ISE and non-802.1x devices

Hi,

I am looking for some input about how to profile and authorize non-802.1x devices. These devices are mostly barcode scanners connecting wireless with WPA/2. I am not sure how to authenticate them in ISE.

We have two scenarios.

1) LAP/WLC with several SSID/VLAN where the devices authenticate with WPA/2.

2) Autonomous AP with several SSID/VLAN where the devices authenticate with WPA/2.

There is a possibility to authenticate them on OUI, but I would like to have at least another condition. Is it possible to use the WPA PSK?

For the second scenario; is it possible to use an autonomous AP and ISE? Barcode scanners need to go to one VLAN and other non-802.1x devices to another. My guess is that the config should be somewhat similar to a switch, regarding AAA/RADIUS.

Has anyone set up ISE with non-802.1x devices? What/how did you do it?

Regards

Philip

15 Replies

edondurguti
Level 4

I've added a local username in ISE and configured all scanners with that username.
I've also created an authorization rule:
If username = scanner-user = allow access (you can try to set the VLAN)
I have a separate SSID/interface on the WLC for this purpose :). Because when RADIUS NAC is selected, bridges and other things don't connect.

Sent from Cisco Technical Support iPhone App

nspasov
Cisco Employee

There are several ways you can do this, one of them being mentioned in the post above. You can also use MAB (MAC Authentication Bypass) by manually entering MAC addresses in ISE, or utilize automatic/dynamic profiling.

MAB:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html

Profiling:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_prof_pol.html

Thank you for rating!

edondurguti: That's a smart way to solve the problem. I'll see if that is possible here.

Neno: I had read through it before I posted this, but didn't find a way to solve it smoothly. There are over 4000 devices, so adding them manually is not an option; importing them from a CSV might be possible, but since they get replaced a lot due to malfunction, an automatic solution is preferred. I have looked at the probes but haven't found anything good and unique besides OUI.

Anyone got a take on autonomous APs and ISE? Is there a guide on how to make it work?

With that many devices that change often, profiling is the way to go. For that you need the Advanced license. In profiling you can match on the OUI, and in addition you can use the SSID in your rules. The SSID is communicated in the RADIUS attributes.

The question about autonomous APs was discussed several times in the past. And sadly no one was aware of an AP that would work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I've quickly tried to authenticate against ISE with an Autonomous AP.

No luck; maybe there is a workaround, but I haven't tried as hard, or there might not be one:

Failure Reason > Authentication Failure Code Lookup

Failure Reason :

11036 The Message-Authenticator RADIUS attribute is invalid

Generated on:November 14, 2012 11:11:46 AM CST

Description

The Message-Authenticator RADIUS attribute is invalid. This maybe because of mismatched Shared Secrets.

Resolution Steps

Check whether the Shared Secrets on the AAA Client and ISE Server, match. Ensure that the AAA Client and the network device, have no hardware problems or problems with RADIUS compatibility. Also ensure that the network that connects the device to the ISE, has no hardware problems.

Perhaps a silly question, but did you add the AP as an AAA client in ISE? Also, what does the AP config look like?

You mean as a network device with a RADIUS key?

I am sorry, I was thinking in ACS terms... Yes, did you add the AP as a NAD in ISE?

Yes I did

Sorry, I took off the AP; as I said, I tried it quickly and there might be a workaround.

Thank you.

No worries, I am probably going to try to lab that out too but it might be a while as I am traveling a lot at the moment.

Great, let us know if you get it working

Thank you.

I'll try adding autonomous AP too when I have some spare time.

Another question regarding non-802.1x devices:

Is it possible to make a condition that matches on an IP address where the fourth octet is .10-15? We have some devices with static IPs that we can match on together with MAC. I can't seem to find a good solution with Operator and Attribute Value that will work.

I have never used this before, but you can probably use the "Framed-IP-Address" under the "Radius" attributes.

Thank you for rating!

The problem isn't the attribute but how to use it. I can't find a way to use wildcards.

This works:

But when adding a wildcard it doesn't work:
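To make the two rule types discussed in this thread concrete (Karsten's OUI-plus-SSID profiling match, and the Framed-IP-Address "fourth octet .10-.15" condition that a plain wildcard cannot express), here is a small first-match authorization evaluator over constructed RADIUS attribute sets. This is an added illustration, not ISE code or anything posted by the participants: the attribute values, the OUI prefixes, the VLAN numbers and the rule names are all made up, and it assumes the usual WLC layout where Calling-Station-ID carries the client MAC and Called-Station-ID carries "<AP MAC>:<SSID>". The fourth-octet range is written as a regular expression, which is the form a regex-match operator needs rather than a glob-style wildcard.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, str]

# Constructed RADIUS Access-Request attribute sets (hypothetical values, not
# captured from any real ISE or WLC). Assumed WLC behaviour: Calling-Station-ID
# carries the endpoint MAC and Called-Station-ID carries "<AP MAC>:<SSID>".
SAMPLE_REQUESTS: List[Attrs] = [
    # 1. scanner authenticating with the shared local username
    {"User-Name": "scanner-user", "Calling-Station-ID": "00-11-22-aa-bb-cc",
     "Called-Station-ID": "f0-f1-f2-f3-f4-f5:SCANNERS", "Framed-IP-Address": "10.1.1.57"},
    # 2. scanner with no username, matched on vendor OUI plus SSID
    {"User-Name": "00112233cc01", "Calling-Station-ID": "00:11:22:33:cc:01",
     "Called-Station-ID": "f0-f1-f2-f3-f4-f5:SCANNERS", "Framed-IP-Address": "10.1.1.58"},
    # 3. static-IP device in the .10-.15 range
    {"User-Name": "00aabb000012", "Calling-Station-ID": "00:aa:bb:00:00:12",
     "Called-Station-ID": "f0-f1-f2-f3-f4-f5:DEVICES", "Framed-IP-Address": "10.1.2.12"},
    # 4. unknown: scanner OUI but wrong SSID, and .16 is outside the range
    {"User-Name": "00112233cc99", "Calling-Station-ID": "00:11:22:33:cc:99",
     "Called-Station-ID": "f0-f1-f2-f3-f4-f5:DEVICES", "Framed-IP-Address": "10.1.2.16"},
]

SCANNER_OUIS = {"001122"}        # constructed vendor prefix for the barcode scanners
STATIC_DEVICE_OUIS = {"00aabb"}  # constructed vendor prefix for the static-IP devices

# "Fourth octet between 10 and 15" cannot be written as a glob wildcard
# (10.1.2.1* would also accept .1 and .16-.19); a regular expression can
# express the range exactly.
FOURTH_OCTET_10_TO_15 = re.compile(r"^(\d{1,3}\.){3}1[0-5]$")


def normalize_mac(mac: str) -> str:
    """Lower-case hex with separators removed, so 00-11-22-AA-BB-CC == 00:11:22:aa:bb:cc."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def oui_of(mac: str) -> str:
    """First three octets of the MAC, the vendor OUI profiling matches on."""
    return normalize_mac(mac)[:6]


def ssid_of(called_station_id: str) -> str:
    """Assumed '<AP MAC>:<SSID>' format: the SSID is whatever follows the last colon."""
    return called_station_id.rsplit(":", 1)[-1]


def fourth_octet_in_range(ip: str) -> bool:
    """True only for dotted-quad addresses whose last octet is 10..15."""
    return FOURTH_OCTET_10_TO_15.match(ip) is not None


@dataclass
class Rule:
    name: str
    condition: Callable[[Attrs], bool]
    vlan: int


RULES: List[Rule] = [
    Rule("scanner-by-username",
         lambda a: a.get("User-Name") == "scanner-user", vlan=100),
    Rule("scanner-by-oui-and-ssid",
         lambda a: oui_of(a.get("Calling-Station-ID", "")) in SCANNER_OUIS
         and ssid_of(a.get("Called-Station-ID", "")) == "SCANNERS", vlan=100),
    Rule("static-ip-device-10-to-15",
         lambda a: oui_of(a.get("Calling-Station-ID", "")) in STATIC_DEVICE_OUIS
         and fourth_octet_in_range(a.get("Framed-IP-Address", "")), vlan=200),
]


def authorize(attrs: Attrs) -> Tuple[str, Optional[int]]:
    """First-match evaluation, top to bottom; no matching rule means deny."""
    for rule in RULES:
        if rule.condition(attrs):
            return rule.name, rule.vlan
    return "deny", None


def authorize_all(requests: List[Attrs]) -> List[Tuple[str, Optional[int]]]:
    return [authorize(r) for r in requests]


if __name__ == "__main__":
    for req, (rule, vlan) in zip(SAMPLE_REQUESTS, authorize_all(SAMPLE_REQUESTS)):
        print(f"{req['Calling-Station-ID']:>18} {req['Framed-IP-Address']:>12} -> {rule} vlan={vlan}")
```

Two things to keep in mind when moving this to a real policy: the MAC/OUI check is only as strong as the address itself, which is why pairing it with a second attribute (SSID, or the static address) is worth the trouble; and at first association a wireless client usually has no IP yet, so a Framed-IP-Address condition only becomes meaningful once the address is known, for example from accounting or a re-authentication.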