02-21-2014 08:07 AM - edited 03-10-2019 09:26 PM
I am trying to figure out a solution on wireless MAB authentication from WLC to ISE 1.2, the device MAC will be added to an identity group. I think now if that is possible or the configuration that is needed for that to happen. I searched the web on configuration guide for wireless MAB, but got nothing. Thanks for the help!
02-24-2014 10:39 AM
This might be useful.
02-24-2014 10:41 AM
To get around MAC spoofing you can use the profiler service to probe devices and get more information. There may already be an Endpoint Profile for AppleTVs, but I'm not sure. Anyway, at that point, you can use MAC filtering AND endpoint profiling to ensure that it really is an Apple TV.
02-24-2014 10:36 AM
Hmm, couldn't you create a new hidden (not for security reasons) WLAN and simply use the same interface or interface group as the WLAN with PSK enabled? Bearing in mind MAB is somewhat insecure compared to WPA/2 PSK.
02-24-2014 10:58 AM
-jjohnston1127
The profiler service is running on the ISE node. Apple iDevices are profiling correctly, I'll be sure to use that comeback. Thanks
-wing_man
Yes, that is what I am thinking about, hiding the SSID for the Apple TV, and MAB is somewhat insecure, but I don't want users/vendors having to enter a password for the AppleTV just to connect to the Wi-Fi. I don't have a clue on wireless yet, supposed to learn wireless after I get my CCNP and NP Security.
Thanks for the helpful tips
02-25-2014 01:40 AM
I agree with JJohnston. Definitely use profiling. But I would advise you isolate the VLAN from the rest of your LAN/wireless networks using ACLs on your LAN network. Although both are good, they are still weak against someone less determined.
Generally we only hide wireless LANs so that users don't get confused and try to access a WLAN which they're not supposed to. This shortens my logs considerably due to authentication errors.
02-25-2014 07:22 AM
Thanks for the information and tips, guys. Looks like this project is going to get terminated since we don't want to change our infrastructure layout and allow vendors to get access across WLANs. Security is the main point here. Thanks again, guys.
02-25-2014 12:01 PM
With respect to the last point, obviously there is an essential need for an IP to be allocated to the guest prior to web authentication as the device needs to interact with the Guest portal, regardless if it is hosted on the ISE or the WLC.