topic Forescout Mac Filtering Security and Web Policy in Wireless

Forescout Mac Filtering Security and Web Policy

Nana Banahene — Mon, 05 Jul 2021 17:17:58 GMT

The rule of thumb is or was the wlan being anchored must be identical on both foreign and anchor, correct? Third party AAA(forescout) is wanting layer 2 security mac filtering on foreign and layer 3 security on anchor(that would mean wlans are not identical in configs). If one configures layer 2 mac filtering on wlan, and layer 3 web policy is not enabled how would clients know it's a WebAuth or can both layer 2 and 3 be configured for the same wlan?

Re: Forescout Mac Filtering Security and Web Policy

Sathiyanarayanan Ravindran — Mon, 29 Apr 2019 20:19:58 GMT

Hi Nana Banahene,

Yes, Both anchor and Foreign should have the same configuration.

But if you are using Central web-auth, Only you have to enable MAC-Filtering and no L3 Auth is needs to be enabled, On the SSID you have to enable AAA Override to accept the redirection attribute send by the radius server (ISE/Forescout).

On this case AAA is performed by Foreign WLC. Refer the link of Central Web-Auth Configuration via Cisco ISE so that you can get a idea on it.

Re: Forescout Mac Filtering Security and Web Policy

Nana Banahene — Mon, 29 Apr 2019 20:34:17 GMT

There is a pre-auth acl I configured that needs to be applied and that can
be applied under layer 3 or wlan interface(but wlan interface will not be
helpful for pre-auth) hence I need to apply it under layer 3. What are my
options to get this pre-auth acl going as well

Re: Forescout Mac Filtering Security and Web Policy

Sathiyanarayanan Ravindran — Mon, 29 Apr 2019 21:10:52 GMT

Pre auth ACL is not required in this case. You have to configure a ACL on the foreign controller for DHCP/DNS and NAC IP access(for redirection page). That ACL name has to be present on the Authorization Profile.

Re: Forescout Mac Filtering Security and Web Policy

Nana Banahene — Wed, 01 May 2019 00:47:14 GMT

Yes, on the anchor I have pre-auth acl on L3. I was just concerned that on foreign I have L2 mac filtering, making the configs on foreign different from anchor, but if I understand you correctly, for wlan in question I can do L2 mac filtering on foreign with AAA overide and then do L3 preauth on anchor, and there should be no issues, correct?

Re: Forescout Mac Filtering Security and Web Policy

Sathiyanarayanan Ravindran — Wed, 01 May 2019 06:39:37 GMT

Here also both anchor and foreign configuration has to be same. Only thing that changes is who is performing the AAA.

Also you don’t need to configure L3 on both the controller. Redirection ACL name and URL will be send by the radius server through Authorization profile. You have to create a redirection ACL with only DHCP, DNS and NAC IP on Foreign controller.

Have you referred the link i shared on my previous response? If not pls check it once.