03-20-2021 10:08 PM - edited 07-05-2021 01:25 PM
I am using my AP in EWC mode. I am using Windows 2019 NPS as the AAA authority. I have set up admin (web & ssh) access and have set up 802.1x for one of my WLANs and it is working as expected. I would like to have a few WLANs that are restricted by mac address, but I don't want to use MAB if I have to leave the WPA authentication as "open". I've already tried it and I will use it if I have to, but it seems like a half-ass solution if I can't encrypt the session.
Are there better ways to work around this? My list of mac addresses to restrict is VERY small, so I don't mind doing it in the NPS security policies.
03-20-2021 11:28 PM
03-21-2021 03:23 PM
For my environment, it's really only useful for a general use tablet and the lack of encryption makes it seem pointless. I was also not able to turn off SSID broadcasting, so I don't think I will use it.
I seem to remember applying a mac address acl to a wlan was extremely easy and intuitive on my old WLC2504. Less so in IOS-XE 17.4
Much easier to design NPS constraints that include mac addresses. As I said, my filter list is very small, so it is easy to script out, but for a larger community, I might try harder to set up a mac address acl.
03-21-2021 06:12 PM
Well, I run WPA2/AES with PSK for my IoT devices and use a group that has all the mac addresses for that defined group. That is what you should do, and don't worry about the mac address. I'm able to do this with Cisco ISE, because ISE collects device information that is sent to it for authentication. I don't think this is possible with NPS, unless you create an OU with the mac address as the username and password (it's been a while since I did something like that, so I don't know if that is still valid).
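The two approaches discussed in this thread both come down to matching the client MAC on the RADIUS server: either as an NPS network policy condition on the Calling-Station-Id attribute, or as a MAB username/password pair held in AD. The script below is an added example, not code from the thread or from Cisco or Microsoft; it normalizes a small MAC allow-list pasted in mixed formats, renders the anchored regular expression to paste into the NPS "Calling Station ID" condition, checks sample Calling-Station-Id values against it, and derives the MAB username form. Assumptions, marked in the code: the WLC sends Calling-Station-Id as upper-case hex with hyphens (the delimiter and case are WLC-side settings) and sends the MAB username as 12 lower-case hex digits with no delimiter. The delimiter mismatch case is included deliberately, since a policy built for one format silently rejects every client when the WLC sends another. Whatever the transport, a MAC is a client-supplied identifier and is trivially spoofed, so the list restricts which device identities are accepted, not who holds the device.

```python
import re

# Constructed sample allow-list in the mixed formats people paste from
# device labels and switch MAC tables (not a list from the original thread).
ALLOWED_MACS = [
    "00:11:22:33:44:55",
    "00-11-22-33-44-56",
    "0011.2233.4457",
    "001122334458",
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lower-case hex digits, or raise ValueError."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def calling_station_id(mac: str, sep: str = "-", upper: bool = True) -> str:
    """Render a MAC the way it arrives in RADIUS Calling-Station-Id.

    Assumption: the WLC is configured to send XX-XX-XX-XX-XX-XX. The
    delimiter and case are WLC-side settings, so pass the matching sep/upper.
    """
    d = normalize_mac(mac)
    s = sep.join(d[i:i + 2] for i in range(0, 12, 2))
    return s.upper() if upper else s


def nps_pattern(macs, sep: str = "-", upper: bool = True) -> str:
    """Build the anchored regex for the NPS network policy condition
    'Calling Station ID'. The separator is escaped so it matches literally;
    the anchors stop a longer or shorter value from matching by prefix."""
    ids = sorted({calling_station_id(m, sep, upper) for m in macs})
    esc = re.escape(sep)
    alts = [i.replace(sep, esc) if sep else i for i in ids]
    return "^(" + "|".join(alts) + ")$"


def is_allowed(calling_station: str, macs=ALLOWED_MACS,
               sep: str = "-", upper: bool = True) -> bool:
    """Evaluate a received Calling-Station-Id against the generated pattern,
    exactly as NPS would once the pattern is pasted into the condition."""
    return re.match(nps_pattern(macs, sep, upper), calling_station) is not None


def mab_username(mac: str) -> str:
    """Username (and password) for the MAB-accounts-in-AD workaround.

    Assumption: the WLC's MAB delimiter is 'none' and case is lower, giving
    12 hex digits with no separators; other settings change what is sent.
    """
    return normalize_mac(mac)


if __name__ == "__main__":
    print("NPS Calling Station ID condition:")
    print(nps_pattern(ALLOWED_MACS))
    for mac in ALLOWED_MACS:
        print(f"{mac:>20} -> MAB user {mab_username(mac)}")
    # Same client, wrong delimiter: the policy would reject it.
    print(is_allowed("00-11-22-33-44-55"), is_allowed("00:11:22:33:44:55"))
```

Run it once to print the condition string, then verify on the NPS side by watching the Network Policy Server event log for the rejected client's Calling-Station-Id: if the logged value uses a different delimiter or case than the pattern, regenerate with the matching `sep` and `upper` rather than editing the WLC.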