Cisco ISE 3.2 Wireless MAB authentication

absuizo14 · ‎10-08-2023

Greetings,

Is there a way or an app to test MAB auth without actually using a printer and just your laptop? and is it possible to have both 802.1x and MAB auth in one SSID?

Greg Gibbs · ‎10-08-2023

For testing RADIUS auth without an endpoint, see the RADIUS Simulation with ISE webinar

No, it is not possible to use MAB auth on an 802.1x SSID. An 802.1x secured SSID requires proper authentication.

absuizo14 · ‎10-09-2023

Went through the webinar but we only have windows devices and the one on the webinar that supports windows cant do wireless.

Arne Bier · ‎10-09-2023

Further to the MACOS tool mentioned by @Greg Gibbs , there is also a Linux equivalent that I use a lot - it's the Free radius radtool. It can send PAP/CHAP requests, which are perfect for MAB.

And in fact, it is possible to perform 802.1X and MAB in the same SSID - this is a bit esoteric, but I have done it on AireOS whereby the first authentication is 802.1X, and because MAC Filtering is enabled too, the WLC sends another request to ISE, which is a MAB request. So, this is a double authentication process. I can't remember why a customer needed this, but it was a genuine requirement. There could be other ways to restrict/control an 802.1X endpoint authentication via Calling-Station-ID (which is the MAC address).

absuizo14 · ‎10-09-2023

You have any detailed guide on how to do 802.1x and MAB in the same SSID?

Arne Bier · ‎10-10-2023

Hi @absuizo14

I found an old Community Posting where this was discussed. You take the regular 802.1X WLAN and enable MAC Filtering. At least, that's how it works on the AireOS WLC. The WLC then performs back-to-back authentications (802.1X and MAB) - the ISE Policy Set but be configured to process those MAB authentications.

I don't have any examples of this unfortunately. It should be something to test in a lab environment. Samuel Cardenas provides some high level guidance on what this might look like.