This chapter describes how to configure MAC-based authentication on the Arubacontrollerusing the WebUI.

RADIUS change of authorization (CoA) allows a RADIUS server to dynamically instruct the switch to alter an existing session. Cisco Catalyst switches support four actions for CoA: reauthenticate, terminate, port shutdown, and port bounce. 8 Chapter 1 Getting Started Setting Up Your MacBook Your MacBook is designed so that you can set it up quickly and start using it right away. The following pages take you through the setup process, including these tasks.

Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. While not the most secure and scalable method, MAC-based authentication implicitly provides an addition layer of security authentication devices. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to the rest. For example, if clients are allowed access to the network via station A, then one method of authenticating station A is MAC-based. Clients may be required to authenticate themselves using other methods depending on the network privileges required.

MAC-based authentication can also be used to authenticate Wi-Fi phones as an additional layer of security to prevent other devices from accessing the voice network using what is normally an insecure SSID.

This chapter describes the following topics:

Configuring MAC-Based Authentication

Before configuring MAC-based authentication, you must configure:

• The user role that will be assigned as the default role for the MAC-based authenticated clients. (See Chapter 10, “Roles and Policies” for information on firewall policies to configure roles).

You configure the default user role for MAC-based authentication in the AAA profile. If derivation rules exist or if the client configuration in the internal database has a role assignment, these values take precedence over the default user role.

• Authentication server group that thecontrolleruses to validate the clients. The internal database can be used to configure the clients for MAC-based authentication. See “Configuring Clients” for information on configuring the clients on the local database. For information on configuring authentication servers and server groups, see Chapter 8, “Authentication Servers”

Configuring the MAC Authentication Profile

Table 68 describes the parameters you can configure for MAC-based authentication.

Using the WebUI to configure a MAC authentication profile

1.Navigate to the Configuration >Security >Authentication > L2 Authentication page.

2.Select MAC Authentication Profile.

3.Enter a profile name and click Add.

Manual Mac Authorization App

4.Select the profile name to display configurable parameters.

5.Configure the parameters, as described in Table 68.

6.Click Apply.

Using the CLI to configure a MAC authentication profile

aaa authentication mac <profile>

case {lower|upper}

delimiter {colon|dash|none}

max-authentication-failures <number>

Configuring Clients

You can create entries in thecontroller’s internal database that can be used to authenticate client MAC addresses. The internal database contains a list of clients along with the password and default role for each client. To configure entries in the internal database for MAC authentication, you enter the MAC address for both the user name and password for each client.

Using the WebUI to configure clients in the internal database

1.Navigate to the Configuration >Security >Authentication >Servers > page.

2.Select Internal DB.

3.Click Add User in the Users section. The user configuration page displays.

4.For User Name and Password, enter the MAC address for the client. Use the format specified by the Delimiter parameter in the MAC Authentication profile. For example, if the MAC Authentication profile specifies the default delimiter (none), enter MAC addresses in the format xxxxxxxxxxxx.

Manual Mac Authorization Form

5.Click Enabled to activate this entry on creation.

6.Click Apply to apply the configuration.

Using the CLI to configure clients in the internal database

Enter the following command in enable mode:

local-userdb add username <macaddr> password <macaddr>...

Chapter 16

MAC-based Authentication

• CallingID/MAC authentication

CallingID/MAC authentication

To enable authentication based on clients CallingID or MAC address you must set service optionCalling ID login to yes and set service username to verbatim value found in CallingID/MAC field of authentication logs and service history.

Depending on service type, CallingID/MAC field may hold MAC address of WiFi device, IP address of PPPoE/VPNclient machine or some other value. You have to test it by making initial authentication attempt and checkingit in logs.

Manual Mac Authorization Software

Service is looked up and authenticated only based by CallingID/MAC field. Service password is ignored.

Manual Mac Authorization Download

Keep in mind that this kind of authentication doesn't provide security as many devices allow users to change its MAC address easily.