Agree with Francisco. Internal DB is for small installations. It works very well in a small setup.
Original Message:
Sent: Apr 16, 2026 01:35 PM
From: Francisco Pinto
Subject: How to whitelist the devices and block all of the remaining device.
That's a solid point, and 802.1X with the Internal DB would definitely be the way to go. However, there's a catch: Aruba IAPs don't support bulk uploads via CSV.
In a real-world setup, this means:
- Manual Entry only: You have to add every user or MAC address one by one in the UI. There's no "import" button.
- Scalability: It works for small environments, but it's a pain if you have a lot of devices.
If you need to scale, you're better off moving to an external RADIUS (like NPS or ClearPass) where you can actually import lists. You can check the official guide here showing that it's a manual https://arubanetworking.hpe.com/techdocs/Archived/Instant-AOS-8/Instant_85_WebHelp/Content/instant-ug/authentication/user-management/conf-local-db-user.htm
------------------------------
Francisco Pinto
francisco.pinto@novatec-corp.com
------------------------------
Original Message:
Sent: Apr 15, 2026 08:03 AM
From: GorazdKikelj
Subject: How to whitelist the devices and block all of the remaining device.
Hi Nandeesha.
There is no alternative to NAC in your case. You need to implement some kind of authentication.
For example, you can use the Internal DB and a username/password combination to allow corporate assets to connect.
You can add users in the Internal DB and use an 802.1X SSID to allow access, assuming that your clients support 802.1X.


Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
Original Message:
Sent: Apr 15, 2026 07:56 AM
From: Nandeesha.r
Subject: How to whitelist the devices and block all of the remaining device.
Hi Gora,
Yes, we want to limit non-organization assets from connecting.
For example, assume we have 2 types of assets, internal and external. For external assets we want to allow only the required machines, but we are finding that the MAC address changes due to the random MAC addressing feature. If we turn it off for one SSID and connect to another SSID, the setting is re-enabled because the SSID is different, due to which connection establishment keeps failing.
So is there any alternative?
Original Message:
Sent: Apr 15, 2026 07:32 AM
From: GorazdKikelj
Subject: How to whitelist the devices and block all of the remaining device.
Hi Nandeesha.
Looks like you want to limit clients and not APs to access the network. There are limited options as you discovered for this to be done on Instant only. You will need to implement some form of NAC system to authorize clients. MAC auth is simple to implement but hard to maintain. And there are limits on how many accounts you can have in Internal DB.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
Original Message:
Sent: Apr 15, 2026 07:22 AM
From: Nandeesha.r
Subject: How to whitelist the devices and block all of the remaining device.
Hi Gora,
Thanks for replying,
Currently I am using the Aruba Instant Virtual Controller for management, and I even found there is a dependency on the MAC address: nowadays, by default, at the time of connection establishment the device will use a random hardware address or private MAC address, due to which they need to change the MAC type every time they connect to SSIDs.
Original Message:
Sent: Apr 15, 2026 05:36 AM
From: GorazdKikelj
Subject: How to whitelist the devices and block all of the remaining device.
Hi.
You didn't mention what NAC system you are using. With ClearPass it is very easy to do. Enable dot1x with the factory certificate on the APs and then register devices in the Guest Device Repository. When an AP is connecting to the network, just check in the Device Guest Repository if it is enabled and what role it has.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
Original Message:
Sent: Apr 15, 2026 03:36 AM
From: Nandeesha.r
Subject: How to whitelist the devices and block all of the remaining device.
Thanks for your suggestion.
As we checked, it is very helpful and also easy to manage when we have a low count.
But do we have any options to automate the process of registering the MAC addresses, such as via a registration form or a CSV import? That way, if the count goes high in future, we can automate it and reduce the manual time required.
And where exactly can we find the Internal DB to whitelist?
Current version: 8.12.0.4 SSR
Firmware version: 8.12.0.4_91755 SSR (Digitally Signed - Production Build)
(DRT) version: 1.0_92117
Original Message:
Sent: Apr 10, 2026 03:38 PM
From: Francisco Pinto
Subject: How to whitelist the devices and block all of the remaining device.
Hey! Look, we're running the same 515s and to close those loopholes quickly, the easiest way to go is definitely MAC Authentication. It's basically the "Option 1" and the most straightforward fix for what you're trying to do.
What we're doing is using the Aruba controller's (or Instant cluster's) Internal DB. You just load up all the MAC addresses for the devices you want to authorize and set up the SSID profile to only allow those on the list. If a device isn't in the DB, the AP just drops the connection before it even gets an IP.
A few things we've noticed in real-time:
- Feasibility: It's totally doable and works great for stopping "random" devices from jumping on the network. Just keep in mind that if someone is tech-savvy enough, they could technically spoof a permitted MAC.
- Maintenance: If you have a manageable number of devices, it's a breeze. If you're dealing with hundreds, it gets a bit tedious to manually add every new MAC that comes into the office.
- Performance: On the 515s, it's super stable. You just hit the SSID settings, enable "MAC Authentication," and make sure your "Auth Server" is set to the Internal Server.
------------------------------
Francisco Pinto
francisco.pinto@novatec-corp.com
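
Added example, not part of the thread or of any Aruba tooling: a pre-check for a MAC allowlist before it is entered into the Internal DB or imported into an external RADIUS server. It flags the randomized/private addresses discussed above, which set the locally administered bit of the first octet and therefore will not stay stable across SSIDs. The CSV columns (`mac`, `owner`), the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample export of a MAC allowlist (not real device data).
SAMPLE_CSV = """mac,owner
00:1A:2B:3C:4D:5E,laptop-finance-01
da-a1-19-00-11-22,phone-visitor
001a.2b3c.4d5e,laptop-finance-01-dup
01:00:5E:00:00:FB,bad-multicast
not-a-mac,typo
"""

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize(mac):
    """Return 12 lowercase hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[:.\-\s]", "", mac.strip().lower())
    return digits if HEX12.match(digits) else None

def classify(digits):
    """Classify by the two low bits of the first octet (IEEE 802 addressing)."""
    first = int(digits[:2], 16)
    if first & 0x01:
        return "multicast"             # group address, never a client source MAC
    if first & 0x02:
        return "locally-administered"  # typical of randomized/private MACs
    return "universal"                 # vendor-assigned (OUI) address

def audit(csv_text):
    """Split rows into stable entries and rejected entries with a reason."""
    accepted, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        digits = normalize(row["mac"])
        if digits is None:
            rejected.append((row["mac"], "malformed"))
        elif digits in seen:
            rejected.append((row["mac"], "duplicate"))
        elif classify(digits) != "universal":
            rejected.append((row["mac"], classify(digits)))
        else:
            seen.add(digits)
            pretty = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
            accepted.append((pretty, row["owner"]))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_CSV)
    print("accepted:", ok)
    print("rejected:", bad)
```

A rejected `locally-administered` entry means the device registered while MAC randomization was enabled; the entry will stop matching as soon as the client picks a new private address.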