How to integrate MAC-based RADIUS Authentication with Aruba IAP

Introduction

This guide demonstrates how devices are authenticated based on their physical Media Access Control (MAC) addresses. Once the source MAC address is identified, the switch generates an Access-Request message, with the user/machine's MAC address as the identity, and sends it to the RADIUS server. The RADIUS server performs MAC authentication after receiving the Access-Request message.

The RADIUS authentication server determines whether to grant access to the user/device and specifies the level of access the client should receive. After making this decision, the RADIUS server sends an Access-Accept message, allowing the user/machine to access the network.

If you are interested in setting up EAP-TLS Authentication, you can find the relevant instructions and resources at the following link: Integrating EAP-TLS Authentication with Aruba Access Points

Follow the steps below to create a VLAN in Aruba IAP and then configure Aruba IAP with SecureW2.

Creating an Identity Provider in SecureW2

Follow the steps below to create an Identity Provider in the JoinNow Management Portal and configure it for MAC Authentication:

  1. Log in to the JoinNow MultiOS Management Portal.
  2. Navigate to Identity Management > Identity Providers.
  3. Click Add Identity Provider.
  4. In the Name field, enter a name for your IdP.
  5. In the Description field, enter a suitable description for your IdP.
  6. From the Type drop-down, select MAC Authentication.
  7. Click Save.
  8. The page refreshes and displays the Configuration and Groups tabs.
  9. Select the Groups tab.
  10. Click Add group.
  11. On the displayed pop-up window, in the Name field, enter a name for your group.
  12. In the Description field, enter a suitable description for your group.
  13. Click Save.
  14. Select the Configuration tab.
  15. Click Add Device.
  16. On the displayed pop-up window, in the MAC Address field, enter the MAC address of the device that you want to authenticate.
  17. From the Group Name drop-down list, select the group name you created earlier.
  18. In the Description field, enter a suitable description for your device.
  19. Click Save.
  20. Click Update.

Set up Role policy and Network policy

JoinNow Management offers policy-based management to facilitate VLAN-based segmentation. The policies to be configured are a Role policy and a Network policy, covered in the two sections below.

Creating a Role Policy

A Role policy grants a user access to defined resources. To add a Role policy, perform the following steps:

  1. Log in to the JoinNow MultiOS Management Portal.
  2. Navigate to Policy Management > Roles Policies.
  3. Click Add Role.
  4. In the Name field, enter a name for your role policy.
  5. In the Display Description field, enter a suitable description for your role policy.
  6. Click Save.
  7. The page refreshes and the Conditions tab is displayed.
  8. Select the Conditions tab.
  9. In the Conditions section, from the Identity Provider drop-down list, select the IdP you created with the MAC Authentication type.
  10. In the Attribute/Groups section, in the Attribute field, retain ANY.
  11. In the Groups field, select the group you created earlier (refer to the Creating an Identity Provider in SecureW2 section).
  12. Click Update.

Network Policy

The purpose of a network policy is to specify how Cloud RADIUS will authorize access to a particular user role. To create and configure the Network policy, perform the following steps:

  1. Navigate to Policy Management > Network Policies.
  2. Click Add Network Policy.
  3. In the Name field, enter a name for your network policy.
  4. In the Display Description field, enter a suitable description for your network policy.
  5. Click Save.
  6. The page refreshes and displays the Conditions and Settings tabs.
  7. Select the Conditions tab.
  8. In the Conditions section, select Match All or Match Any based on your requirement to set authentication criteria.
  9. In the case explained here, we are selecting Match All.
  10. Click Add rule.
  11. Expand Identity and select the Role option.
  12. Click Save.
  13. The Role option appears under the Conditions tab.
  14. From the Role Equals drop-down list, select the role policy you created earlier (refer to the Creating a Role Policy section).
  15. Select the Settings tab.
  16. Click Add Attribute.
  17. From the Dictionary drop-down list, select an option: Radius:IETF or Custom.
  18. From the Attribute drop-down, select Filter-Id.

    NOTE: Filter-Id is created on your access point to form a VLAN range.

  19. In the Value field, enter the VLAN filter-ID you wish to connect to.
  20. Click Save.
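
The exchange described in the Introduction, together with the Filter-Id return attribute configured in the Network Policy steps above, shown at the packet level as an added example (not SecureW2's or Aruba's code). It follows the RFC 2865 packet layout; the function names, the MAC text format, the use of Calling-Station-Id, the shared secret and the Filter-Id value are assumptions constructed for illustration.

```python
import hashlib, hmac, struct

# Codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, FILTER_ID, CALLING_STATION_ID = 1, 11, 31

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value (Length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_mac_access_request(mac, ident, request_auth):
    """NAS side: Access-Request whose identity (User-Name) is the client MAC."""
    # Assumption: the MAC is also sent as Calling-Station-Id, in the same text format.
    attrs = attr(USER_NAME, mac.encode()) + attr(CALLING_STATION_ID, mac.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def build_access_accept(ident, request_auth, secret, filter_id):
    """Server side: Access-Accept that returns Filter-Id to the NAS."""
    attrs = attr(FILTER_ID, filter_id.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def parse_attributes(packet):
    """Walk the TLV list after the 20-byte header; reject truncated attributes."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def filter_id_from_accept(reply, request, secret):
    """NAS side: authenticate the reply, then return its Filter-Id (None if absent)."""
    if len(reply) < 20 or reply[1] != request[1] or int.from_bytes(reply[2:4], "big") != len(reply):
        raise ValueError("reply does not match request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    value = parse_attributes(reply).get(FILTER_ID) if reply[0] == ACCESS_ACCEPT else None
    return value.decode() if value is not None else None

# Constructed sample values; a real NAS uses a random 16-byte Request Authenticator.
MAC, SECRET, REQ_AUTH = "02:00:5e:10:00:01", b"constructed-secret", bytes(range(16))
request = build_mac_access_request(MAC, 7, REQ_AUTH)
accept = build_access_accept(7, REQ_AUTH, SECRET, "iot-vlan")
print(filter_id_from_accept(accept, request, SECRET))
```
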

Aruba IAP Configuration for VLAN

This section describes the steps to create a VLAN in Aruba IAP and then configure Aruba IAP with SecureW2.

Configuring Aruba IAP for MAC Authentication

This section describes the steps to configure a MAC authentication profile in Aruba IAP.

  1. On the left pane, navigate to Configuration > Authentication > L2 Authentication.
  2. Click MAC Authentication.
  3. In the MAC Authentication Profile: New Profile section, click + to create a MAC profile.
  4. In the Profile name field, enter a name for the profile.
  5. Click Submit.
  6. Select the AAA Profiles tab.
  7. Expand AAA and in the AAA Profile: New Profile section, click + to create a new profile.
  8. In the Profile name field, enter a name for the profile.
  9. Click Submit.

Configuring the RADIUS server with Aruba IAP

  1. Log in to the JoinNow MultiOS Management Portal.
  2. Navigate to RADIUS > RADIUS Configuration.
  3. Copy the Primary IP address on your console.

To configure Aruba IAP and the RADIUS server, follow the given steps.

  1. In the Aruba portal, on the left pane, navigate to Configuration > Authentication.
  2. Select the Auth Servers tab and click +.
  3. On the displayed page, in the Name field, enter a name.
  4. Click Submit.
  5. In the Server Groups section, click the group you just created.
  6. Below the Server Group section, click the + sign to add server details.
  7. On the displayed page, select the Add new server option.
  8. In the Name field, enter a name for your server.
  9. In the IP address / hostname field, enter the RADIUS IP address that you obtained from the JoinNow MultiOS Management Portal.
  10. From the Type drop-down list, select RADIUS.
  11. Click Submit.
  12. Navigate back to the AAA Profiles tab.
  13. Click the AAA profile you created earlier (refer to the Configuring Aruba IAP for MAC Authentication section).
  14. Under the selected AAA Profile, click MAC Authentication Server Group.
  15. From the Server Group drop-down list, select the server group you created.
  16. Click Submit.
  17. Navigate to Configuration > WLANs.
  18. In the WLANs section, click +.
  19. On the General tab:
    1. In the Name (ssid) field, enter a name for the SSID.
    2. For Primary usage, select the Employee option.
    3. From the Select AP Groups drop-down list, select an option. According to the option, the Broadcast on field is displayed. Select the default option.
    4. From the Forwarding Mode drop-down list, select an option.
  20. Click Next.
  21. On the VLANs tab, select your VLAN ID.
  22. Click Next.
  23. On the Security tab:
    1. Move the dial to Open.
    2. From the MAC authentication drop-down list, select Enabled.
    3. Click Next.
  24. In the Access section, select the required roles.
  25. Click Finish.
  26. Click the WLAN you created.
  27. Click Profiles.
  28. Navigate as shown below.
  29. An AAA Profile opens on the right side. From the AAA Profile drop-down list, select the AAA profile you created earlier (refer to the Configuring Aruba IAP for MAC Authentication section).
  30. Click Submit.