Solved: Re: Is it possible to configure WIRELESS 802.1x and MAB Authentication on same (SINGLE) SSID on ISE...

prashantk · ‎07-30-2018

Hi,

We have a recently installed a WLC 5520, ISE 2.3 and Prime Infrastructure on UCS 220 Server.

Now 802.1x is not supporting the devices like MI, Huawei , Samsung S8 (specifically Android version > 6 not connecting) , even Macbook latest version is not connected through 802.1x wireless even they have 802.1x enable. Cisco partner said it's a client side issue. Is there anything wrong while configuring the ISE and WLC 5520??

802.1x is implemented with protocol like PEAP and MSCHAPv2 with RADIUS server for authentication but out of 10 client devices 6 are not getting connected through 802.1x.

So cisco partner implemented MAB via guest Portal with new SSID.

Now my question is, can we implement the Wifi network in such a way that, if client is not get WLAN access through 802.1x, he will be automatically redirected to MAB on same SSID (I mean single SSID not on MAB SSID or Guest SSID)??

Secondly, can we bind the client device MAC addresses in ISE itself instead of DHCP server so that authorize users can get access through 802.1x protocol? How?

Thirdly, can we configured the different rule for different groups to use internet and intranet with single SSID on WLC and ISE? how?

Your Suggestion is highly appreciated as our partner is running away from our requirement and we are stuck in the middle of project.

Thanks in advance.

prashant..

prashantk · ‎08-13-2018

Issue resolved..
After latest version upgrade all devices are connecting seamlessly on dot1X.
Thanks all of you for all your kind supports.
regards,
Prashant..

View solution in original post

Cory Peterson · ‎07-30-2018

To answer your first question: You cannot have a single SSID for 802.1x and MAB, the Wireless controller cannot have an SSID that has two different methods of Authentication.

Client Failing Auth: There are several different issues that could cause the endpoints to not connect to the wireless, do you have any authentication logs from ISE for the failing devices? Please share those logs. There should be no reason to have these devices on MAB/Guest access if you want to allow them to login with their Domain Credentials/Username and password on 802.1x

Second: You can setup an Endpoint group in ISE to add the MACs to but I would not recommend this as it can become very cumbersome to manage.

Third: You can configure authorization rules that will put a user in a different VLAN or to use a different Airespace ACL on Wireless once they authenticate. This can be based on many different items in ISE like the AD group they below to.

But please share some of the failure logs from ISE.

prashantk · ‎07-30-2018

Hi Cory,

Thanks for your response and valuable time.

I am sending you the ISE logs FOR different devices over 802.1X and MAB as well.

1) For BB10 devices i am getting connected through 802.1x and MAB and able acces internet as well.

2) for Huawei-honor and MI device i am not getting connected on client device through 802.1X but ISE log shows device successfully connected. On these devices not able to access internet either. Device continuously looking for ip address ie. no internet, IP address. Same on MAB as well. Wi- Fi connectivity is flapping continuously on these devices.

I have attached the ISE logs of all three devices here for your reference,

Thanks in advance.

Regards

Prashant

craiglebutt · ‎07-31-2018

Depends on your code on the WLC.

Think it is 8.5 where it allows you to use different auth methods. Not tested my self s can't upgrade to that firmware yet.

prashantk · ‎07-31-2018

Hi Craig,
Thanks for your reply.

IT IS Version 8.5.0.131 WLC AIR-5520. could you pls elaborate "code on the WLC " mean in more details. can understand what you mean exactly.
regards,
Prashant

craiglebutt · ‎07-31-2018

Hi

Think this is what I've read. Might help

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html

Cory Peterson · ‎07-31-2018

This feature allows Private PSK or a PSK per user/device. It allows the same SSID to have different Pre-Shared Keys. This will still not allow you to mix MAB and dot1x on the same SSID.

prashantk · ‎08-01-2018

we already have RADIUS server configured in our network, so how can i authenticate and authorize the user with by using iPSK with device MAC binding through it. is it possible this way? if it then how can we configured the policy and rules? any suggestion will be appreciated.
thanks.

Cory Peterson · ‎07-31-2018

ISE side looks like it is working, you may want to focus on the Wireless Controller side of it. You will most likely need to run some debugs on the controller side. I would suggest opening a TAC case to look deeper in to the Controller and verify it is accepting the RADIUS messages that are being sent.

Also, on the devices, be sure that there are no driver/software updates for the phones.

prashantk · ‎08-13-2018

Issue resolved..
After latest version upgrade all devices are connecting seamlessly on dot1X.
Thanks all of you for all your kind supports.
regards,
Prashant..

Is it possible to configure WIRELESS 802.1x and MAB Authentication on same (SINGLE) SSID on ISE?