10-08-2021 11:01 AM
Hi Experts,
Is configuring MAC binding and 802.1X together a good idea?
Has anyone done this kind of deployment earlier? Any side effects if these both are working together on the switch?
Also, can this be configured for Wireless network?
Also what are the use cases where this deployment would make sense?
10-17-2021 01:23 PM
Hello
I used to believe that MAB and 802.1X were not possible for the same sessions (mutually exclusive). But you can indeed (at least I have done this with wireless SSID) combine the two. I can't recall which auth method the Cisco WLC performs first. I seem to recall it was 802.1X, followed by MAB. I have not had that use case but there was a question on the Community a long time ago where someone asked the question and I tested it.
Perhaps it could be considered an extra level of access control - I would not use "security" because MAB should never be considered secure. More like, "level of difficulty". Due to MAC randomisation, I also don't believe that we should tie too much logic to MAC addresses. The MDM world has already moved on to UDID instead of MAC address because of randomisation.
10-20-2021 05:44 AM
Yes, this makes sense why it should not be solely used for restricting access to the users.
But then in case of BYOD flow, if I am able to require only one MAC address per user, then in that case does the user device have a fixed MAC address to be used for network access?
Or at least turn off MAC randomization on their devices?
10-20-2021 02:46 PM
MAC randomization could throw a spanner in the works if the user ends up fiddling with the WLAN settings on the device (i.e. turning private MAC on/off) - in the case of Cisco BYOD onboarding the MAC address that was used at the time of onboarding is baked into the client certificate and you may wish to use that as an extra Authorization step in ISE. That is not MAB, and now I understand your question about "binding" the MAC to the supplicant authentication, by means of embedding it in the client certificate. A better mechanism would be some kind of device serial or UDID which doesn't change and is unrelated to MAC address. This is already happening with MDM vendors (Microsoft Intune) and ISE 3.1 - hopefully other MDM vendors will do the same.
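As an added illustration of the extra authorization step described in the reply above (this is example code, not the poster's configuration or anything from Cisco ISE): the MAC embedded in the client certificate at onboarding is compared with the RADIUS Calling-Station-ID of the current session, and a mismatch caused by a randomized (locally administered) MAC is flagged so the helpdesk can tell "private MAC was switched on" apart from a genuinely different device. The session records and the MAC values in them are constructed, and it is assumed the MAC has already been pulled out of the certificate SAN/CN into the `cert_san_mac` field.

```python
import re

# Constructed sample sessions, modelled on the attributes a switch/WLC sends to ISE.
# Calling-Station-ID is the client MAC in Cisco's "AA-BB-CC-DD-EE-FF" form;
# cert_san_mac is the MAC that was embedded in the BYOD client certificate.
SAMPLE_SESSIONS = [
    {"Calling-Station-ID": "00-1A-2B-3C-4D-5E", "cert_san_mac": "00:1a:2b:3c:4d:5e"},
    # same certificate, but the device now uses a private (random) MAC
    {"Calling-Station-ID": "D2-11-22-33-44-55", "cert_san_mac": "00:1a:2b:3c:4d:5e"},
    # certificate without any MAC to bind to
    {"Calling-Station-ID": "001a.2b3c.4d5e", "cert_san_mac": None},
]


def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits regardless of separator style
    (colon, hyphen, Cisco dotted-quad, or none)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of the first octet) is set. Vendor burned-in
    addresses have it clear; OS-generated private/random MACs set it."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def authorize(session):
    """Model of the extra ISE authorization condition: the certificate MAC must
    equal the session's Calling-Station-ID. Returns (decision, reason)."""
    radius_mac = normalize_mac(session["Calling-Station-ID"])
    cert_mac = session.get("cert_san_mac")
    if cert_mac is None:
        return ("deny", "certificate carries no MAC to bind to")
    if normalize_mac(cert_mac) != radius_mac:
        reason = "certificate MAC does not match session MAC"
        if is_locally_administered(radius_mac):
            reason += " (session MAC is locally administered: private/random MAC likely enabled)"
        return ("deny", reason)
    return ("permit", "certificate MAC matches session MAC")


if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s["Calling-Station-ID"], "->", authorize(s))
```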