ArubaOS-Switch MAC Auth Configuration

- aruba networking security

Sometimes a device can't do 802.1X but you still want to authenticate it to the switch. This is where MAC-Auth comes in. It is not as robust or secure as 802.1X: the only credential is the client's MAC address, which anyone who can see it on the wire can spoof, so treat it as device identification rather than authentication and put MAC-authenticated ports on a restricted VLAN where you can. ArubaOS-Switch can do both RADIUS-based and local MAC-Auth.

RADIUS-based MAC-Auth

switch(config)# aaa authentication mac-based peap-mschapv2 ## AOS-Switch also supports chap-radius
switch(config)# radius-server host <radius-server-ip> key <my super secret shared radius secret>
switch(config)# radius-server host <radius-server-ip> dyn-authorization ## accept CoA / disconnect from the server
// Enable on a per-port basis
switch(config)# aaa port-access mac-based a2,a4

The switch sends the MAC address as both the username and the password, in the notation selected with aaa port-access mac-based addr-format, so the RADIUS server needs one entry per device spelled exactly that way.

Local MAC-Auth (LMA)

Local MAC-Auth uses a database of MACs held on the switch itself. This is cumbersome and hard to keep consistent across more than a few switches, but it is supported and needs no RADIUS server.

switch(config)# aaa port-access local-mac a3,b5
// create a group and add some MACs (12 hex digits each; the switch displays them as xxxxxx-xxxxxx)
switch(config)# aaa port-access local-mac mac-group GROUP-mac-phones
switch(Mac-Group-GROUP-mac-phones)# mac-addr beefbeefbeef deaddeaddead
// or an OUI (the first 24 bits), useful for phones and other single-vendor devices.
// Note that an OUI match admits anything claiming that vendor prefix, which widens the spoofing surface.
switch(Mac-Group-GROUP-mac-phones)# mac-oui beefbe
// now create a profile. A MAC has to map to a profile to pass LMA, so this step is not optional.
switch(config)# aaa port-access local-mac profile-name PROFILE-phones
switch(pProfile-PROFILE-phones)# vlan tagged 10
switch(pProfile-PROFILE-phones)# vlan untagged 20
switch(pProfile-PROFILE-phones)# cos 3
// finally, bind the group to the profile
switch(config)# aaa port-access local-mac apply-profile PROFILE-phones mac-group GROUP-mac-phones

N.B. by default a port authenticates only one MAC address and drops traffic from any others, so a PC daisy-chained behind a phone (or a small unmanaged switch) will fail. Each additional device still has to authenticate on its own. To raise the limit:

switch(config)# aaa port-access mac-based a5,c7 addr-limit 20 ## up to 256
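As an added example covering both the RADIUS and the local sections (this is not code from the page or from HPE/Aruba), a small Python generator that normalises MACs from an inventory, renders them in the spelling the switch will send to RADIUS, emits FreeRADIUS users-file entries, and emits the local-mac group commands. The addr-format keyword names and the no-delimiter default are assumptions to be checked against `aaa port-access mac-based addr-format ?` on your switch; the sample inventory is constructed. The 48-bit length check is there because an 11-digit entry such as `deadeaddead` otherwise just never matches anything.

```python
"""Generate ArubaOS-Switch MAC-auth config and FreeRADIUS entries from a MAC inventory.

Added example; not code from the page or from HPE/Aruba. Assumptions are
flagged inline. Run it directly to print the generated snippets.
"""
import re

# Notations the switch can be told to use for the RADIUS username/password with
# `aaa port-access mac-based addr-format <keyword>`. Keyword names are assumed;
# verify with `aaa port-access mac-based addr-format ?` on the switch.
ADDR_FORMATS = {
    "no-delimiter": lambda d: d,
    "single-dash":  lambda d: f"{d[:6]}-{d[6:]}",
    "multi-dash":   lambda d: "-".join(d[i:i + 2] for i in range(0, 12, 2)),
    "multi-colon":  lambda d: ":".join(d[i:i + 2] for i in range(0, 12, 2)),
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_HEX6 = re.compile(r"^[0-9a-f]{6}$")


def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabbcc-ddeeff, aabb.ccdd.eeff
    and aabbccddeeff. Anything that is not exactly 48 bits is rejected, which
    catches inventory typos before they become a switch entry that never matches.
    """
    digits = re.sub(r"[:\-.\s]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def normalize_oui(oui):
    """Return an OUI (first 24 bits) as 6 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:\-.\s]", "", oui.strip().lower())
    if not _HEX6.match(digits):
        raise ValueError(f"not a 24-bit OUI: {oui!r}")
    return digits


def radius_username(mac, addr_format="no-delimiter"):
    """Render the MAC the way the switch presents it to RADIUS.

    The switch sends the MAC as both User-Name and password, so the server-side
    entry must use exactly this spelling (assumed default: no-delimiter).
    """
    return ADDR_FORMATS[addr_format](normalize_mac(mac))


def freeradius_users_entry(mac, vlan=None, addr_format="no-delimiter"):
    """Build a FreeRADIUS `users`-file entry for one MAC-authenticated device.

    Cleartext-Password serves both chap-radius and peap-mschapv2 on the server.
    The Tunnel-* reply attributes are standard RFC 3580 dynamic-VLAN assignment;
    leave `vlan` as None to keep the client on the port's configured VLAN.
    """
    name = radius_username(mac, addr_format)
    lines = [f'{name}\tCleartext-Password := "{name}"']
    if vlan is not None:
        lines += ["\tTunnel-Type = VLAN,",
                  "\tTunnel-Medium-Type = IEEE-802,",
                  f'\tTunnel-Private-Group-Id = "{vlan}"']
    return "\n".join(lines)


def local_mac_group_config(group, macs=(), ouis=()):
    """Emit the `aaa port-access local-mac mac-group` commands for one group.

    One mac-addr per line, in the switch's own xxxxxx-xxxxxx notation, plus the
    6-digit OUI form. Returns the command lines as a list.
    """
    cmds = [f"aaa port-access local-mac mac-group {group}"]
    for mac in macs:
        d = normalize_mac(mac)
        cmds.append(f"   mac-addr {d[:6]}-{d[6:]}")
    for oui in ouis:
        cmds.append(f"   mac-oui {normalize_oui(oui)}")
    cmds.append("   exit")
    return cmds


if __name__ == "__main__":
    # Constructed sample inventory; these are not real devices.
    phones = ["BE:EF:BE:EF:BE:EF", "dead.dead.dead"]
    print("\n".join(local_mac_group_config("GROUP-mac-phones", phones, ouis=["beefbe"])))
    print()
    for m in phones:
        print(freeradius_users_entry(m, vlan=20))
        print()
    try:
        normalize_mac("deadeaddead")  # 11 digits: the kind of typo this check exists for
    except ValueError as err:
        print("rejected:", err)
```

Paste the generated mac-group lines into the switch's config context, and append the users entries to the FreeRADIUS users file on the server the switch points at. If you change addr-format on the switch, regenerate with the matching keyword; a mismatch fails every MAC silently at the RADIUS lookup.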