topic Wireless 802.1x with MAB as fallback and FreeRadius in Wireless

Wireless 802.1x with MAB as fallback and FreeRadius

ciscoprolin — Mon, 05 Jul 2021 16:51:49 GMT

Dear All,

with more and more IoT devices entering the market we need to design our wireless infrastructure

to accomodate IoT devices which support 802.1x but also devices which do not support 802.1x.

As the best practice is not to exceed the number of 4 SSIDs the ideal solution would look like one SSID only with 802.1x enabled and MAC filtering for MAB (MAC Authentication Bypass) for IoT devices not supporting 802.1x.

In the Cisco Switching world this is no problem at all but does anyone have experience how this can be handled in the Cisco Wireless world (with 8540 WLCs and release 8.5) ?

I know there is the new feature Identity PSK but this would also require a separate SSID for non-802.1x devices but how can both devices types be covered by 1 SSID ?

In other discussions it's stated that it should be possible (though not officially supported) with Cisco ISE as radius server but has anyone managed to implement 1 SSID with 802.1x and MAB for non-802.1x devices using FreeRadius as backend ?

Thanks and best regards,

Thorsten

Re: Wireless 802.1x with MAB as fallback and FreeRadius

Kasun Bandara — Fri, 15 Feb 2019 09:07:51 GMT

Hi,
you can do few checks, even i am not tried yes i can suggest below.

1 - enable MAC filtering for SSID and add MAC to whitelist in controller (not radius)
2 - select 802.1x for next step.

but i dont think you can use radius server for both 1x and MAB

Re: Wireless 802.1x with MAB as fallback and FreeRadius

patoberli — Mon, 18 Feb 2019 12:36:07 GMT

Not using Freeradius for this, but I also think it's possible on ISE.
You'd need to do a chained policy, which first checks the MAC and if that one fails, do 802.1x. I'm not sure if FreeRadius is capable of this.
Another variant (if your FreeRadius is just a proxy for an Active Directory) might be this:
https://documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_MS_Switches

Re: Wireless 802.1x with MAB as fallback and FreeRadius

ciscoprolin — Mon, 18 Feb 2019 15:34:10 GMT

Thanks for your appreciated reply. We are able to use FreeRadius in connection with the Identity PSK Feature offered by Cisco WLCs since release 8.5.

With the I-PSK we need to sacrifice a separate SSID (apart from 802.1x) that's why we're considering MAB for Wireless as an alternative to I-PSK.

With Cisco switches MAB is absolutely no problem but with the Cisco WLC we're not sure. Found another article in which it was stated it does not work with the WLC: https://community.cisco.com/t5/policy-and-access/wlc-mab-with-802-1x-authentication/m-p/3747331 .

We'll try to test it.

Thanks.

Re: Wireless 802.1x with MAB as fallback and FreeRadius

patoberli — Tue, 19 Feb 2019 16:07:20 GMT

Yeah, wireless 802.1x and wired 802.1x are sadly not exactly the same thing. I hope it will work for you.