topic Re: C9130axi EWC authentication question in Wireless

C9130axi EWC authentication question

Chris Callison — Mon, 05 Jul 2021 20:25:19 GMT

I am using my AP in EWC mode. I am using Windows 2019 NPS as the AAA authority. I have set up admin (web & ssh) access and have set up 802.1x for one of my WLANs and it is working as expected. I would like to have a few WLANs that are restricted by mac address, but I don't want to use MAB if I have to leave the WPA authentication as "open". I've already tried it and I will use it if I have to, but it seems like a half-ass solution if I can't encrypt the session.

Are there better ways to work around this? My list of mac addresses to restrict a VERY small so I don't mind doing in the NPS security policies

Re: C9130axi EWC authentication question

Scott Fella — Sun, 21 Mar 2021 06:28:50 GMT

What is the purpose of using MAC address with WPA2 PSK? I think there are better solutions if your devices supports 802.1x.
Anyways, I believe you are limited also on NPS as to what you can do compared to Cisco ISE as an example. In ISE, I can have a PSK or even IPSK and based on a group (MAC address list) I can place devices on a specific vlan. It’s really based on rules and what conditions are available in NPS. I have only used NPS back in the days and that was strictly for 802.1x.

Re: C9130axi EWC authentication question

Chris Callison — Sun, 21 Mar 2021 22:23:15 GMT

For my environment, it's really only useful for a general use tablet and the lack of encryption makes it seem pointless. I was also not able to turn off SSID broadcasting, so I don't think I will use it.

I seem to remember applying a mac address acl to a wlan was extremely easy and intuitive on my old WLC2504. Less so in IOS-XE 17.4

Much easier to design NPS constraints that include mac addresses. As I said, my filter list is very small, so it is easy to script out, but for a larger community, I might try harder to set up a mac address acl.

Re: C9130axi EWC authentication question

Scott Fella — Mon, 22 Mar 2021 01:12:27 GMT

Well I run WPA2/AES with PSK for my IoT devices and using a group that has all the mac address for that defined group. That is what you should do and don't worry about the mac address. I'm able to do this with Cisco ISE, because ISE collects device information that is sent to it for authentication. This I don't think it is possible with NPS, unless you create an OU with the mac address as the username and password (been a while since I did something like that, so don't know if that is still valid).