10-26-2021 11:42 AM
Hey there,
I am looking to get devices that don't support 802.1x online, preferably by using something like MAC filtering without adding another WLAN. We currently have an 802.1x network where a RADIUS server is providing the authorization.
For IoT devices and other things, we use a VLAN overwrite to put these devices on the VLAN we want for isolation. This works great for devices that support 802.1x.
What is the best way to do this for devices that don't support 802.1x?
We are running 5520 WLCs.
Thank you,
A
10-26-2021 12:33 PM
If you cannot do an 802.1x supplicant, either you isolate them to a different VLAN or do MAB authentication, the only option you have.
10-26-2021 12:47 PM
I would say that to get the best level of security, I would suggest combining MAB+iPSK. You can have dynamic VLAN assignment based on the PSK. If your RADIUS server allows you to profile and do posture, then you can look at adding that option as well.
10-26-2021 09:22 PM
My opinion is that you create a new SSID and don't try to get a workaround on your dot1x, as you will be creating an opening for access which security folks would flag. Like what Arshad mentioned, look at iPSK if you want to have multiple PSKs, or simplify it and create an SSID with a PSK.