cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
310
Views
0
Helpful
3
Replies
Enthusiast

Best way to auth 400 devices with 1 AD account on ISE 2.2

I've got 400 devices to connect to the wireless.

Have created a AD account, this will be used on all devices which is pushed out by management server from external company.

 

I don't have the MAC addresses for deices to Endpoint import, was looking at a policy to match username and mac address starts with **-**-**-**, but finding it difficult to find the correct field to match the mac address to.

 

Any ideas or a better solution, much appreciated, looking at certificate, but that is another dept.

cheers

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate

Re: Best way to auth 400 devices with 1 AD account on ISE 2.2

Hi @craiglebutt 

 

With wireless you have to be specific about how the devices associate to the WLAN

- PSK - ISE is not involved - basic pre shared key on the device

- iPSK - ISE is involved and this is still PSK on the device, but you can assign a unique PSK on each device, provided ISE has the MAC address of the device in its Identity Group - import them via .csv

- EAP-PEAP - this is what I think you're alluding to - each device has a supplicant that has to be configured to associate to the SSID doing enterprise WPA2 - you can use the same username/password for all 400 devices, but as Damien said, if the account gets locked out then all 400 devices share the same fate.  It can work though - just create a service account in AD that can never be locked out - if you are concerned that this AD account will be abused by other devices, then that is a privacy/concern and there is not much you can do other than to keep that password as complex as possible and not tell anyone.  Or you can tied some MAC filtering to this.  The trick is to add all the MAC addresses into ISE, and then on the WLC, disable the NAC State option (if it says RADIUS/ISE, then change it to None).  This will allow you to perform 802.1X and MAB - one after the other.  If PEAP auth works, then MAB auth is next - both have to pass in order for the association to succeed.

 

 

3 REPLIES 3
Highlighted
VIP Advocate

Re: Best way to auth 400 devices with 1 AD account on ISE 2.2

You mention using a certificate, this would probably be a better choice. If you're using a traditional ad user account then a single device has the password entered incorrectly then it will lock the account out. This is still a risk with user certs, but less of an issue. Even using a management tool to push out the config, someone will try to do it manually who knows the password and make a mistake sooner or later.

As for building an authorization rule that contains a Mac address string, you're looking under the radius category, ex. "Radius:Calling-Station-ID starts with/contains 01:23:45:AB"
VIP Advocate

Re: Best way to auth 400 devices with 1 AD account on ISE 2.2

Hi @craiglebutt 

 

With wireless you have to be specific about how the devices associate to the WLAN

- PSK - ISE is not involved - basic pre shared key on the device

- iPSK - ISE is involved and this is still PSK on the device, but you can assign a unique PSK on each device, provided ISE has the MAC address of the device in its Identity Group - import them via .csv

- EAP-PEAP - this is what I think you're alluding to - each device has a supplicant that has to be configured to associate to the SSID doing enterprise WPA2 - you can use the same username/password for all 400 devices, but as Damien said, if the account gets locked out then all 400 devices share the same fate.  It can work though - just create a service account in AD that can never be locked out - if you are concerned that this AD account will be abused by other devices, then that is a privacy/concern and there is not much you can do other than to keep that password as complex as possible and not tell anyone.  Or you can tied some MAC filtering to this.  The trick is to add all the MAC addresses into ISE, and then on the WLC, disable the NAC State option (if it says RADIUS/ISE, then change it to None).  This will allow you to perform 802.1X and MAB - one after the other.  If PEAP auth works, then MAB auth is next - both have to pass in order for the association to succeed.

 

 

Enthusiast

Re: Best way to auth 400 devices with 1 AD account on ISE 2.2

Thanks both for replying both replies helped me to fix the issue.

I was trying to do it with out an endpoint database.

iPsk is next on my list once migrated old Access Points and can upgrade WLCs, which will help

 

cheers