topic Hi Mile, in Network Access Control

SSID+PSK with ISE

CODNetadmin — Mon, 11 Mar 2019 07:33:16 GMT

Hi!

I do have to migrate some of our SSID into 1 single SSID. To give you brief background about the setup:

1. We currently have 5 ssid(ex ss1,ss2,ss3,ss4,ss5) different vlans for each. all clients that are connecting to the said ssid cannot support dot1.x and they are currently using PSK for security.

2. We will need to migrate those 5 ssid into 1 single ssid ( ex.newssid), use dynamic vlans and integrate it with cisco ISE.

3. since those devices doesn't support the 802.1x, is it possible to use PSK for the authc and integrate it with ISE with dynamic filtering and MAC Add filtering?

Thanks!

You can use MAB with Endpoint

Angel Castillo — Fri, 17 Mar 2017 09:12:12 GMT

You can use MAB with Endpoint Groups, for example: the devices that connected to SSID1 input in Endpoint Group 01 and you can configure a policy authorization with this group on the condition and the dynamic VLAN in result

Hi,

mile.ljepojevic — Fri, 17 Mar 2017 16:55:34 GMT

Hi,

you can use one PSK for newssid (on 8.3+ code only), have it configured on all wireless endpoints and then use ISE authorization profile to override WLC interface (VLAN) based on ISE endpoint info (endpoint group, MAC address, profiling, etc.).

Here is document about WPA-PSK and RADIUS (NAC):

http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn83.html#31794

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_0100111.html#d49566e8409a1635

Let me know if you need more info.

Hi Mile,

CODNetadmin — Mon, 20 Mar 2017 06:28:10 GMT

Hi Mile,

Thanks for your reply.

As I checked, it will be needed to have a CWA.

For my requirements,

- the PSK and MAC Filtering should be handled by the WLC - Currently working and I can connect to the SSID.

- ISE will be the one who will authorize and provide the dynamic vlan assignment.

the problem is, whenever I connect to the SSID, I cannot see logs on ISE.

how do you guys configure a Authc policy on ISE for the SSID that has PSK security and handled by the WLC?

Thank you.

Hi, it's very simple:

mile.ljepojevic — Mon, 20 Mar 2017 15:11:14 GMT

Hi, it's very simple:

In your scenario, you will not see anything on the ISE because all authentication is done locally via WLC. Of course ISE will not be aware of that

CWA is using MAC filtering to provide authentication via Web Portal for unknow MACs. You can still use ISE to do mac-filtering, but you create policies to be matched based on known MAC address instead of CWA result.

CWA is used to identify unknown PCs, guest access, etc, but even on wireless, you can "whitelist" all devices that do not have web-browsers, like Printers, Roku and Chrome players, projectors, etc. It's same concept for you.

So, you should use PSK on the WLC, then RADIUS NAC and ISE as RADIUS server for MAC address filtering, configure policies for Wireless MAB do not use CWA in your policies, just create policies that will assign specific Endpoint group (pre-filled with known MACs) to specific VLANs.

As I read on cisco docs and I

CODNetadmin — Tue, 21 Mar 2017 06:14:30 GMT

As I read on cisco docs and I also want it to confirm, CWA is more likely needs to have a splash page/portal right?

Again, you are not using CWA.

mile.ljepojevic — Tue, 21 Mar 2017 12:14:25 GMT

Again, you are not using CWA. CWA is portal for authentication based on username/password and requires splash-page and user intervention.

You can use Wireless MAB to do MAC filtering and VLAN assignment, no need to use CWA at all.

Oh very sorry, missed it.

CODNetadmin — Wed, 22 Mar 2017 01:53:47 GMT

Oh very sorry, missed it.

Since the PSK is on WLC, the policy that I should create is on the authorization?

Here's the steps that I made.

- Since there is a upper policy for Wired and Wireless MAB and will use Internal Endpoints, when I do connect to the SSID, It should hit that policy right?

- I created a Endpoint group with the specific MAC Address Inside.

- I created a Authz policy for that Endpoint group

When I connect to the SSID, Since it will hit the first Authentication Policy which is MAB, it should reflect on the Authentications right? but so far I cannot see my MAC address on the Authentications.

You need to configure SSID to

mile.ljepojevic — Wed, 22 Mar 2017 11:38:44 GMT

You need to configure SSID to use RADIUS NAC.

Also, on L2 security it should be MAC filtering

On L3 security, make sure you add your ISE servers.

Make sure ISE servers have WLC as AAA Client

Make sure pre-shared key is the same.

There could be multiple reasons why you don't see your MAC address in ISE logs, but it should't be related with your policy configuration.

If policy is wrong, you still should see MAC address, but it would be denied or wrong authorization profile would be applied, but 99% chance is that MAC address will be in the logs.

If you do not see MAC address in the ISE Logs, it's either there is no good communication between WLC and ISE, or WLC is not sending RADIUS requests to ISE...

For radius nac, It's on the

CODNetadmin — Thu, 23 Mar 2017 06:45:08 GMT

For radius nac, It's on the NAC State then select RADIUS NAC right?

Got some problem enabling it since when I enable it, it says

"Radius NAC is available only for WLANs that are configured for 802.1x/wpa/wpa2 layer 2 security or open Auth + MAC Filtering

When I use 802.1x it goes fine. but the requirement is it should be PSK not 802.1x

For the L2 Security, its alrady WPA+WPA2 but still cant use RADIUS NAC as the NAC State

Hi,

mile.ljepojevic — Thu, 23 Mar 2017 11:47:27 GMT

Hi,

as I mentioned WLC 8.3 or newer train (if exists) is required for this. Previous releases of WLC code do not support RADIUS NAC and PSK.

Re: Hi,

MDUONG@presidio.com — Wed, 02 May 2018 00:20:18 GMT

Hi Mile, we have the same issue with trying to use Radius and PSK with WLC prior version to 8.3. I understand that this is a bug. My question is, if we decide to use Radius NAC without PSK (Open Auth), does that mean our traffic is unencrypted?