WLC 2504 add mac authentication

as00001111
Level 1

Hi all,

Currently, we have an SSID where you have to type in a domain user and password. The WLC forwards that information to a Microsoft NPS. There are no problems with that.

Now I would like to add MAC authentication in addition to username/password.

Can you tell me exactly what I need to configure on the WLC to make that happen?

Thank you!

5 Replies

Arne Bier
VIP

You can't mix 802.1X and MAB auth on an SSID. It only works in the wired world because OSI Layers 1 and 2 are different in these two media. In wireless you cannot define an SSID to accept both methods, because for 802.1X the client devices (supplicants) only do one thing: they only talk EAP methods (Layer 2 protocols) and they expect an EAP response. And the AP/WLC is configured the same way, to expect EAP packets. The WLC/RADIUS could theoretically take the MAC address from an EAP transaction (i.e. the outer RADIUS wrapper) and process it like MAB, BUT ... what's the point? Because the response to the NAS could cause the session to be authenticated, but the client won't be happy: the client is expecting an EAP Success. EAP is a long conversation and MAB auth is just two packets. They are very different auth types.

In the wired world this mix/match happens all the time because there is no SSID and the switch port config allows more than one type of connection. Cable is plugged in? OK, we have a link. Great. In wireless that step is not so easy.

The problem with the username/password auth is that everyone can log in with their private devices. They just have to type in username/password.

So I would like to allow only the company's devices.

How can I accomplish that?

I have never tried this, but if you are happy to enter all your company devices' MAC addresses into an ISE Identity Group then you can add that check as part of the Authorization Rule. This might become a management nightmare. If the MAC address is added to the user's AD account attribute then you could check there too. But that means the user is tied to one and only one MAC address. EAP-PEAP is an ugly solution for BYOD. Cert-based auth is better. Push your company certs onto company assets and then check for those. Deny anyone trying to auth using PEAP.

OK, so you would recommend doing cert auth.

Can I use a Microsoft NPS for cert auth?

And is it possible to do dynamic VLAN assignment based on different certs?

Yes, it is possible on NPS.

Go through these docs for Dynamic Authorization using NPS on Cisco WLC.

Regards,
Sathiyanarayanan Ravindran
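
What "dynamic VLAN assignment from NPS" actually looks like on the wire, as an added example that is not part of the thread and not Cisco or Microsoft code: an NPS network policy (for instance one whose constraint allows only "Microsoft: Smart Card or other certificate", i.e. EAP-TLS, and whose condition matches the company's issuing CA or a device group) returns the RFC 2868 tunnel attributes Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and Tunnel-Private-Group-ID in the Access-Accept; the WLC honours them only if the WLAN has "Allow AAA Override" enabled. The encoder below builds that attribute triple, and `wlc_select_vlan` is a simplified model of the WLC's decision (the attribute numbers and values come from the RFCs; the WLC behaviour is an assumption of the example, not AireOS source). The VLAN IDs and the AAA-override flag are constructed inputs.

```python
"""
Added example, not code from the thread: RFC 2868 tunnel attributes for dynamic
VLAN assignment (what NPS returns) and a simplified model of how a Cisco WLC
applies them. Attribute/value numbers are from RFC 2868 and RFC 3580; the WLC
decision logic is the example's own assumption, not Cisco code.
"""
import struct

TUNNEL_TYPE = 64               # RFC 2868 section 3.1
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 section 3.2
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 section 3.6
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE802 = 6      # RFC 3580 section 3.31


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865 section 5)."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_int(value: int, tag: int = 0) -> bytes:
    """Tag byte (0x00..0x1F) followed by a 3-byte big-endian integer (RFC 2868)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return bytes([tag]) + value.to_bytes(3, "big")


def build_vlan_attrs(vlan_id: int, tag: int = 0) -> bytes:
    """Attribute triple a RADIUS policy sends in Access-Accept to place a client in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    return (avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN, tag))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802, tag))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def parse_attrs(data: bytes) -> list:
    """Split a RADIUS attribute blob into (type, value) pairs, rejecting truncation."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def wlc_select_vlan(accept_attrs: bytes, wlan_vlan: int, aaa_override: bool) -> int:
    """Simplified WLC decision (assumption of this example): honour a RADIUS VLAN only
    when AAA override is enabled and the Accept carries a consistent Tunnel-Type=VLAN /
    Tunnel-Medium-Type=802 / Tunnel-Private-Group-ID triple under one tag; otherwise
    the client lands on the WLAN's statically mapped interface."""
    if not aaa_override:
        return wlan_vlan
    groups: dict = {}
    for atype, value in parse_attrs(accept_attrs):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                continue
            groups.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: a leading octet <= 0x1F is a tag, otherwise untagged
            if value and value[0] <= 0x1F:
                tag, gid = value[0], value[1:]
            else:
                tag, gid = 0, value
            groups.setdefault(tag, {})[atype] = gid
    for grp in groups.values():
        if (grp.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and grp.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in grp):
            try:
                vid = int(grp[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
            except (UnicodeDecodeError, ValueError):
                continue
            if 1 <= vid <= 4094:
                return vid
    return wlan_vlan


if __name__ == "__main__":
    # Constructed inputs: NPS policy for EAP-TLS with the company cert returns VLAN 20,
    # the WLAN is statically mapped to VLAN 10.
    corp = build_vlan_attrs(20)
    print(wlc_select_vlan(corp, 10, aaa_override=True))
    print(wlc_select_vlan(corp, 10, aaa_override=False))
```

On AireOS the override switch is `config wlan aaa-override enable <wlan-id>`; without it the Access-Accept still succeeds but the client stays on the WLAN's interface, which is the usual reason "NPS returns the VLAN but the client is in the wrong subnet". On the NPS side the same three attributes are added under the network policy's RADIUS Attributes > Standard list (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Pvt-Group-ID), one policy per certificate-based group and VLAN.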
