practices, APIs, Cloud Guest, AIOps, Presence Analytics, and other included Applications

Aruba Central - SSID MAC whitelisting

  • 1.  Aruba Central - SSID MAC whitelisting

    Posted 13 days ago

    Hello,

    I want to create a SSID that is open (no PSK or certificate) and blocks all MAC addresses except the ones I whitelist.
    We're using 615s in Aruba Central.

    I see an option for MAC address deny listing in Device > SSID name > Security > Advanced > MAC Authentication and Deny listing but no option for whitelisting.

    How do I set up a whitelist to allow certain devices to connect to a SSID but block all others not on the whitelist?

    Thank you. 



  • 2.  RE: Aruba Central - SSID MAC whitelisting

    EMPLOYEE
    Posted 12 days ago

    Under the same Advanced Settings you can select the "Primary Server" and set your RADIUS server and then add the MAC addresses that you want to allow. An External server is an option, but if you utilize the "InternalServer" then you would just add the users by selecting the "Manage Users" link and add the user with the MAC address being the username and password. If you select Cloud Auth you can then add the MAC addresses under Global > Security > Authentication & Policy > Config > Manage MAC Registration.




  • 3.  RE: Aruba Central - SSID MAC whitelisting

    Posted 12 days ago

    Hi JPuck,

    Am I understanding the 2 options correctly?
    1 - Use an internal RADIUS server (e.g. Microsoft NPS server). In this scenario, I would have to add entries for each MAC address on the NPS server.

    2 - Use an IdP (e.g. Azure Entra). I'd have to add the MAC addresses in Entra.

    Is there no option to just do the list on the Aruba Central cloud controller?

    Thank you.




  • 4.  RE: Aruba Central - SSID MAC whitelisting

    EMPLOYEE
    Posted 12 days ago

    I apologize for the confusion. There are 2 options for this that don't require an external RADIUS server.

    1. You can input the MAC addresses local to the APs. Username and pwd of the user is the MAC address. Type has to be Employee. I've attached mac-auth-internal and mac-auth-internal2 images to show this config.

    2. You can utilize CloudAuth. While this is part of the CloudAuth feature set within Central, it is separate from the Entra/Google setup. You can just add the MAC address and assign a username to the MAC address. I've attached 2 files, mac-auth-cloudauth and mac-auth-cloudauth2, showing this setup.




  • 5.  RE: Aruba Central - SSID MAC whitelisting

    Posted 12 days ago

    Hi JPuck,

    Thanks for your help thus far.

    Issue I'm seeing is in my environment, I don't have 'InternalServer' as an option. Just Cloud Auth and our Microsoft NPS servers.
    I tried the + symbol to add a server but they all require an IP address.

    See my attachment.

    Thank you




  • 6.  RE: Aruba Central - SSID MAC whitelisting

    EMPLOYEE
    Posted 12 days ago

    I didn't realize you were running AOS10. AOS10 won't have the "internal server" option like AOS8. With AOS10 the only Central-only option you would have is to use CloudAuth, which I prefer as it allows you to assign a user to the MAC address to help with client identification. Select "CloudAuth" and then just add your MAC addresses in Cloud Auth. This can be done via a CSV file or by inputting one MAC address at a time.




  • 7.  RE: Aruba Central - SSID MAC whitelisting

    Posted 12 days ago

    I've selected CloudAuth.

    Now when I go back to Global > Security > Authentication & Policy > Config > Manage MAC registrations.
    I can add a MAC address, but I get 'No client role has been selected for default rule, all MAC-based auths will be denied. Go to client policy for more details.' (see attachment 1).

    I tried to then go into 'Client Access Policy' to configure a client role as in the guide (Configuring the Global Client Roles (arubanetworks.com)) but there's no Client Roles tab (see attachment 2).

    Thank you 




  • 8.  RE: Aruba Central - SSID MAC whitelisting

    EMPLOYEE
    Posted 12 days ago

    You are at the correct area. You just need to select a client role for the "unspecified" and that will be the default role.  If your desired role isn't in the list you can create one in the Security/Roles configuration section.




  • 9.  RE: Aruba Central - SSID MAC whitelisting

    Posted 10 days ago

    I have it working now.

    Thank you JPuck.