topic Re: ISE+WLC Partial MAC Address Authentication in Network Access Control

ISE+WLC Partial MAC Address Authentication

r3kr4p — Wed, 14 Jul 2021 21:34:19 GMT

Hello,

I have a small network with a few WLC's each with multiple WLANs, as well as an ISE server. One of the SSID's I have is open, and I would like to authenticate it using ISE. All of the clients connecting to this network will have one of three different OUIs, (first 6 digits of the MAC), so I would like to set up authentication using that. Only clients with those three OUI's will be allowed, and all others will be blocked. I am fairly new to ISE and not sure where to start on this problem.

Thanks!

Re: ISE+WLC Partial MAC Address Authentication

balaji.bandi — Wed, 14 Jul 2021 22:19:48 GMT

Don't you think is the security risk only "(first 6 digits of the MAC)" - why not have the full MAC address of the device and make Profiles.

any reason you can not do that, MAB only used if the supplicant can not be installed.

Re: ISE+WLC Partial MAC Address Authentication

r3kr4p — Wed, 14 Jul 2021 22:35:08 GMT

I considered that option. The problem with that is I have over 200,000 unique devices and that list is continuously growing, so I would have a massive list of devices that would continuously have to be updated. I realize this is not optimal from a security perspective, but individual mac filtering is not feasible.

Re: ISE+WLC Partial MAC Address Authentication

balaji.bandi — Thu, 15 Jul 2021 07:15:02 GMT

Do you have any other layered authentication (like how we do BYOD).

Re: ISE+WLC Partial MAC Address Authentication

r3kr4p — Thu, 15 Jul 2021 16:48:45 GMT

No, I am just trying to authenticate by OUI.

Re: ISE+WLC Partial MAC Address Authentication

balaji.bandi — Thu, 15 Jul 2021 21:18:03 GMT

It's your Governance and security policy of the business - technically works, but as I head up with security risk.

Re: ISE+WLC Partial MAC Address Authentication

littleyoda — Thu, 15 Jul 2021 22:46:34 GMT

Huge security with open SSID and only filtering on OUI, even if it's an isolated network. Maybe add some profiling? or switch to a PSK + OUI filtering?

Re: ISE+WLC Partial MAC Address Authentication

r3kr4p — Fri, 16 Jul 2021 16:36:18 GMT

Thank you for the reply, however, at this moment I am not worried about security. I am simply trying to figure out how to implement partial mac auth in the first place. If you know how any help would be greatly appreciated.

Re: ISE+WLC Partial MAC Address Authentication

r3kr4p — Fri, 16 Jul 2021 16:37:37 GMT

I appreciate the replies. Ignoring security risks for the moment, if you know how to implement partial mac authorization using ISE any help would be greatly appreciated.

Re: ISE+WLC Partial MAC Address Authentication

balaji.bandi — Fri, 16 Jul 2021 17:19:56 GMT

If the business not worried much, you can carry and it works as expected.

example :

http://www.network-node.com/blog/2016/1/2/ise-20-profiling

Re: ISE+WLC Partial MAC Address Authentication

r3kr4p — Fri, 16 Jul 2021 17:20:29 GMT

My point is I do not know how to implement this, as in, I do not know how to configure ISE to do this.

Re: ISE+WLC Partial MAC Address Authentication

balaji.bandi — Sat, 17 Jul 2021 09:47:03 GMT

the steps are clear in the document, if you are worried much, I would suggest hiring a consultant for the piece of work as a mini project

Re: ISE+WLC Partial MAC Address Authentication

r3kr4p — Mon, 19 Jul 2021 16:17:24 GMT

The steps may be clear to you, but they are not to me. That is why I am asking for help here. Which document are you referring to? Also, I do not have money to hire a consultant, which again is why I am asking for help here.

Re: ISE+WLC Partial MAC Address Authentication

balaji.bandi — Mon, 19 Jul 2021 16:58:00 GMT

Couple of suggestions :

1. the document have clear steps : (spend some time read, and ask what steps it was not clearn) - the document also provide with screenshot - just like spoon feed.

example :

http://www.network-node.com/blog/2016/1/2/ise-20-profiling

if you not in a postion to hire consultant, then you need to spend time reading the documents understand and deploy and test it.

it required some understand, its not onself you can do 123 kinda.

time is value for every one, so we do best to support community (we do encourage people to learn and improve, at the same time we also learn here where possible).