topic SSID with Dot1X and MAB in Wireless

SSID with Dot1X and MAB

Noovi — Thu, 15 Jun 2023 12:45:59 GMT

Hi Guys,

Any options if i can have one SSID on Cisco 5520 WLC which supports dot1X as well as MAB?

Actually we have issues in some devices where certificate can not be pushed and we want to connect same devices on same SSID throgh MAB.

Re: SSID with Dot1X and MAB

Flavio Miranda — Thu, 15 Jun 2023 13:08:00 GMT

This is the option you can have with one SSID. Considering 9800 WLC.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_multiple_authc_for_a_client.html

Layer 2	Layer 3	Supported
MAB	CWA	Yes
MAB	LWA	Yes
MAB + PSK	-	Yes
MAB + 802.1X	-	Yes
MAB Failure	LWA	Yes
802.1X	CWA	Yes
802.1X	LWA	Yes
PSK	-	Yes
PSK	LWA	Yes
PSK	CWA	Yes
iPSK	-	Yes
iPSK	CWA	Yes
iPSK + MAB	CWA	Yes
iPSK	LWA	No
MAB Failure + PSK	LWA	No
MAB Failure + PSK	CWA	No

Re: SSID with Dot1X and MAB

MHM Cisco World — Thu, 15 Jun 2023 13:25:59 GMT

As I know mab + 802.1X both is l2 auth' but mab here is not use for auth it used for wlc to bulid connection database for this user.

Mab auth only without any other l2 auth need you add mac address to wlc or use extended server for mac.

Re: SSID with Dot1X and MAB

JPavonM — Fri, 16 Jun 2023 06:28:17 GMT

I think @Noovi is asking if it's possible to replace dot1X with MAB due to the failed to push certificates on devices. I think you ar using EAP-TLS to perform computer authentication so that's why you want to filter them when connecting.

My recommendation is that you keep using dot1X, but instead of using certificate validation (EAP-TLS) on the RADIUS policies you use user credentials only (PEAP). Then if you want to add this "extra" layer of security to limit the connection to those specific devices using MAB you can do it.

Re: SSID with Dot1X and MAB

Ambuj M — Fri, 16 Jun 2023 07:57:19 GMT

Short answer is No, you can enable both mac filtering and 802.1X on same SSID but means WLC need the mac address in its database for endpoint to perform 802.1X, its more of an AND option than OR option.

one option might be to have 2 separate SSID with same name and use mac filtering for one and 802.1X for another one, and when you are configuring your policy and wireless profile you can push correct profile to relevant devices or advertise the one with mac filtering in areas where you have devices not supporting cert .. you get the idea, it not the most traditional way, but its just an option if your device location and environment permits. Best it to have 2 seperate SSIDs or what JPavonM recommended.

Re: SSID with Dot1X and MAB

Haydn Andrews — Sun, 18 Jun 2023 23:21:03 GMT

Doing just this but needing to use 2 SSIDs

- iPSK for devices that dont support 802.1x (EAP-TLS/ PEAP)
- 802.1x for devices that do support it

Have default PSK to use in an onbaording workflow where they just get internet access to reach the MDM to provision the certificate, and iPSK policy for devices that dont support it to get correct VLAN assignment