Owners manual
MAC authentication
MAC authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication
requires that the MAC address of a machine match a manually defined list of addresses. This authentication
method is not recommended for scalable networks or for networks that require stringent security settings. For
more information on configuring an IAP to use MAC authentication, see Configuring MAC Authentication for a
Network Profile on page 166.
MAC authentication with 802.1X authentication
This authentication method has the following features:
• MAC authentication precedes 802.1X authentication - Administrators can enable MAC authentication for
802.1X authentication. MAC authentication shares all the authentication server configurations with 802.1X
authentication. If a wireless or wired client connects to the network, MAC authentication is performed first. If
MAC authentication fails, 802.1X authentication does not trigger. If MAC authentication is successful, 802.1X
authentication is attempted. If 802.1X authentication is successful, the client is assigned an 802.1X
authentication role. If 802.1X authentication fails, the client is assigned a deny-all role or mac-auth-only role.
• MAC authentication only role - Allows you to create a mac-auth-only role to allow role-based access rules when
MAC authentication is enabled for 802.1X authentication. The mac-auth-only role is assigned to a client when
MAC authentication is successful and 802.1X authentication fails. If 802.1X authentication is successful, the
mac-auth-only role is overwritten by the final role. The mac-auth-only role is primarily used for wired clients.
• L2 authentication fall-through - Allows you to enable the l2-authentication-fallthrough mode. When this option
is enabled, 802.1X authentication is allowed even if MAC authentication fails. If this option is disabled,
802.1X authentication is not allowed after a MAC authentication failure. The l2-authentication-fallthrough mode
is disabled by default.
For more information on configuring an IAP to use MAC + 802.1X Authentication, see Configuring MAC
Authentication with 802.1X Authentication on page 168.
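The role outcomes described above, written out as a decision table. This is an added example, not code from the Aruba guide or from Instant itself. The function names are hypothetical, and two points the text leaves open are assumptions: the client gets deny-all when 802.1X never runs, and mac-auth-only is chosen over deny-all only when that role has been created.

```python
from itertools import product

DENY_ALL = "deny-all"
MAC_AUTH_ONLY = "mac-auth-only"
DOT1X_ROLE = "802.1X role"


def assigned_role(mac_ok, dot1x_ok, fallthrough=False, mac_only_role=False):
    """Return (role, dot1x_attempted) for one client connection.

    mac_ok / dot1x_ok : result each method would give for this client
    fallthrough       : l2-authentication-fallthrough (disabled by default)
    mac_only_role     : a mac-auth-only role has been created (assumption:
                        this is what selects it instead of deny-all)
    """
    if not mac_ok and not fallthrough:
        # MAC authentication failed, so 802.1X does not trigger.
        return DENY_ALL, False  # assumption: no access role is granted
    if dot1x_ok:
        # The final 802.1X role overwrites any mac-auth-only role.
        return DOT1X_ROLE, True
    if mac_ok and mac_only_role:
        # MAC succeeded and 802.1X failed.
        return MAC_AUTH_ONLY, True
    return DENY_ALL, True


def decision_table():
    """Enumerate all 16 combinations of the four inputs."""
    rows = []
    for mac_ok, dot1x_ok, ft, mor in product([True, False], repeat=4):
        role, tried = assigned_role(mac_ok, dot1x_ok, ft, mor)
        rows.append((mac_ok, dot1x_ok, ft, mor, role, tried))
    return rows


def mac_only_exposure():
    """Rows where 802.1X failed but the client still holds a role other
    than deny-all, so the MAC address alone decided its access."""
    return [r for r in decision_table() if not r[1] and r[4] != DENY_ALL]


if __name__ == "__main__":
    print("mac_ok dot1x_ok fallthrough mac_only_role -> role (802.1X tried)")
    for mac_ok, dot1x_ok, ft, mor, role, tried in decision_table():
        print(f"{mac_ok!s:6} {dot1x_ok!s:8} {ft!s:11} {mor!s:13} -> {role} ({tried})")
```

The rows returned by `mac_only_exposure()` are the ones to review when writing access rules for the mac-auth-only role, since in those cases the MAC address is the only credential that passed.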
Captive Portal Authentication
Captive portal authentication is used for authenticating guest users. For more information on Captive Portal
authentication, see Captive Portal for Guest Access on page 121.
MAC authentication with Captive Portal authentication
This authentication method has the following features:
• If the captive portal splash page type is Internal-Authenticated or External-RADIUS Server, MAC
authentication reuses the server configurations.
• If the captive portal splash page type is Internal-Acknowledged or External-Authentication Text and MAC
authentication is enabled, a server configuration page is displayed.
• If the captive portal splash page type is none, MAC authentication is disabled.
• You can configure the mac-auth-only role when MAC authentication is enabled with captive portal
authentication.
For more information on configuring an IAP to use MAC and Captive Portal authentication, see Configuring MAC
Authentication with Captive Portal Authentication on page 170.
802.1X authentication with Captive Portal Role
This authentication mechanism allows you to configure different captive portal settings for clients on the same
SSID. For example, you can configure an 802.1X SSID and create a role for captive portal access, so that some of
the clients using the SSID derive the captive portal role. You can configure rules to indicate access to an external or
internal captive portal, or none. For more information on configuring captive portal roles for an SSID with 802.1X
authentication, see Configuring Captive Portal Roles for an SSID on page 136.
Aruba Instant 6.4.0.2-4.1 | User Guide Authentication and User Management | 149










