03-17-2017 12:39 AM - edited 03-11-2019 12:33 AM
Hi!
I do have to migrate some of our SSIDs into 1 single SSID. To give you a brief background about the setup:
1. We currently have 5 SSIDs (ex. ss1, ss2, ss3, ss4, ss5) with different VLANs for each. All clients that are connecting to the said SSIDs cannot support dot1x and they are currently using PSK for security.
2. We will need to migrate those 5 SSIDs into 1 single SSID (ex. newssid), use dynamic VLANs and integrate it with Cisco ISE.
3. Since those devices don't support 802.1X, is it possible to use PSK for the authc and integrate it with ISE with dynamic filtering and MAC address filtering?
Thanks!
03-17-2017 02:12 AM
You can use MAB with Endpoint Groups, for example: the devices that connected to SSID1 go into Endpoint Group 01, and you can configure an authorization policy with this group in the condition and the dynamic VLAN in the result.
03-17-2017 09:55 AM
Hi,
You can use one PSK for newssid (on 8.3+ code only), have it configured on all wireless endpoints and then use an ISE authorization profile to override the WLC interface (VLAN) based on ISE endpoint info (endpoint group, MAC address, profiling, etc.).
Here is documentation about WPA-PSK and RADIUS (NAC):
http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn83.html#31794
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-3/config-guide/b_cg83/b_cg83_chapter_0100111.html#d49566e8409a1635
Let me know if you need more info.
03-19-2017 11:28 PM
Hi Mile,
Thanks for your reply.
As I checked, it will be needed to have CWA.
For my requirements:
- The PSK and MAC filtering should be handled by the WLC - currently working and I can connect to the SSID.
- ISE will be the one that will authorize and provide the dynamic VLAN assignment.
The problem is, whenever I connect to the SSID, I cannot see logs on ISE.
How do you guys configure an authc policy on ISE for an SSID that has PSK security and is handled by the WLC?
Thank you.
03-20-2017 08:11 AM
Hi, it's very simple:
In your scenario, you will not see anything on the ISE because all authentication is done locally via WLC. Of course ISE will not be aware of that.
CWA uses MAC filtering to provide authentication via Web Portal for unknown MACs. You can still use ISE to do MAC filtering, but you create policies to be matched based on known MAC addresses instead of the CWA result.
CWA is used to identify unknown PCs, guest access, etc., but even on wireless, you can "whitelist" all devices that do not have web browsers, like printers, Roku and Chrome players, projectors, etc. It's the same concept for you.
So, you should use PSK on the WLC, then RADIUS NAC and ISE as RADIUS server for MAC address filtering, configure policies for Wireless MAB, do not use CWA in your policies, just create policies that will assign a specific Endpoint group (pre-filled with known MACs) to specific VLANs.
03-20-2017 11:14 PM
As I read on Cisco docs, and I also want to confirm it, CWA most likely needs to have a splash page/portal, right?
03-21-2017 05:14 AM
Again, you are not using CWA. CWA is a portal for authentication based on username/password and requires a splash page and user intervention.
You can use Wireless MAB to do MAC filtering and VLAN assignment, no need to use CWA at all.
03-21-2017 06:53 PM
Oh very sorry, missed it.
Since the PSK is on the WLC, the policy that I should create is in the authorization?
Here are the steps that I made.
- Since there is an upper policy for Wired and Wireless MAB that will use Internal Endpoints, when I connect to the SSID, it should hit that policy, right?
- I created an Endpoint group with the specific MAC address inside.
- I created an authz policy for that Endpoint group.
When I connect to the SSID, since it will hit the first Authentication Policy which is MAB, it should reflect in the Authentications, right? But so far I cannot see my MAC address in the Authentications.
03-22-2017 04:38 AM
You need to configure SSID to use RADIUS NAC.
Also, on L2 security it should be MAC filtering.
On L3 security, make sure you add your ISE servers.
Make sure the ISE servers have the WLC as an AAA Client.
Make sure the pre-shared key is the same.
There could be multiple reasons why you don't see your MAC address in the ISE logs, but it shouldn't be related to your policy configuration.
If the policy is wrong, you still should see the MAC address, but it would be denied or the wrong authorization profile would be applied; there is a 99% chance that the MAC address will be in the logs.
If you do not see the MAC address in the ISE logs, either there is no good communication between the WLC and ISE, or the WLC is not sending RADIUS requests to ISE...
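To make the two points in this thread concrete (the 03-20 post: MAB with endpoint groups mapped to VLANs instead of CWA; the post above: the WLC only sends RADIUS requests when MAC filtering and RADIUS NAC are on, and a wrong policy still produces a log entry), here is an added Python model of the WLC-to-ISE exchange. It is not code from the thread, from Cisco, or from any WLC/ISE software; the WLAN fields, endpoint group names, MAC addresses and VLAN IDs are constructed sample data. The RADIUS attribute numbers (Service-Type Call-Check, Tunnel-Type VLAN, Tunnel-Medium-Type 802, Tunnel-Private-Group-ID) are the real ones used for MAB and dynamic VLAN assignment.

```python
from dataclasses import dataclass

# RADIUS attribute values used for MAB and dynamic VLAN assignment
# (RFC 2865 Service-Type Call-Check; RFC 2868 tunnel attributes).
SERVICE_TYPE_CALL_CHECK = 10
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6


def normalize_mac(mac: str) -> str:
    """Canonical form (lowercase, colon-separated) so WLC and ISE agree on the key."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Wlan:
    """Hypothetical subset of WLAN settings that decide whether the WLC consults ISE."""
    ssid: str
    l2_security: str            # "wpa2-psk" or "wpa2-802.1x" (sample values)
    mac_filtering: bool         # Layer 2 security: MAC filtering
    radius_nac: bool            # Advanced: NAC State = RADIUS NAC
    aaa_override: bool          # Allow AAA Override, needed for the VLAN from ISE to apply
    wlc_version: tuple = (8, 3)


def build_mab_request(wlan: Wlan, client_mac: str):
    """Return the MAB Access-Request the WLC would send to ISE, or None when the
    PSK authentication completes locally on the WLC and ISE is never contacted."""
    mac = normalize_mac(client_mac)
    if "psk" in wlan.l2_security and wlan.radius_nac and wlan.wlc_version < (8, 3):
        # Mirrors the WLC error quoted in the thread: PSK + RADIUS NAC needs 8.3+.
        raise ValueError("RADIUS NAC with PSK requires WLC 8.3 or newer")
    if not (wlan.mac_filtering and wlan.radius_nac):
        return None
    return {
        "User-Name": mac,                           # MAB: the MAC is the identity
        "Calling-Station-Id": mac,
        "Service-Type": SERVICE_TYPE_CALL_CHECK,    # tells ISE this is MAB, not PAP
        "Called-Station-Id": wlan.ssid,
    }


@dataclass
class IsePolicy:
    """Endpoint identity groups (name -> set of MACs) and ordered authz rules (group, VLAN)."""
    endpoint_groups: dict
    authz_rules: list


def ise_authorize(policy: IsePolicy, request: dict):
    """MAB authentication against Internal Endpoints, then first-match authorization.
    Returns (decision, RADIUS attributes, live-log entry). Rejects are logged too."""
    mac = request["User-Name"]
    log = {"mac": mac, "ssid": request["Called-Station-Id"], "protocol": "MAB"}
    if request.get("Service-Type") != SERVICE_TYPE_CALL_CHECK:
        return "Access-Reject", {}, {**log, "reason": "not a MAB request"}
    for group, vlan in policy.authz_rules:
        if mac in policy.endpoint_groups.get(group, set()):
            attrs = {
                "Tunnel-Type": TUNNEL_TYPE_VLAN,
                "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
                "Tunnel-Private-Group-ID": str(vlan),
            }
            return "Access-Accept", attrs, {**log, "result": "accept", "group": group, "vlan": vlan}
    return "Access-Reject", {}, {**log, "result": "reject", "reason": "MAC in no endpoint group"}


def connect(wlan: Wlan, policy: IsePolicy, client_mac: str):
    """End-to-end: (did ISE see the client, ISE decision, VLAN applied by the WLC).
    VLAN None means the client stays on the WLAN's default interface."""
    request = build_mab_request(wlan, client_mac)
    if request is None:
        return False, None, None          # nothing reaches ISE, so nothing in its logs
    decision, attrs, _log = ise_authorize(policy, request)
    vlan = None
    if decision == "Access-Accept" and wlan.aaa_override:
        vlan = int(attrs["Tunnel-Private-Group-ID"])
    return True, decision, vlan


# Constructed sample data: devices from two of the old SSIDs, pre-loaded into endpoint groups.
SAMPLE_POLICY = IsePolicy(
    endpoint_groups={
        "ss1-devices": {"00:11:22:33:44:55"},
        "ss2-devices": {"00:11:22:33:44:66", "00:11:22:33:44:67"},
    },
    authz_rules=[("ss1-devices", 101), ("ss2-devices", 102)],
)
LOCAL_ONLY = Wlan("newssid", "wpa2-psk", mac_filtering=False, radius_nac=False, aaa_override=True)
WITH_ISE = Wlan("newssid", "wpa2-psk", mac_filtering=True, radius_nac=True, aaa_override=True)

if __name__ == "__main__":
    print(connect(LOCAL_ONLY, SAMPLE_POLICY, "00-11-22-33-44-55"))  # (False, None, None)
    print(connect(WITH_ISE, SAMPLE_POLICY, "00-11-22-33-44-55"))    # (True, 'Access-Accept', 101)
    print(connect(WITH_ISE, SAMPLE_POLICY, "de:ad:be:ef:00:01"))    # (True, 'Access-Reject', None)
```

The first call is the situation described earlier in the thread: PSK only, no MAC filtering, no RADIUS NAC, so ISE never receives a request and its live log stays empty. The second shows a known MAC landing in VLAN 101 through the tunnel attributes; the third shows an unknown MAC being rejected but still logged, which is why an empty log points at WLC-to-ISE transport rather than at the policy.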
03-22-2017 11:45 PM
For RADIUS NAC, it's in the NAC State, then select RADIUS NAC, right?
Got some problem enabling it since when I enable it, it says:
"Radius NAC is available only for WLANs that are configured for 802.1x/wpa/wpa2 layer 2 security or open Auth + MAC Filtering"
When I use 802.1X it goes fine, but the requirement is it should be PSK not 802.1X.
For the L2 security, it's already WPA+WPA2 but still can't use RADIUS NAC as the NAC State.
03-23-2017 04:47 AM
Hi,
As I mentioned, WLC 8.3 or a newer train (if it exists) is required for this. Previous releases of WLC code do not support RADIUS NAC and PSK.
05-01-2018 05:20 PM
Hi Mile, we have the same issue with trying to use RADIUS and PSK with a WLC prior to version 8.3. I understand that this is a bug. My question is, if we decide to use RADIUS NAC without PSK (Open Auth), does that mean our traffic is unencrypted?