Best way to auth 400 devices with 1 AD account on ISE 2.2

craiglebutt
Level 4

I've got 400 devices to connect to the wireless.

I have created an AD account; this will be used on all devices and is pushed out by a management server from an external company.

I don't have the MAC addresses for the devices to do an Endpoint import. I was looking at a policy to match the username and a MAC address starting with **-**-**-**, but I'm finding it difficult to find the correct field to match the MAC address on.

Any ideas or a better solution would be much appreciated. I'm looking at certificates, but that is another department.

cheers

Accepted Solution

Arne Bier
VIP

Hi @craiglebutt

With wireless you have to be specific about how the devices associate to the WLAN:

- PSK - ISE is not involved - basic pre-shared key on the device

- iPSK - ISE is involved and this is still PSK on the device, but you can assign a unique PSK to each device, provided ISE has the MAC address of the device in its Identity Group - import them via .csv

- EAP-PEAP - this is what I think you're alluding to - each device has a supplicant that has to be configured to associate to the SSID doing enterprise WPA2 - you can use the same username/password for all 400 devices, but as Damien said, if the account gets locked out then all 400 devices share the same fate. It can work though - just create a service account in AD that can never be locked out - if you are concerned that this AD account will be abused by other devices, then that is a privacy concern and there is not much you can do other than to keep that password as complex as possible and not tell anyone. Or you can tie some MAC filtering to this. The trick is to add all the MAC addresses into ISE, and then on the WLC, disable the NAC State option (if it says RADIUS/ISE, then change it to None). This will allow you to perform 802.1X and MAB - one after the other. If PEAP auth works, then MAB auth is next - both have to pass in order for the association to succeed.

3 Replies

Damien Miller
VIP Alumni

You mention using a certificate; this would probably be a better choice. If you're using a traditional AD user account, then a single device with the password entered incorrectly will lock the account out. This is still a risk with user certs, but less of an issue. Even using a management tool to push out the config, someone who knows the password will try to do it manually and make a mistake sooner or later.

As for building an authorization rule that contains a MAC address string, you're looking under the RADIUS category, e.g. "Radius:Calling-Station-ID starts with/contains 01:23:45:AB".
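
A worked example for the two mechanics discussed in this thread: the Calling-Station-ID prefix match Damien points at, and the MAC-address import into ISE that the MAB leg of Arne's 802.1X-plus-MAB setup depends on. This is an added example written for this page, not code from the thread or from Cisco ISE. The sample Calling-Station-Id values are constructed, the per-platform formats they imitate (colon, dash and dotted notation) are assumptions, and the endpoint CSV column names are an assumption based on the ISE 2.x import template, so check them against the template your own ISE generates before importing.

```python
"""Normalise RADIUS Calling-Station-Id values, evaluate an ISE-style
"starts with" MAC prefix condition, and build an ISE endpoint import CSV.

Added example; not code from the thread or from Cisco ISE.  The
Calling-Station-Id formats and the CSV column names are assumptions.
"""
import csv
import io
import re

# Constructed sample values, written the way different NADs are assumed
# to format Calling-Station-Id, plus entries that must be rejected.
SAMPLE_CALLING_STATION_IDS = [
    "01:23:45:ab:cd:01",   # assumed WLC style
    "01-23-45-AB-CD-02",   # assumed switch style
    "0123.45ab.cd03",      # assumed IOS dotted style
    "0123.46ab.cd04",      # different OUI, must not match 01:23:45
    "02:23:45:ab:cd:05",   # locally administered (randomised) address
    "192.168.10.20",       # an IP address, not a MAC
    "not-a-mac",
]

# Accepted spellings: six hex pairs with one consistent ':' or '-'
# separator, three dotted groups of four, or twelve bare hex digits.
_SEP6 = re.compile(r"[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")
_DOT3 = re.compile(r"(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}")
_BARE = re.compile(r"[0-9A-Fa-f]{12}")


def normalize_mac(raw):
    """Return the MAC as upper-case XX:XX:XX:XX:XX:XX, or None if raw is not a MAC."""
    s = raw.strip()
    if not any(p.fullmatch(s) for p in (_SEP6, _DOT3, _BARE)):
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_starts_with(raw, prefix):
    """'Starts with' on the hex digits only, so the separator the NAD used
    does not matter.  prefix may be '01:23:45', '01-23-45' or '0123.45'."""
    mac = normalize_mac(raw)
    if mac is None:
        return False
    want = re.sub(r"[^0-9A-Fa-f]", "", prefix).upper()
    return mac.replace(":", "").startswith(want)


def is_locally_administered(mac):
    """True when the U/L bit (0x02 in the first octet) is set: the address
    was not burned in by the vendor, so an OUI prefix rule will not fit it."""
    return int(mac[:2], 16) & 0x02 != 0


def filter_by_prefix(raw_ids, prefix):
    """Split raw Calling-Station-Id values into normalised matches and
    rejected values, with a reason for each rejection."""
    matched, rejected = [], []
    for raw in raw_ids:
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append((raw, "not a MAC address"))
        elif is_locally_administered(mac):
            rejected.append((raw, "locally administered address"))
        elif not mac_starts_with(mac, prefix):
            rejected.append((raw, "OUI does not match"))
        else:
            matched.append(mac)
    return matched, rejected


def build_endpoint_csv(macs, identity_group, description=""):
    """Build CSV text for ISE's endpoint import.  Column names are an
    assumption taken from the ISE 2.x template; EndPointPolicy is left
    blank so ISE profiles the endpoint itself (also an assumption)."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["MACAddress", "EndPointPolicy", "IdentityGroup", "description"])
    for mac in macs:
        w.writerow([mac, "", identity_group, description])
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = filter_by_prefix(SAMPLE_CALLING_STATION_IDS, "01:23:45")
    for raw, why in bad:
        print(f"rejected {raw!r}: {why}")
    print(build_endpoint_csv(ok, "Handheld-Scanners", "shared-account devices"))
```

Comparing the hex digits after normalisation is what makes the prefix rule independent of whether the NAD sent colons, dashes or dots; a rule written against the raw string only matches the format of the NAD you happened to test with. The locally-administered check is the caveat worth keeping in mind for any OUI-based rule: a device that randomises its MAC will neither match the vendor prefix nor appear in the endpoint list you imported, so it fails the MAB leg that the 802.1X-plus-MAB setup requires.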

craiglebutt

Thanks both for replying; both replies helped me to fix the issue.

I was trying to do it without an endpoint database.

iPSK is next on my list once I've migrated the old Access Points and can upgrade the WLCs, which will help.

cheers