MAC Authentication with Username using ClearPass


Ever wondered why you can’t use MAC authentication and still get the correct username, for monitoring purposes for example? Actually, with ClearPass you can use MAC authentication with a username. You can return the correct username instead of the MAC address, so that monitoring applications show this username rather than the MAC address.

Configure the Controller for MAC Authentication

I use an Aruba WLAN controller for this setup. The controller is running AOS 8.0.1.0 and is configured with a PSK-based SSID. For this scenario, I enable MAC authentication on the controller for this SSID and I use the guest database from ClearPass to authenticate the clients.

The SSID is already there and I assume you know how to create an SSID with an Aruba controller. If you have questions on creating an SSID, leave me a comment and I can help you out. To enable MAC authentication for an SSID go to “Managed Network–>Configuration–>WLANs” and select the SSID you like to change and go to the “Security” tab:

Mac Authentication with Username - Enable Mac Authentication For SSID

Enable MAC authentication and press the submit button. Do not forget to submit the pending changes to synchronize them to all controllers in the group.

Afterward, create the authentication profile for the SSID. Go to “Managed Network–>Configuration–>Authentication” and select the “AAA Profiles” tab. I already have a profile for my SSID. To create a new one, click the “+” sign. You get the same screen as below, but with the option to change the name of the profile:

Mac Authentication with Username - Create Authentication Profile

The important part is to enable “Radius interim Accounting” to get accounting information during the session and not only at its end. Also, define the “Initial Role” and the “MAC Authentication Default Role”. Even if ClearPass later overrides those roles, it makes sense to use roles with limited access rights here. The initial role is assigned to clients that get a reject from the RADIUS server. I will use this role later on to redirect unknown clients to the guest portal. Save the changes. Now select “MAC Authentication” below the profile you have created:

Mac Authentication with Username - Create MAC Authentication Profile

The important options are the “Delimiter” and the “Case”. Both have to match the configuration on ClearPass and the format of the MAC addresses in your endpoint database; otherwise the lookup fails even though the device is known. For ClearPass and the guest device database, you can use the settings from the picture above.

Next is the “MAC Authentication Server Group”, just below the “MAC Authentication” entry. Select the server group that contains ClearPass. This has to be created first, and I assume you know how to create a server group under “Auth Servers”.

Last, but not least, do the same for “Radius Accounting Server Group”, if you need accounting.

The controller is ready to go and the next part is ClearPass.

MAC Authentication with Username using ClearPass

I use the internal guest device database from ClearPass to authenticate the clients. For the username, I use the “Device Name” field. You can use any database you like and of course use different fields for the username.

The first step is to create two enforcement profiles. The first one returns the username:

Mac Authentication with Username - Create Profile for Username

This is an “Aruba Radius Enforcement Profile”. The profile returns the “Device Name” from the guest device database as the RADIUS username. To get this information, use the “GuestUser:Visitor Name” variable. This is the trick that gives you visibility with MAC authentication.

The second profile overrides the role for MAC authentication:

Mac Authentication with Username - Create Profile for Role

This profile assigns the “flolan-psk” role to all users.

To bring the profiles together create a new “Enforcement Policy”:

Mac Authentication with Username – Create Enforcement Policy

This policy allows any client from the guest device database with a roleID of “3” and applies the two profiles created above. The roleID 3 is the default “Employee” role.

To finally bring everything together, create a “Service” for the authentication:

Mac Authentication with Username - Create Service

Use the MAC authentication template for the service and define the “Service Rules” to your needs. The ones above are for a wireless connection using the SSID “FloLan”. The “Authentication Source” is the “Guest Device Repository” and the method is “MAC_AUTH”. For the enforcement part, use the policy created above.
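To make the two pieces above concrete, here is an added example (my own illustration, not code from ClearPass or the Aruba controller) that models the flow end to end: the controller builds the RADIUS User-Name from its Delimiter and Case settings, and the ClearPass side looks the device up in a constructed guest device repository, applies the roleID-3 policy, and returns the Device Name plus the “flolan-psk” role. The repository contents, the exact-match lookup and the reason strings are assumptions for the example; the lookup deliberately fails on a delimiter or case mismatch so you can see why the controller settings must match the database format.

```python
import re

# Constructed guest device repository, keyed by MAC in the stored format
# (assumed here: lower case, colon delimiter). Values: (Device Name, roleID).
GUEST_DEVICES = {
    "aa:bb:cc:dd:ee:01": ("florians-laptop", 3),  # roleID 3 = default Employee role
    "aa:bb:cc:dd:ee:02": ("visitor-tablet", 2),   # other role; policy does not match it
}
EMPLOYEE_ROLE_ID = 3
MAC_AUTH_ROLE = "flolan-psk"   # role returned by the second enforcement profile

def canonical_mac(value):
    """Strip delimiters and case; return lower-case colon form, or None if not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def controller_username(mac, delimiter, upper):
    """User-Name the controller sends, built from its Delimiter and Case settings."""
    digits = canonical_mac(mac).replace(":", "")
    digits = digits.upper() if upper else digits
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2)) if delimiter else digits

def enforce(user_name):
    """ClearPass side: exact-format repository lookup plus the enforcement policy."""
    entry = GUEST_DEVICES.get(user_name)
    if entry is None:
        # Distinguish 'unknown device' from 'format mismatch' when troubleshooting rejects.
        known = canonical_mac(user_name) in GUEST_DEVICES
        return {"result": "REJECT", "reason": "format-mismatch" if known else "unknown-device"}
    device_name, role_id = entry
    if role_id != EMPLOYEE_ROLE_ID:
        return {"result": "REJECT", "reason": "roleID != 3"}
    # Profile 1: User-Name = Device Name (GuestUser:Visitor Name); profile 2: the role.
    return {"result": "ACCEPT", "User-Name": device_name, "Aruba-User-Role": MAC_AUTH_ROLE}

if __name__ == "__main__":
    for delim, upper in ((":", False), ("-", True)):
        name = controller_username("AA-BB-CC-DD-EE-01", delim, upper)
        print(name, "->", enforce(name))
```

A reject with reason “format-mismatch” is the case the Delimiter and Case settings are there to prevent; a monitoring tool then sees the Device Name only for the ACCEPT case.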

The benefit of using the guest device database is that it does not consume any licenses.

To get interim accounting information you need to enable this function on ClearPass. Go to “Administration–>Server Manager–>Server Configuration” and select your ClearPass server. Switch to the tab “Service Parameters” and select the “Radius server” as service type:

Mac Authentication with Username - Configure ClearPass for Interim Accounting

Set the option marked in red to “True” and ClearPass logs interim accounting packets as well.

Now, check the monitoring part:

Mac Authentication with Username - Monitor Mac Auth

The screenshot above is from a successful authentication. You can see that the username is not the MAC address.

Finally, also check AirWave:

Mac Authentication with Username - AirWave Clients

This could make life much easier during troubleshooting. What are your experiences with MAC auth and troubleshooting? Leave a comment below and let us discuss the topic above.

8 thoughts on “MAC Authentication with Username using ClearPass”

  1. Hi, can you help me with how to bind users in the internal database to a specific MAC address, so that a username and password cannot be used on another computer with a different MAC address?

    • Hi benji,

      What exactly are you trying?

      My understanding is that you have different users working with different devices, and a user should only be allowed to log in using a specific device, defined through the MAC address. Correct?
      How do you authenticate the devices?

    • Hi attaporn,

      I haven’t used any role mapping in my example. But you can use whatever role mapping you would like to use. ClearPass will give you full flexibility.

      BR
      Florian

    • Hi Brett,

      Thanks for the feedback. Really appreciated. Actually, after a long time with my real life (2 young kids (babies), a new home, and lots of work during my regular working hours), I managed to get regular time for blogging again. So you will see new posts during the next weeks 🙂

      BR
      Florian

  2. Hi Florian!

    Your information helped me a lot.

    Let me ask you one more question,
    How many MACs can be registered on the controller when using MAC authentication without ClearPass on the 7240 controller?

    • Hi Choi,

      Thanks for the feedback.

      For the 7240 it is 32k, but I would not recommend doing this, as the options to manage those are extremely limited and having that many MACs in the internal DB could be a management nightmare.

      BR
      Florian
