11-13-2012 07:00 AM - edited 03-10-2019 07:46 PM
Hi,
I am looking for some input about how to profile and authorize non-802.1x devices. These devices are mostly barcode scanners connecting wireless with WPA/2. I am not sure how to authenticate them in ISE.
We have two scenarios.
1) LAP/WLC with several SSID/VLAN where the devices authenticate with WPA/2.
2) Autonomous AP with several SSID/VLAN where the devices authenticate with WPA/2.
There is a possibility to authenticate them on OUI, but I would like to have at least one other condition. Is it possible to use the WPA PSK?
For the second scenario: is it possible to use an autonomous AP with ISE? Barcode scanners need to go to one VLAN and other non-802.1x devices to another. My guess is that the config should be somewhat similar to a switch, regarding AAA/RADIUS.
Has anyone set up ISE with non-802.1x devices? What/how did you do it?
Regards
Philip
11-13-2012 02:45 PM
I've added a local username in ISE and configured all scanners with that username.
I've also created an authorization rule:
If username = scanner-user, then allow access (you can try to set the VLAN).
I have a separate SSID/interface on the WLC for this purpose :). Because when RADIUS NAC is selected, bridges and other things don't connect.
11-13-2012 03:37 PM
There are several ways you can do this, one of them being mentioned in the post above. You can also use MAB (MAC Authentication Bypass) by manually entering MAC addresses in ISE, or utilize automatic/dynamic profiling.
MAB:
Profiling:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_prof_pol.html
Thank you for rating!
11-14-2012 12:25 AM
edondurquti: That's a smart way to solve the problem. I'll see if that is possible here.
Neno: I had read through it before I posted this, but didn't find a way to solve it smoothly. It is over 4000 devices, so adding them manually is not an option. Importing them from a CSV might be possible, but since they get replaced a lot due to malfunction, an automatic solution is preferred. I have looked at the probes but not found anything good and unique besides OUI.
Anyone got a take on autonomous APs and ISE? Is there a guide on how to make it work?
11-14-2012 01:13 AM
With that many devices that change often, profiling is the way to go. For that you need the Advanced license. In profiling you can match on the OUI, and in addition you can use the SSID in your rules. The SSID is communicated in the RADIUS attributes.
The question about autonomous APs was discussed several times in the past. And sadly no one was aware of an AP that would work.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-14-2012 09:17 AM
I've quickly tried to authenticate against ISE with Autonomous AP
No luck, maybe there is a work around but haven't tried as hard or there might not be:
[Screenshot: ISE report "Failure Reason > Authentication Failure Code Lookup", generated November 14, 2012 11:11:46 AM CST]
11-14-2012 10:08 AM
Perhaps a silly question, but did you add the AP as an AAA client in ISE? Also, what does the AP config look like?
11-14-2012 10:10 AM
You mean as a network device with a RADIUS key?
11-14-2012 10:13 AM
I am sorry, I was thinking in ACS terms ... Yes, did you add the AP as a NAD in ISE?
11-14-2012 10:15 AM
Yes I did
Sorry, I took the AP off; as I said, I tried it quickly and there might be a workaround.
Thank you.
11-14-2012 10:19 AM
No worries, I am probably going to try to lab that out too but it might be a while as I am traveling a lot at the moment.
11-14-2012 10:20 AM
Great, let us know if you get it working
Thank you.
11-19-2012 12:30 AM
I'll try adding autonomous AP too when I have some spare time.
Another question regarding non-802.1x devices:
Is it possible to make a condition that matches on an IP address where the fourth octet is .10-.15? We have some devices with static IPs that we can match on together with the MAC. I can't seem to find a good solution with Operator and Attribute Value that will work.
11-20-2012 04:03 PM
I have never used this before but you can probably use the "Framed-IP-Address" under the "Radius" attributes
Thank you for rating!
11-21-2012 01:03 AM
The problem isn't the attribute but how to use it. I can't find a way to use wildcards.
This works:
But when adding a wildcard it doesn't work:
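A worked illustration of the two kinds of condition discussed in this thread (karsteni's OUI plus SSID taken from the RADIUS attributes, and the Framed-IP-Address fourth-octet range asked about just above), written as an added Python example. It is not Cisco ISE code and does not reproduce ISE's condition editor or operator syntax; it only shows the decision logic such rules express, applied to the attributes an Access-Request carries. Every OUI, SSID, MAC address, IP address and VLAN number is a made-up placeholder, and the Called-Station-Id layout assumed is the WLC's "AP-MAC:SSID" form.

```python
"""Added example, not Cisco ISE code: a small evaluator that applies the
kinds of authorization conditions discussed in this thread (OUI plus SSID
from the RADIUS attributes, and a static IP whose last octet falls in a
range) to the attributes a RADIUS Access-Request would carry.  Every OUI,
SSID, MAC address, IP address and VLAN below is a made-up placeholder."""
import re

# Hypothetical vendor OUIs (first three octets) of the barcode scanners.
SCANNER_OUIS = {"00:11:22", "00:11:23"}
# Hypothetical SSID the scanners are expected to join.
SCANNER_SSID = "SCANNERS"
# Hypothetical static-IP devices: client MAC -> the address it must present.
STATIC_DEVICES = {
    "aa:bb:cc:00:00:01": "10.20.30.12",
    "aa:bb:cc:00:00:02": "10.20.30.14",
}
# Allowed range for the fourth octet of the static devices (the .10-.15 case).
STATIC_LAST_OCTET = (10, 15)
SCANNER_VLAN = 100   # placeholder VLAN for the scanners
STATIC_VLAN = 200    # placeholder VLAN for the other non-802.1X devices

# WLC-style Called-Station-Id is "<AP radio MAC>:<SSID>"; the MAC part may use
# '-' or ':' separators, so match it explicitly instead of splitting on ':'.
_CALLED_STATION_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(.+)$")


def normalize_mac(raw):
    """Turn any common MAC spelling (00-11-22-33-44-55, 0011.2233.4455, ...)
    into lowercase colon-separated form; raise ValueError if malformed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("malformed MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac):
    """First three octets of a normalized MAC, the part profiling can key on."""
    return mac[:8]


def ssid_from_called_station(called_station_id):
    """Extract the SSID from a WLC-style Called-Station-Id, or None."""
    m = _CALLED_STATION_RE.match(called_station_id or "")
    return m.group(1) if m else None


def last_octet_in_range(ip, lo, hi):
    """True if ip is a valid dotted quad whose fourth octet lies in [lo, hi]."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return False
    return lo <= int(parts[3]) <= hi


def authorize(attrs):
    """Evaluate the rules top-down, first match wins, and return the decision,
    the VLAN to assign and the name of the rule that matched."""
    try:
        mac = normalize_mac(attrs.get("Calling-Station-Id", ""))
    except ValueError:
        return {"result": "deny", "vlan": None, "rule": "malformed-request"}
    ssid = ssid_from_called_station(attrs.get("Called-Station-Id"))
    ip = attrs.get("Framed-IP-Address", "")

    # Rule 1: scanner vendor OUI *and* the scanner SSID, i.e. two conditions
    # rather than OUI alone.
    if oui_of(mac) in SCANNER_OUIS and ssid == SCANNER_SSID:
        return {"result": "permit", "vlan": SCANNER_VLAN, "rule": "scanner-oui-and-ssid"}

    # Rule 2: a known static-IP device presenting exactly its expected address,
    # with the fourth octet inside the allowed range.
    lo, hi = STATIC_LAST_OCTET
    if STATIC_DEVICES.get(mac) == ip and last_octet_in_range(ip, lo, hi):
        return {"result": "permit", "vlan": STATIC_VLAN, "rule": "static-ip-device"}

    return {"result": "deny", "vlan": None, "rule": "default-deny"}


if __name__ == "__main__":
    # Constructed sample Access-Request attributes, not captured traffic.
    sample = {
        "Calling-Station-Id": "00-11-22-33-44-55",
        "Called-Station-Id": "00-1a-2b-3c-4d-5e:SCANNERS",
        "Framed-IP-Address": "10.20.30.77",
    }
    print(authorize(sample))
```

Two practical caveats apply whatever product evaluates rules like these. First, the Calling-Station-Id, OUI and IP address are all chosen by the client, so conditions on them identify a device class rather than authenticate it; a station that copies a scanner's MAC prefix and joins the scanner SSID satisfies rule 1. Second, a client authenticating for the first time usually has no IP address yet, so Framed-IP-Address is generally only available once accounting has reported it, which means an IP-based condition tends to apply on re-authentication rather than on the initial request.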