Authentication PSK & MAC-filtering for RADIUS AuthZ

Andrii Oliinyk — Thu, 05 Sep 2024 08:33:03 GMT

trying to fill the gap here:
1) PSK authenticated SSID mapped to default L2VNID#1 (VLAN)
2) depending on the MAC-address client of SSID must be landed in either default or non-default L2VNID#2
u decide apply MAC-filtering to SSID & direct WLC to request ISE for AuthZ where u have configured non-default rule to match endpoint's MAC against designated EID-group & to return L2VNID#2 in Tunnel-Private-Group-ID. Default rule just returns AccessAccept (it's still needed for the rest of endpoints). Now u need all MACs targeted for L2VNID#2 to be members of designated EID-group. & u think u dont need to list rest of clients of SSID anywhere bc successful authentication requires matching proper PSK only. Everything looks good until u recall all clients of SSID are now subject of AuthC. u could configure default AuthC rule to use Internal Endpoints & it would do the job for that endpoints u coded as members of designated EID-group. But what to do for the rest of endpoints? u dont want to create separate EID-group for them. u think then about modifying default AuthC rule to look like this:

do u achieve the goal at this point? any ideas?

Re: Authentication PSK & MAC-filtering for RADIUS AuthZ

Andrii Oliinyk — Thu, 05 Sep 2024 10:29:22 GMT

found confirmation here Solved: ISE only be authorization for wireless users - Cisco Community

topic Re: Authentication PSK & MAC-filtering for RADIUS AuthZ in Network Access Control

Authentication PSK & MAC-filtering for RADIUS AuthZ

Re: Authentication PSK & MAC-filtering for RADIUS AuthZ