Ever wondered why you can’t use MAC authentication and get the correct username for monitoring purposes, for example? Actually, with ClearPass you can use MAC authentication with a username. You can return the correct username, not the MAC address so that monitoring applications can use this username instead of the MAC address.
Configure the Controller for MAC Authentication
I use an Aruba WLAN controller for this setup. The controller is running AOS 220.127.116.11 and is configured with a PSK-based SSID. For this scenario, I enable MAC authentication on the controller for this SSID and I use the guest database from ClearPass to authenticate the clients.
The SSID is already there and I assume you know how to create an SSID with an Aruba controller. If you have questions on creating an SSID, leave me a comment and I can help you out. To enable MAC authentication for an SSID go to “Managed Network–>Configuration–>WLANs” and select the SSID you like to change and go to the “Security” tab:
Enable MAC authentication and press the submit button. Do not forget to submit pending changes to synchronize the changes to all controller in the group.
Afterward, create the authentication profile for the SSID. Go to “Managed Network–>Configuration–>Authentication” and select the “AAA Profiles” tab. I have already a profile for my SSID. To create a new one click the “+” sign. You get the same screen as below, but with the option to change the name for the profile:
The important part is to enable “Radius interim Accounting” to get the accounting information during the session and not only at the end. Also, define the “Initial Role” and “MAC Authentication Default Role”. Even, if we override those rules from ClearPass it makes sense to use some roles with limited access rights. The initial role is used for clients which get a reject from the radius server. I will use this role, later on, to redirect unknown clients to the guest portal. Save the changes. Now select “MAC Authentication” below the profile you have created:
The important options are the “Delimiter” and the “Case”, which have to match the configuration on ClearPass and your endpoint database. For ClearPass and the guest device database, you can use the settings from the picture above.
Next is the “MAC Authentication Server Group”. Just below the entry of “MAC Authentication”. Select the “Server Group” with ClearPass. This has to be created first and I assume you know how to create an “Auth Servers” “Server Group”.
Last, but not least, do the same for “Radius Accounting Server Group”, if you need accounting.
The controller is ready to go and the next part is ClearPass.
MAC Authentication with Username using ClearPass
I use the internal guest device database from ClearPass to authenticate the clients. For the username, I use the “Device Name” field. You can use any database you like and of course use different fields for the username.
The first step is to create two profiles. The first one returns username:
This is an “Aruba Radius Enforcement Profile”. The profile returns the “Device Name” from the guest device database as the radius username. To get this information use the “GuestUser:Visitor Name” variable. And this is the trick to get visibility within MAC authentication.
The second profile overrides the role for MAC authentication:
This profile assigns the “flolan-psk” role to all users.
To bring the profiles together create a new “Enforcement Policy”:
This policy allows any client from the guest device database with the roleID of “3” and applies the two create profiles. The roleID 3 is the default “Employee” role.
To finally bring everything together, create a “Service” for the authentication:
Use the MAC authentication template for the service and define the “Service Rules” to your needs. The one above are for a wireless connection using the SSID “FloLan”. The “Authentication Source” is the “Guest Device Repository” and the method is “MAC_AUTH”. For the enforcement part, use the created policy.
The Benefit in using the guest device database, it is not consuming any licenses.
To get interim accounting information you need to enable this function on ClearPass. Go to “Administration–>Server Manager–>Server Configuration” and select your ClearPass server. Switch to the tab “Service Parameters” and select the “Radius server” as service type:
Set the red marked option to “True” and ClearPass logs interim accounting packets as well.
Now, check the monitoring part:
The screenshot above is from a successful authentication. You can see, that the username is not the MAC address.
Finally, also check AirWave:
This could make life much easier during troubleshooting. What are your experiences with MAC auth and troubleshooting? Leave a comment below and let us discuss the topic above.