07-14-2021 02:34 PM
Hello,
I have a small network with a few WLCs, each with multiple WLANs, as well as an ISE server. One of the SSIDs I have is open, and I would like to authenticate it using ISE. All of the clients connecting to this network will have one of three different OUIs (first 6 digits of the MAC), so I would like to set up authentication using that. Only clients with those three OUIs will be allowed, and all others will be blocked. I am fairly new to ISE and not sure where to start on this problem.
Thanks!
07-14-2021 03:19 PM
Don't you think using only the "(first 6 digits of the MAC)" is a security risk? Why not use the full MAC address of the device and make profiles?
Is there any reason you cannot do that? MAB is only used if the supplicant cannot be installed.
07-14-2021 03:35 PM
I considered that option. The problem with that is I have over 200,000 unique devices and that list is continuously growing, so I would have a massive list of devices that would continuously have to be updated. I realize this is not optimal from a security perspective, but individual MAC filtering is not feasible.
07-15-2021 12:15 AM
Do you have any other layered authentication (like how we do BYOD)?
07-15-2021 09:48 AM
No, I am just trying to authenticate by OUI.
07-15-2021 02:18 PM
It's the governance and security policy of your business. Technically it works, but as I gave a heads-up, there is a security risk.
07-16-2021 09:37 AM
I appreciate the replies. Ignoring security risks for the moment, if you know how to implement partial MAC authorization using ISE, any help would be greatly appreciated.
07-15-2021 03:46 PM
Huge security risk with an open SSID and only filtering on OUI, even if it's an isolated network. Maybe add some profiling? Or switch to PSK + OUI filtering?
07-16-2021 09:36 AM
Thank you for the reply; however, at this moment I am not worried about security. I am simply trying to figure out how to implement partial MAC auth in the first place. If you know how, any help would be greatly appreciated.
07-16-2021 10:18 AM - edited 07-16-2021 10:19 AM
If the business is not worried much, you can carry on and it works as expected.
Example:
http://www.network-node.com/blog/2016/1/2/ise-20-profiling
07-16-2021 10:20 AM
My point is I do not know how to implement this, as in, I do not know how to configure ISE to do this.
07-17-2021 02:47 AM
The steps are clear in the document. If you are worried much, I would suggest hiring a consultant for the piece of work as a mini project.
07-19-2021 09:17 AM
The steps may be clear to you, but they are not to me. That is why I am asking for help here. Which document are you referring to? Also, I do not have money to hire a consultant, which again is why I am asking for help here.
07-19-2021 09:58 AM
Couple of suggestions:
1. The document has clear steps (spend some time reading, and ask which steps were not clear). The document also provides screenshots, just like spoon-feeding.
Example:
http://www.network-node.com/blog/2016/1/2/ise-20-profiling
If you are not in a position to hire a consultant, then you need to spend time reading the documents, understand, deploy and test it.
It requires some understanding; it's not the kind of thing you can do 1-2-3.
Time is valuable for everyone, so we do our best to support the community (we encourage people to learn and improve; at the same time we also learn here where possible).