https://community.cisco.com/t5/wireless/802-1x-ad-mac-filtering-via-ise/m-p/5514228#M305611 <P>I currently am only doing 802.1X(AD) on the SSID. My users have figured out they can get their personal iPhone on the SSID by entering their AD credentials. I would like to do 802.1X(AD) + MAC Filtering via ISE. This way the device would have to be in the MAC allowed group plus their AD credentials. Does anyone how I can accomplish this?</P> Tue, 20 Feb 2024 20:12:08 GMT rlwilson 2024-02-20T20:12:08Z https://community.cisco.com/t5/wireless/802-1x-ad-mac-filtering-via-ise/m-p/5514228#M305611 <P>I currently am only doing 802.1X(AD) on the SSID. My users have figured out they can get their personal iPhone on the SSID by entering their AD credentials. I would like to do 802.1X(AD) + MAC Filtering via ISE. This way the device would have to be in the MAC allowed group plus their AD credentials. Does anyone how I can accomplish this?</P> Tue, 20 Feb 2024 20:12:08 GMT https://community.cisco.com/t5/wireless/802-1x-ad-mac-filtering-via-ise/m-p/5514228#M305611 rlwilson 2024-02-20T20:12:08Z https://community.cisco.com/t5/wireless/802-1x-ad-mac-filtering-via-ise/m-p/5514229#M305612 <P>This is nothing more than an additional condition in the corresponding rule in the authorization policy. But it is also an administrative nightmare.</P><P>The better solution would be to use TEAP with EAP-Chaining.</P> Tue, 20 Feb 2024 21:29:53 GMT https://community.cisco.com/t5/wireless/802-1x-ad-mac-filtering-via-ise/m-p/5514229#M305612 Karsten Iwen 2024-02-20T21:29:53Z https://community.cisco.com/t5/wireless/802-1x-ad-mac-filtering-via-ise/m-p/5514230#M305613 <P>There is all the information that you need.</P><P><A href="https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Cisco_ISE_-_MR_Access_Points" target="_blank" rel="nofollow noopener noreferrer">https://documentation.meraki.com/MR/Encryption_and_Authentication/MAC-Based_Access_Control_Using_Cisco_ISE_-_MR_Access_Points</A></P> Tue, 20 Feb 2024 21:42:03 GMT https://community.cisco.com/t5/wireless/802-1x-ad-mac-filtering-via-ise/m-p/5514230#M305613 aleabrahao 2024-02-20T21:42:03Z https://community.cisco.com/t5/wireless/802-1x-ad-mac-filtering-via-ise/m-p/5514231#M305614 <P>If you have deployed Meraki Systems Manager on your corporate wireless assets, but not the employees personal devices, you can also filter on whether the Systems Manager agent is on the wireless device too.</P> Tue, 20 Feb 2024 22:14:42 GMT https://community.cisco.com/t5/wireless/802-1x-ad-mac-filtering-via-ise/m-p/5514231#M305614 jgbright 2024-02-20T22:14:42Z https://community.cisco.com/t5/wireless/802-1x-ad-mac-filtering-via-ise/m-p/5514232#M305615 <P>Another better solution is to give them internet access on a dedicated SSID (for example, the Guest SSID) for their personal devices.</P> Wed, 21 Feb 2024 10:56:08 GMT https://community.cisco.com/t5/wireless/802-1x-ad-mac-filtering-via-ise/m-p/5514232#M305615 Karsten Iwen 2024-02-21T10:56:08Z