Update The Password Authentication Method For Mac

This chapter describes how to configure MAC-based authentication on the Arubacontrollerusing the WebUI.

Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. While not the most secure and scalable method, MAC-based authentication implicitly provides an addition layer of security authentication devices. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to the rest. For example, if clients are allowed access to the network via station A, then one method of authenticating station A is MAC-based. Clients may be required to authenticate themselves using other methods depending on the network privileges required.

The system authentication scheme (labelled Windows password, Mac password or UNIX password) is typically both secure and convenient.System administrators commonly force the adoption of complex user names and passwords in enterprise environments, and users can authenticate using already-familiar credentials, and don’t have to remember yet another password.

MAC-based authentication can also be used to authenticate Wi-Fi phones as an additional layer of security to prevent other devices from accessing the voice network using what is normally an insecure SSID.

This chapter describes the following topics:

Configuring MAC-Based Authentication

Before configuring MAC-based authentication, you must configure:

  • Facerig 2d models. The user role that will be assigned as the default role for the MAC-based authenticated clients. (See Chapter 10, “Roles and Policies” for information on firewall policies to configure roles).

You configure the default user role for MAC-based authentication in the AAA profile. If derivation rules exist or if the client configuration in the internal database has a role assignment, these values take precedence over the default user role.

  • Authentication server group that thecontrolleruses to validate the clients. The internal database can be used to configure the clients for MAC-based authentication. See “Configuring Clients” for information on configuring the clients on the local database. For information on configuring authentication servers and server groups, see Chapter 8, “Authentication Servers”

Configuring the MAC Authentication Profile

Table 68 describes the parameters you can configure for MAC-based authentication.

Table 68 MAC Authentication Profile Configuration Parameters (Continued)

Parameter

Description

Delimiter

Delimiter used in the MAC string:

lcolon specifies the format xx:xx:xx:xx:xx:xx

ldash specifies the format xx-xx-xx-xx-xx-xx

lnone specifies the format xxxxxxxxxxxx

Red alert 3 uprising download mac

Default: none

Case

The case (upper or lower) used in the MAC string.

Default: lower

Max Authentication failures

Number of times a station can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting.

Default: 0

Using the WebUI to configure a MAC authentication profile

1.Navigate to the Configuration >Security >Authentication > L2 Authentication page.

2.Select MAC Authentication Profile.

3.Enter a profile name and click Add.

4.Select the profile name to display configurable parameters.

5.Configure the parameters, as described in Table 68.

6.Click Apply.

Using the CLI to configure a MAC authentication profile

aaa authentication mac <profile>

case {lower upper}

delimiter {colon dash none}

max-authentication-failures <number>

Configuring Clients

You can create entries in thecontroller’s internal database that can be used to authenticate client MAC addresses. The internal database contains a list of clients along with the password and default role for each client. To configure entries in the internal database for MAC authentication, you enter the MAC address for both the user name and password for each client.

You must enter the MAC address using the delimiter format configured in the MAC authentication profile. The default delimiter is none, which means that MAC addresses should be in the format xxxxxxxxxxxx. If you specify colons for the delimiter, you can enter MAC addresses in the format xx:xx:xx:xx:xx:xx.

Using the WebUI to configure clients in the internal database

1.Navigate to the Configuration >Security >Authentication >Servers > page.

2.Select Internal DB.

3.Click Add User in the Users section. The user configuration page displays.

4.For User Name and Password, enter the MAC address for the client. Use the format specified by the Delimiter parameter in the MAC Authentication profile. For example, if the MAC Authentication profile specifies the default delimiter (none), enter MAC addresses in the format xxxxxxxxxxxx.

5.Click Enabled to activate this entry on creation.

6.Click Apply to apply the configuration.

The configuration does not take effect until you perform this step.

Using the CLI to configure clients in the internal database

Enter the following command in enable mode:

local-userdb add username <macaddr> password <macaddr>..

Chapter 16

MAC-based Authentication