Showing results for 
Search instead for 
Did you mean: 

Aruba IAP 305 with HP IMC UAM Mac-based Authentication


Aruba IAP 305 with HP IMC UAM Mac-based Authentication

Hello Guys,

we actually are facing an Issue where I am still not able to find a solution.

Since 2012 we are using HP830 Controller with MSM460 and MSM560 APs. As we find out last year, this Controller/AP-Setup is deprecated and we are now using Aruba IAP 305 for our WLAN environment in a few sites.

With our old setup, we used a mac based authentication with IMC UAM for our MSM-APs themselfes to get connected to our network and put them in our AP-VLAN (we also could have used certificates for that - the handling from IMC/UAM point of stand would be the same).

Problem now is, with the old setup, the MSM-APs redirected the traffic through HP830 Controller, so that we have been able to authenticate the APs with their MAC against the IMC/UAM and deployed their AP-VLAN with an Access Policy. From the security point of stand (we are going to ignore at this point, that MACs can be emulated) this was a save way, to not get any external device connected with our internal network, cause if you would have taken the network cable of an AP and put it into an external device, you only would have been put into an quarantine VLAN. At the moment I do not understand, how we could handle this savety (we will improve it with certificates instead of MAC-Auth if possible) with IAP 305s. Cause we need to have trunk-ports on the end where the IAPs are connected to, I do not get, how we could use IMC/UAM to authenticate the APs themselfes. The trunk-ports are needed, cause every department do have it's own VLAN(s) and their devices are also authenticated with IMC/UAM when they do try to connect with WLAN. 

I hope you do understand the issue here, someone will have a solution for and you will be gentle cause of my bad english. I am better understanding it than speaking or writing.


Respected Contributor

Re: Aruba IAP 305 with HP IMC UAM Mac-based Authentication

I've been using the MSM series and APs as well. I use the 802.1x supplicants (instead of MAC)  in the APs and create a user/password for this in IMC. It looks like the IAP 305 have a supplicant option as well.. You could have a unique ID for each or share the same one for all (make sure you set the login limit in IMC) depending on your need

Your switches should be able to authenticate the AP on the trunk port and then use IMC to assign the VLANs needed as tagged to the port using the access policy based on the userID of the AP - I'm doing the same thing with the MSMs

EDIT: Also note that if the switch port has a MAC client limit as part of 802.1x authentication, it will count those from the AP clients. On procurve this occurs with mixed authentication.