09-11-2019 01:47 PM
I've got 400 devices to connect to the wireless.
Have created an AD account; this will be used on all devices, which is pushed out by a management server from an external company.
I don't have the MAC addresses for the devices to Endpoint import, was looking at a policy to match username and MAC address starting with **-**-**-**, but finding it difficult to find the correct field to match the MAC address to.
Any ideas or a better solution, much appreciated, looking at certificate, but that is another dept.
cheers
09-11-2019 09:19 PM
Hi @craiglebutt
With wireless you have to be specific about how the devices associate to the WLAN
- PSK - ISE is not involved - basic pre-shared key on the device
- iPSK - ISE is involved and this is still PSK on the device, but you can assign a unique PSK on each device, provided ISE has the MAC address of the device in its Identity Group - import them via .csv
- EAP-PEAP - this is what I think you're alluding to - each device has a supplicant that has to be configured to associate to the SSID doing enterprise WPA2 - you can use the same username/password for all 400 devices, but as Damien said, if the account gets locked out then all 400 devices share the same fate. It can work though - just create a service account in AD that can never be locked out - if you are concerned that this AD account will be abused by other devices, then that is a privacy concern and there is not much you can do other than to keep that password as complex as possible and not tell anyone. Or you can tie some MAC filtering to this. The trick is to add all the MAC addresses into ISE, and then on the WLC, disable the NAC State option (if it says RADIUS/ISE, then change it to None). This will allow you to perform 802.1X and MAB - one after the other. If PEAP auth works, then MAB auth is next - both have to pass in order for the association to succeed.
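Both the iPSK and the 802.1X-plus-MAB options above depend on getting the device MAC addresses into an ISE Identity Group via CSV import. As an added example (not from this thread or from Cisco), the Python below takes a management-server export with MACs in mixed notations, normalises them to the colon-separated form ISE displays, keeps only addresses whose OUI matches the expected vendor prefix (the "starts with" check from the question), and writes the import rows; the column header, the sample inventory and the OUI list are assumptions, so align the header with the endpoint import template downloaded from your own ISE version.

```python
import csv
import io
import re

# Constructed sample export from a device-management server: MACs arrive in the
# mixed notations such exports tend to use (colon, hyphen, Cisco dotted), plus junk.
SAMPLE_INVENTORY = """device-001, 00:1A:2B:3C:4D:5E
device-002, 00-1a-2b-3c-4d-5f
device-003, 001a.2b3c.4d60
device-004, 00:11:22:33:44:55
device-005, not-a-mac
"""

# Assumed header; match it to the endpoint import template from your ISE version.
CSV_HEADER = ["MACAddress", "IdentityGroup", "Description"]


def normalize_mac(raw: str) -> str:
    """Return the address as uppercase colon-separated octets (the form ISE
    displays), or raise ValueError if it is not 12 hex digits once separators go."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_endpoint_csv(inventory: str, identity_group: str, allowed_ouis: set) -> tuple:
    """Emit import rows for each inventory line whose MAC is valid and whose OUI
    (first three octets) is allowed; everything else lands in the rejected list
    so it gets reviewed instead of silently dropped."""
    ouis = {re.sub(r"[^0-9A-Fa-f]", "", o).upper() for o in allowed_ouis}
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(CSV_HEADER)
    rejected = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, _, mac_raw = line.partition(",")
        name, mac_raw = name.strip(), mac_raw.strip()
        try:
            mac = normalize_mac(mac_raw)
        except ValueError as err:
            rejected.append(f"{name}: {err}")
            continue
        if mac.replace(":", "")[:6] not in ouis:
            rejected.append(f"{name}: OUI {mac[:8]} not in the expected vendor list")
            continue
        writer.writerow([mac, identity_group, name])
    return buf.getvalue(), rejected
```

Review the rejected list before importing: a device with an unexpected OUI is either a typo in the export or a device that should not be in the group.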
09-11-2019 02:13 PM
09-12-2019 01:52 AM
Thanks both for replying, both replies helped me to fix the issue.
I was trying to do it without an endpoint database.
iPSK is next on my list once I've migrated the old Access Points and can upgrade the WLCs, which will help.
cheers