cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

6971
Views
5
Helpful
21
Replies
Highlighted
Beginner

Wireless MAB authentication

I am trying to figure a solution on wireless MAB authentication from WLC to ISE 1.2, the device MAC will be added to a identity group. I think now if that possible or the configuration that is needed for that to happen. I search the web on configuration guide fore wireless mab, but got nothing. Thanks for the help!

21 REPLIES 21
Highlighted

Highlighted

To get around MAC spoofing you can use the profiler service to probe devices and get more information.  There may already be an Endpoint Profile for AppleTVs, but I'm not sure. Anyway, at that point, you can use MAC filtering AND endpoint profiling to ensure that it really is an Apple TV.

Highlighted

Hmm, couldn't you create a new hidden (not for security reasons) WLAN and simply use the same interface or interface group as the WLAN with PSK enabled? Bearing in mind MAB is somewhat insecure compared to WPA/2 PSK

Highlighted

-jjohnston1127

The pofiler service is running on the ISE node. Apple iDevice are profiling correcting, I'll be sure to use that comeback. thanks

-wing_man

Yes that what I am thinking about hiding the SSID for the apple TV and MAB is somewhat insecure but i dont want users/vendors having to enter password for the AppleTV just to connect to the Wifi. I don't have a clue on Wireless yet, suppose to learn Wireless after I get my CCNP and NP security.

Thanks for the helpful tips

Highlighted

I agree with JJohnston. Definitely use profiling. But I would advise you isolate the Vlan from the rest of your LAN/Wireless networks using ACL's on your LAN network. Although both are good, they are still weak against someone less determined.

Generally we only hide wireless lans so that users don't get confused and try to access a WLAN which they're not supposed to. This shortens my logs considerably due to authentication errors.

Highlighted

Thanks, for the information and tips guys. Looks like this project is going to get terminate since we don't to change our

infrastructure layout and allow vendors to get access across WLANs.. Security is the main point here.. thanks again guys

Highlighted
Participant

With respect to the last point, obviously there is an essential need for an IP to be allocated to the guest prior to web authentication as the device needs to interact with the Guest portal, regardless if it is hosted on the ISE or the WLC.

Content for Community-Ad