
MAC filtering with Meraki and ISE

kshah2589
Level 1

Hello,

We are using Meraki access points and Cisco ISE in our environment, and the following are our requirements.

We have two sets of IoT devices in our environment: one which supports MAC address filtering, and another which doesn't support the functionality and requires a password to connect. However, we are looking for a solution in which we create a single SSID for both of these types of devices to connect to.

Let me know if someone has solutions or suggestions.

 

 



Arne Bier
VIP

What do you mean by "IOT device that supports MAC filtering"? Where is this done?

MAC filtering is applied on networking devices such as WLCs and switches (or, via ISE) - but if we are talking about ISE, then the wireless IOT device must connect to the network via some method such as PSK, 802.1X or open SSID.  You can't mix and match PSK, 802.1X or open SSIDs.

Thanks, Arne, for the reply, and it is nice talking to you again.

I mean IoT devices like Samsung TVs/iPad/Roku devices that work well if we whitelist their MAC addresses. However, devices like Sonos speakers/Videri displays don't work if we whitelist MAC addresses because they require a password to connect.

Correct, we can't mix and match PSK, 802.1X or open SSIDs, but we are looking for a solution that configures a single SSID to support both kinds of devices by leveraging ISE. We are looking for something like this: if devices are part of group A, they can connect to the SSID by whitelisting their MAC addresses, and if devices are part of group B and their MAC addresses are whitelisted, then by configuring some kind of policy ISE throws back a challenge to those devices to enter a password so they are able to connect.

Let me know if you have more questions.

Regards,

Kunal

 

@kshah2589 - ISE can't inject a password into a user application interface. ISE talks RADIUS to the Meraki WAP and does what the Meraki WAP asks of it (e.g. check a MAC address, or perform 802.1X). 

The only potential interaction with end devices would be an ISE guest portal - but that requires the IoT device to make an HTTP request, which ISE will redirect to itself to present a guest portal. That's an HTTP communication which in this case would be very difficult to mangle into something that would automatically perform a password login of the IoT device. Nah. This is an IoT issue that the IoT device must solve. Anything that requires human interactive actions is not AAA compatible.

Thanks Arne for the explanation. 

Do you have any other recommendations to solve this problem?

Regards,

Kunal

Arne Bier
VIP

Sonos is a consumer-grade product and trying to get these to connect to an Enterprise-grade secure network is bound to be a bit tricky. Perhaps another community forum has some advice on how to get around the password requirement.

Thanks for the help and all the suggestions.

We have a handful of devices, not just the speakers, that require a password. The reason we are doing all these exercises is that our organization's end goal is to go passwordless for wireless authentication.

Regards,

Kunal