MAC-based Authentication. Aruba M3MK1, 7024, 7240, 620, 7280, 650, ArubaOS 6.5.3.x, 3200


Chapter 10

MAC-based Authentication

This chapter describes how to configure MAC-based authentication on the Aruba controller using the WebUI.

Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. Although this is not the most secure and scalable method, MAC-based authentication implicitly provides an additional layer of security to authenticate devices. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to the rest. For example, if clients are allowed access to the network through station A, then one method of authenticating station A is MAC-based.

Clients may be required to authenticate themselves using other methods depending on the network privileges required.

MAC-based authentication can also be used to authenticate Wi-Fi phones as an additional layer of security to prevent other devices from accessing the voice network using what is normally an insecure SSID.

This chapter describes the following topics:

- Configuring MAC-Based Authentication

- Configuring Clients

Configuring MAC-Based Authentication

Before configuring MAC-based authentication, you must configure the following options:

User role—The user role that will be assigned as the default role for the MAC-based authenticated clients. (See Roles and Policies on page 381 for information on firewall policies to configure roles.)

Configure the default user role for MAC-based authentication in the AAA profile. If derivation rules exist or if the client configuration in the internal database has a role assigned, these values take precedence over the default user role.

Authentication server group—The authentication server group that the controller uses to validate the clients. The internal database can be used to configure the clients for MAC-based authentication. See Configuring Clients on page 215 for information on configuring the clients on the local database. For information on configuring authentication servers and server groups, see Authentication Servers on page 179.

Configuring the MAC Authentication Profile

Table 54 describes the parameters you can configure for MAC-based authentication.

ArubaOS 6.5.3.x

| User Guide MAC-based Authentication | 214

Table 54: MAC Authentication Profile Configuration Parameters

| Parameter | Description |
| --- | --- |
| Delimiter | Delimiter used in the MAC string: colon specifies the format XX:XX:XX:XX:XX:XX; dash specifies the format XX-XX-XX-XX-XX-XX; none specifies the format XXXXXXXXXXXX; oui-nic specifies the format XXXXXX:XXXXXX. Default: none. NOTE: This parameter is available for the aaa authentication-server radius command. |
| Case | The case (upper or lower) used in the MAC string. Default: lower |
| Max Authentication failures | Number of times a station can fail to authenticate before it is blacklisted. A value of zero disables blacklisting. Default: zero (0) |

In the WebUI

1. Navigate to the Configuration > Security > Authentication > L2 Authentication page.

2. Select MAC Authentication Profile.

3. Enter a profile name and click Add.

4. Select the profile name to display configurable parameters.

5. Configure the parameters, as described in Table 54.

6. Click Apply.

In the CLI

Execute the following command to configure a MAC authentication profile:

(host)(configure) #aaa authentication mac <profile> case {lower|upper} delimiter {colon|dash|none} max-authentication-failures <number>

Configuring Clients

You can create entries in the controller’s internal database to authenticate client MAC addresses. The internal database contains a list of clients along with the password and default role for each client. To configure entries in the internal database for MAC authentication, you enter the MAC address for both the username and password for each client.

You must enter the MAC address using the delimiter format configured in the MAC authentication profile. The default delimiter is none, which means that MAC addresses should be in the format xxxxxxxxxxxx. If you specify colons for the delimiter, you can enter MAC addresses in the format xx:xx:xx:xx:xx:xx.

In the WebUI

1. Navigate to the Configuration > Security > Authentication > Servers page.

2. Select Internal DB.

3. Click Add User in the Users section. The user configuration page displays.

4. For User Name and Password, enter the MAC address for the client. Use the format specified by the Delimiter parameter in the MAC Authentication profile. For example, if the MAC Authentication profile specifies the default delimiter (none), enter MAC addresses in the format xxxxxxxxxxxx.

5. Click Enabled to activate this entry on creation.

6. Click Apply.

The configuration does not take effect until you perform this step.

In the CLI

Enter the following command in enable mode:

(host)(config) #local-userdb add username <macaddr> password <macaddr> ...
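Because the username and password must use the delimiter and case configured in the MAC authentication profile, inventory lists that mix notations need normalizing before entry. The following Python helper is an added example, not part of the Aruba user guide: it renders MAC addresses in any of the Table 54 formats and emits the matching local-userdb commands. The function names and the sample addresses are constructed for illustration.

```python
import re

# Formats from Table 54: delimiter name -> (hex digits per group, separator)
DELIMITERS = {"none": (12, ""), "colon": (2, ":"), "dash": (2, "-"), "oui-nic": (6, ":")}

def format_mac(raw, delimiter="none", case="lower"):
    """Render a MAC address in the profile's delimiter/case format."""
    if delimiter not in DELIMITERS or case not in ("lower", "upper"):
        raise ValueError(f"unsupported profile setting: {delimiter!r}/{case!r}")
    # Strip common separators, then require exactly 12 hex digits.
    digits = re.sub(r"[:.\-\s]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower() if case == "lower" else digits.upper()
    size, sep = DELIMITERS[delimiter]
    return sep.join(digits[i:i + size] for i in range(0, 12, size))

def userdb_commands(macs, delimiter="none", case="lower"):
    """Return (commands, rejected) for a list of raw MAC strings."""
    commands, rejected, seen = [], [], set()
    for raw in macs:
        try:
            mac = format_mac(raw, delimiter, case)
        except ValueError:
            rejected.append(raw)  # report bad entries instead of guessing
            continue
        if mac in seen:
            continue  # same device listed twice in different notations
        seen.add(mac)
        # Username and password are both the formatted MAC, as described above.
        commands.append(f"local-userdb add username {mac} password {mac}")
    return commands, rejected

# Constructed sample inventory (locally administered addresses, mixed notations)
SAMPLE = ["02:00:00:AA:BB:01", "0200.00aa.bb01", "02-00-00-aa-bb-02", "02:00:00:AA:BB"]

if __name__ == "__main__":
    cmds, bad = userdb_commands(SAMPLE)  # profile defaults: delimiter none, case lower
    print("\n".join(cmds))
    print("rejected:", bad)
```

Pass the same delimiter and case values that are set in the MAC authentication profile; the defaults here mirror the profile defaults listed in Table 54.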
