ISE+WLC Partial MAC Address Authentication

r3kr4p
Level 1

Hello,

I have a small network with a few WLCs, each with multiple WLANs, as well as an ISE server. One of the SSIDs I have is open, and I would like to authenticate it using ISE. All of the clients connecting to this network will have one of three different OUIs (first 6 digits of the MAC), so I would like to set up authentication using that. Only clients with those three OUIs will be allowed, and all others will be blocked. I am fairly new to ISE and not sure where to start on this problem.

Thanks!

13 Replies

balaji.bandi
Hall of Fame

Don't you think using only "(first 6 digits of the MAC)" is a security risk? Why not have the full MAC address of the device and make profiles?

Any reason you cannot do that? MAB is only used if the supplicant cannot be installed.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I considered that option. The problem with that is I have over 200,000 unique devices and that list is continuously growing, so I would have a massive list of devices that would continuously have to be updated. I realize this is not optimal from a security perspective, but individual MAC filtering is not feasible.

Do you have any other layered authentication (like how we do BYOD)?

BB


No, I am just trying to authenticate by OUI.

It's the governance and security policy of your business - technically it works, but, as I gave a heads-up, with a security risk.

BB


I appreciate the replies. Ignoring security risks for the moment, if you know how to implement partial MAC authorization using ISE, any help would be greatly appreciated.

littleyoda
Level 1

Huge security risk with an open SSID and only filtering on OUI, even if it's an isolated network. Maybe add some profiling, or switch to PSK + OUI filtering?

Thank you for the reply; however, at this moment I am not worried about security. I am simply trying to figure out how to implement partial MAC auth in the first place. If you know how, any help would be greatly appreciated.

If the business is not worried much, you can carry on and it works as expected.

Example:

http://www.network-node.com/blog/2016/1/2/ise-20-profiling

 

BB


My point is I do not know how to implement this, as in, I do not know how to configure ISE to do this.

The steps are clear in the document. If you are worried much, I would suggest hiring a consultant for the piece of work as a mini project.

BB


The steps may be clear to you, but they are not to me. That is why I am asking for help here. Which document are you referring to? Also, I do not have money to hire a consultant, which again is why I am asking for help here.

A couple of suggestions:

1. The document has clear steps (spend some time reading, and ask which steps were not clear) - the document also provides screenshots - just like spoon-feeding.

Example:

http://www.network-node.com/blog/2016/1/2/ise-20-profiling

If you are not in a position to hire a consultant, then you need to spend time reading the documents, understand, deploy and test it.

It requires some understanding; it's not something you can do 1-2-3, kind of.

Time is valuable for everyone, so we do our best to support the community (we do encourage people to learn and improve; at the same time we also learn here where possible).

 

BB
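
The prefix match the question asks for, written out in Python as an added example; it is not part of the thread and is not ISE configuration. The OUIs and sample addresses are constructed placeholders, and the check also separates out locally administered (randomized) addresses, whose first three bytes are not an IEEE-assigned vendor prefix.

```python
import re

# Constructed placeholder OUIs (assumption); replace with the three vendor
# prefixes actually in use. None of these values come from the thread.
ALLOWED_OUIS = {"001122", "A4B5C6", "F0E1D2"}

def normalize_mac(raw):
    """Return 12 uppercase hex digits, or None if raw is not a MAC address.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aabbccddeeff.
    """
    digits = re.sub(r"[:\-.]", "", raw.strip())
    if re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return digits.upper()
    return None

def evaluate(raw):
    """Return (decision, reason) for a client MAC string."""
    mac = normalize_mac(raw)
    if mac is None:
        return ("deny", "malformed")
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:
        # Group (multicast) bit set: never a valid client source address
        return ("deny", "multicast-source")
    if first_octet & 0x02:
        # Locally administered bit set: e.g. a randomized/private address,
        # so the first three bytes say nothing about the vendor
        return ("deny", "locally-administered")
    if mac[:6] in ALLOWED_OUIS:
        return ("permit", "oui-match")
    return ("deny", "oui-not-allowed")

# Constructed sample inputs in several delimiter styles
SAMPLES = [
    "00:11:22:aa:bb:cc",   # allowed OUI, colon style
    "A4-B5-C6-01-02-03",   # allowed OUI, hyphen style
    "f0e1.d2aa.0001",      # allowed OUI, dotted style
    "da:a1:19:00:00:01",   # locally administered bit set
    "00:99:88:00:00:01",   # globally unique, but OUI not on the list
    "00:11:22:aa:bb",      # too short
]

if __name__ == "__main__":
    for sample in SAMPLES:
        decision, reason = evaluate(sample)
        print(f"{sample:<20} {decision:<7} {reason}")
```

Logging the deny reason separately for locally administered addresses helps when legitimate devices with MAC randomization enabled start failing the prefix check.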
