Re: Configuring WLC and ISE for IOT Device Authentication and VLAN Map

daria2 · ‎09-09-2023

We have Cisco WLC and ISE on our network infrastructure. Our goal is to authenticate and segregate various types of IOT devices (like barcode readers, HVAC systems, RFID readers, etc.) by mapping them to their respective VLANs while connecting to a single broadcasting SSID. We don't want to broadcast so many SSIDs.

Some devices support 802.1x and some don't.

Specifically, we want devices like HVAC systems to be placed in their own VLAN (e.g., HVAC VLAN) upon successful authentication. How would you do it and what is your process in your organization?

I would greatly appreciate any advice to help us accomplish this task effectively and securely.

Thanks in advance for your expertise!

10.0.0.0.1 192.168.1.254

ammahend · ‎09-09-2023

Have you considered iPSK, since some of devices do not support 802.1X.

-hope this helps-

Leo Laohoo · ‎09-09-2023

We have a rule-of-thumb in regards to "on boarding" wireless clients. And that is: Put mobile clients into wireless and cable up stationary clients.

The madness into this logic is because equipment manufacturers slap wireless chip into machineries so they can sell more. And when issue starts to appear with machineries in the wireless sphere, equipment manufacturers do not have technical team who have a good idea what the wireless NIC can/cannot do so it is easy for the manufacturers to blame the client's wireless network as a reason.

If the HVAC does not play nice with Dot1x, even with MAB, then be prepared for iPSK. If the HVAC still will not play nice with iPSK, cable it up.

Configuring WLC and ISE for IOT Device Authentication and VLAN Mapping