topic Re: VLAN Steering and MAB authentication in Wireless

VLAN Steering and MAB authentication

Jim Blake — Tue, 28 Jun 2022 21:11:16 GMT

This question relates to a network of 9130 APs, managed by a 9800 WLC. I'm trying to reduce the number of SSIDs being used in the network.

One of the reasons for having so many SSIDs is that there are several communities of wireless IoT devices that have no 802.1x capability, so must be authenticated using MAB. That would be fine, if all IoT devices needed to go into the same VLAN. However, there are families of devices, each one needing to be handled differently, so they are put I to different SSIDs/WLANs/VLANS, hence the high SSID count.

I'd like to use the ISE that handles 802.1x to do VLAN steering, so that I could use the same SSID, then steer client devices into different VLANs based upon their MAC address. I've read about doing this with something called MyDevice Portal, but I haven't found details on this, or if it's possible.

Can anyone say if what I propose is possible, and if so, point me at some documentation that will get me started

Thanks

Jim

Re: VLAN Steering and MAB authentication

balaji.bandi — Tue, 28 Jun 2022 21:54:09 GMT

You can create profiles based on that you can give access permission: you can use vendor OUI (when you use MAB authentication)

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456

Re: VLAN Steering and MAB authentication

Flavio Miranda — Tue, 28 Jun 2022 22:55:06 GMT

From the ISE side your challange is to identify the device you want to spread on the vlans. You can work with profile. On the WLC side, you need to enable "Allow AAA Override" on the WLC, advanced tab

On the AP group, instead poniting the WLAN to a interface group, you need to point to a non-routable interface. But, you need to add the vlan on the WLC under "CONTROLLER" and Interfaces.

Re: VLAN Steering and MAB authentication

patoberli — Wed, 29 Jun 2022 14:56:22 GMT

iPSK might help you if you want encryption:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/216130-configure-catalyst-9800-wlc-ipsk-with-ci.html

Re: VLAN Steering and MAB authentication

Jim Blake — Wed, 29 Jun 2022 16:11:03 GMT

The IoT devices have no 802.1x supplicant, but lets assume they could handle iPSK. Can the ISE do VLAN steering based upon each different user/group's PSK? If that were possible, that could be a simple solution

Thanks

Jim

Re: VLAN Steering and MAB authentication

Jim Blake — Sun, 03 Jul 2022 20:42:57 GMT

That looks to be the way to go...I will lab it and see how it works. Thanks!

Re: VLAN Steering and MAB authentication

patoberli — Thu, 30 Jun 2022 06:41:44 GMT

Yeah this is exactly what this could be used for, as long as the IoT device is capable of WPA2/AES with a PSK.

It takes some additional ISE configuration though, because you need to create a profile for each VLAN you want to assign.

In my opinion it would probably be better to put them all into the same VLAN and make sure that this VLAN is correctly isolated.