
WLC MAB with 802.1x Authentication

CA_HA (Level 1)

Hello,

 

I'm trying to setup a Cisco WLC attached to an ISE server to complete the following:

 

- 802.1x authentication for devices that support 802.1x,

- MAB for legacy devices that don't support 802.1x.

 

The ISE is authenticating users with 802.1x, however I cannot get the MAB working. I can see the rule getting hits, however the devices do not connect to the wireless SSID. The device just hangs and sits trying to connect until it eventually fails. I don't get a reason showing in the logs however.

12 Replies

Jason Kunst (Cisco Employee)
I assume you have 2 separate SSIDs? 1 for dot1x and 1 for OPEN (MAB)

There should be a built in basic authenticated access. Did you use that rule? It will allow them through.

You can use the guest deployment guide to get some examples (removing redirection to portals and other aspects) on how MAB rules work.

https://community.cisco.com/t5/security-documents/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475

https://community.cisco.com/t5/security-documents/ise-training/ta-p/3619944


Thank you for your reply Jason.

 

I've setup an additional SSID to test the MAB with. Is it possible to have an SSID setup with both to do MAB and dot1x authentication?

 

I'm using this default rule and can see the rule getting hits so I know that rule is working.

 

I will take a look at the guides now, thank you for attaching them.

Nope - at least not on a Cisco WLC. The Cisco WLC with 802.1X enabled will always send EAP frames to ISE because the WLC does not have a fallback to MAB auth (like a Cisco switch does). The client has to be configured with a supplicant in order to get any attention from the SSID configured with 802.1X. It's not technically possible to associate to an 802.1X SSID if you're not using a supplicant.

In the wired world this is different. The client can have no supplicant, but because it causes a link-up on a switch, it can pass frames to the switch port for analysis. This is the key difference. On a Cisco switch you can specify that 802.1X is tried first, and if Radius does not respond positively, then try MAB next, and failing that, chuck the user in a guest VLAN.

 

 

Thanks Arne.

 

I was under the impression that it would still follow the Authorisation rules (hit MAB first and then, if there are no authenticated MACs, go to 802.1X). However, it sounds like this isn't the case?

 

I've managed to get the MAB working on a separate SSID - I assume this is how it will have to be? One SSID for MAB and one SSID for 802.1X?

Hi @CA_HA

I can only speak about how the Cisco WLC works, since that is the one I understand the best.  The problem is that the WLC WLAN has to be set to be of a certain type/mode.  You cannot configure the WLAN profile to be MAB & 802.1X.   And when the WLAN is configured as 802.1X then it will only authenticate the client session if, and only if, the Radius server returns an EAP Success in the final Radius Access-Accept EAP payload.  If it doesn't, then the client session remains in 802.1X_REQD state, waiting for a miracle to happen.  So let's assume you have a wireless client that does not have a supplicant configuration.  In most cases it won't be able to even attempt to connect to the 802.1X SSID.  Windows 10 for example will try PEAP by default, but that is not MAC auth either.  The comms will break down due to things like TLS establishment failures etc.  You can't short circuit an EAP conversation. 

In the wired world there is no requirement to have a supplicant in order to send an Ethernet frame to a switch port. The switch (configured primarily for 802.1X) will wait patiently for an EAPOL message, and also send EAPOL START frames - depending on your timers (say 30 seconds) this song and dance will lead nowhere and the switch will eventually give up. And if you configured MAB as the next auth method, then the switch will pass on your Ethernet frame to the AAA for MAC authentication. This concept does not work in the wireless domain because OSI Layer 1 and 2 work differently.

Having two SSIDs would do the trick - you can try cool stuff like Identity PSK on Cisco controllers where each wireless client can potentially have different pre-shared key depending on their MAC address.
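To make the wired fallback order described above concrete, here is an IBNS 1.0-style Cisco IOS access-port configuration. It is an example added to this thread, not text from Arne or from Cisco documentation: the port tries 802.1X first, moves on to MAB when RADIUS rejects the EAP attempt or no supplicant ever answers, and puts a device that fails both into a guest VLAN. The interface name, VLAN numbers, RADIUS group and timer values are placeholders chosen for illustration.

```cisco
! Added example (not from the thread): wired 802.1X -> MAB -> guest VLAN fallback
! on a Cisco IOS switch. Interface, VLAN ids and timers are illustrative placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
interface GigabitEthernet1/0/10
 description access port: dot1x first, then MAB, then guest VLAN
 switchport mode access
 switchport access vlan 10
 ! try 802.1X before MAB, and let an 802.1X result win if both run
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! supplicant present but RADIUS rejects it: fall through to the next method (MAB)
 authentication event fail action next-method
 ! no EAPOL reply after the dot1x timers expire and MAB fails too: guest VLAN 900
 authentication event no-response action authorize vlan 900
 mab
 dot1x pae authenticator
 ! 3 EAPOL Request-Identity frames 10 s apart = about 30 s before giving up on 802.1X
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
```

The tx-period and max-reauth-req values are what produce the "say 30 seconds" wait mentioned above: tx-period x (max-reauth-req + 1) = 10 x 3 = 30 seconds of EAPOL polling before the switch concludes there is no supplicant and hands the port to MAB. Nothing equivalent exists on a WLC WLAN, because a wireless client that cannot complete EAP never gets as far as an associated session for the controller to fall back on.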

Is it possible to have MAB on a PSK secured SSID? I guess that is the same issue. When the supplicant asks to join an SSID he gets bounced back if he doesn't show the PSK, right?

Hi, I have a question about the two SSIDs. For the MAB (open) SSID, are there any security risks that I should be aware of? I know it is going to be broadcasting as an open SSID, but the ACLs are done on the WLC with ISE pointing to them.

 

Thanks 

MAB authentication can be spoofed. That’s the security risk.

Your WLC should ensure that the ACL only allows a MAB client access to the allowed subjects. You would never use MAB to grant employee access. MAB is used for guest redirection, for devices that don't have a supplicant, and for iPSK (on WLC).
Think of MAB as "identifying the client by MAC address".

Thanks that's what I was thinking.  I am presently testing with iPSK and ISE.  It is mainly for IoT devices.  So far the tests have been successful.


@BrianPersaud wrote:

Thanks that's what I was thinking.  I am presently testing with iPSK and ISE.  It is mainly for IoT devices.  So far the tests have been successful.


Nice, check out the iPSK manager on this page: cs.co/ise-byod

Fantastic Guide thanks