Enhanced certificate checking is performed on the client. Horizon View Client for Mac OS X also supports optional RADIUS and RSA SecurID authentication. (RADIUS support was added with VMware Horizon View 5.1 and Horizon View Client for Mac OS X 1.5 or later.). For example, if you connect a USB headset to the Mac client system during a remote. To connect to a virtual network over point-to-site (P2S), you need to configure the client device that you'll connect from. You can create P2S VPN connections from Windows, Mac OS X, and Linux client devices. When you're using RADIUS authentication, there are multiple authentication options. When a user database is stored on a RADIUS server the WLC forwards the MAC address of the client to the RADIUS server for client validation. Then, the RADIUS server validates the MAC address based on the database it has.
This chapter describes how to configure MAC-based authentication on the Arubacontrollerusing the WebUI.
Radius Authentication Mac Address
Use MAC-based authentication to authenticate devices based on their physical media access control (MAC) address. While not the most secure and scalable method, MAC-based authentication implicitly provides an addition layer of security authentication devices. MAC-based authentication is often used to authenticate and allow network access through certain devices while denying access to the rest. For example, if clients are allowed access to the network via station A, then one method of authenticating station A is MAC-based. Clients may be required to authenticate themselves using other methods depending on the network privileges required.
MAC-based authentication can also be used to authenticate Wi-Fi phones as an additional layer of security to prevent other devices from accessing the voice network using what is normally an insecure SSID.
This chapter describes the following topics:
Configuring MAC-Based Authentication
Before configuring MAC-based authentication, you must configure:
The user role that will be assigned as the default role for the MAC-based authenticated clients. (See Chapter 10, “Roles and Policies” for information on firewall policies to configure roles).
You configure the default user role for MAC-based authentication in the AAA profile. If derivation rules exist or if the client configuration in the internal database has a role assignment, these values take precedence over the default user role.
Authentication server group that thecontrolleruses to validate the clients. The internal database can be used to configure the clients for MAC-based authentication. See “Configuring Clients” for information on configuring the clients on the local database. For information on configuring authentication servers and server groups, see Chapter 8, “Authentication Servers”
Configuring the MAC Authentication Profile
Table 68 describes the parameters you can configure for MAC-based authentication.
Parameter | Description |
|---|---|
Delimiter | Delimiter used in the MAC string: lcolon specifies the format xx:xx:xx:xx:xx:xx ldash specifies the format xx-xx-xx-xx-xx-xx lnone specifies the format xxxxxxxxxxxx Default: none |
Case | The case (upper or lower) used in the MAC string. Default: lower |
Max Authentication failures | Number of times a station can fail to authenticate before it is blacklisted. A value of 0 disables blacklisting. Default: 0 |
Using the WebUI to configure a MAC authentication profile
1.Navigate to the Configuration >Security >Authentication > L2 Authentication page.
2.Select MAC Authentication Profile.
3.Enter a profile name and click Add.
4.Select the profile name to display configurable parameters.
5.Configure the parameters, as described in Table 68.
6.Click Apply.
Using the CLI to configure a MAC authentication profile
aaa authentication mac <profile>
case {lower|upper}
delimiter {colon|dash|none}
max-authentication-failures <number>
Configuring Clients
You can create entries in thecontroller’s internal database that can be used to authenticate client MAC addresses. The internal database contains a list of clients along with the password and default role for each client. To configure entries in the internal database for MAC authentication, you enter the MAC address for both the user name and password for each client.
You must enter the MAC address using the delimiter format configured in the MAC authentication profile. The default delimiter is none, which means that MAC addresses should be in the format xxxxxxxxxxxx. If you specify colons for the delimiter, you can enter MAC addresses in the format xx:xx:xx:xx:xx:xx. |
Using the WebUI to configure clients in the internal database
Testing Radius Server
1.Navigate to the Configuration >Security >Authentication >Servers > page.
2.Select Internal DB.
3.Click Add User in the Users section. The user configuration page displays.
4.For User Name and Password, enter the MAC address for the client. Use the format specified by the Delimiter parameter in the MAC Authentication profile. For example, if the MAC Authentication profile specifies the default delimiter (none), enter MAC addresses in the format xxxxxxxxxxxx.
5.Click Enabled to activate this entry on creation.
Radius Authentication Mac Os X
6.Click Apply to apply the configuration.
The configuration does not take effect until you perform this step. |
Using the CLI to configure clients in the internal database
Enter the following command in enable mode:
local-userdb add username <macaddr> password <macaddr>...
Chapter 16
MAC-based Authentication
Radius Test Client For Mac
i am working on a project to deploy mac-based authentication via radius server.
the network is a 'WIRED' LAN,Although the Users will connect to the cisco router via point-to-point wireless connection.
the users,radius server and LAN interface of the router will all be connected to a switch (i hope the network layout is clear).The other interface of the router ultimately connects to the internet.
i believe i have successfully installed and configured the radius server (using the radtest utility to check)
my major pain is how to configure the NAS. The NAS is a cisco router.How do i configure the NAS to forward mac addresses to the radius server without asking for username/password?
i saw this configuration somewhere:
aaa new-model
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting exec default start-stop group radius
aaa accounting network default wait-start group radius
aaa accounting connection default start-stop group radius
in the above, i believe i have to make changes to the above configuration so that the NAS will forward mac addresses to radius server without prompting the user for anything (i.e username/password), but i dont know what and howto.
pls help,anyone.
PS: the radius server uses mysql as its backend.i also know that the mac-addresses of the users is stored as the username/password in the radcheck table.
thanks.