This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I am trying to figure a solution on wireless MAB authentication from WLC to ISE 1.2, the device MAC will be added to a identity group. I think now if that possible or the configuration that is needed for that to happen. I search the web on configuration guide fore wireless mab, but got nothing. Thanks for the help!
To get around MAC spoofing you can use the profiler service to probe devices and get more information. There may already be an Endpoint Profile for AppleTVs, but I'm not sure. Anyway, at that point, you can use MAC filtering AND endpoint profiling to ensure that it really is an Apple TV.
Hmm, couldn't you create a new hidden (not for security reasons) WLAN and simply use the same interface or interface group as the WLAN with PSK enabled? Bearing in mind MAB is somewhat insecure compared to WPA/2 PSK
The pofiler service is running on the ISE node. Apple iDevice are profiling correcting, I'll be sure to use that comeback. thanks
Yes that what I am thinking about hiding the SSID for the apple TV and MAB is somewhat insecure but i dont want users/vendors having to enter password for the AppleTV just to connect to the Wifi. I don't have a clue on Wireless yet, suppose to learn Wireless after I get my CCNP and NP security.
Thanks for the helpful tips
I agree with JJohnston. Definitely use profiling. But I would advise you isolate the Vlan from the rest of your LAN/Wireless networks using ACL's on your LAN network. Although both are good, they are still weak against someone less determined.
Generally we only hide wireless lans so that users don't get confused and try to access a WLAN which they're not supposed to. This shortens my logs considerably due to authentication errors.
Thanks, for the information and tips guys. Looks like this project is going to get terminate since we don't to change our
infrastructure layout and allow vendors to get access across WLANs.. Security is the main point here.. thanks again guys
With respect to the last point, obviously there is an essential need for an IP to be allocated to the guest prior to web authentication as the device needs to interact with the Guest portal, regardless if it is hosted on the ISE or the WLC.