Is it possible to 802.1x MAB via WLC?

mscherting
Level 1

I'm looking for a way to enforce some degree of .1x machine authentication against AD for wireless devices which do not have a robust supplicant and/or cannot join AD.  We're using MAC Authentication Bypass (MAB) on the wired side, and a similar capability on wireless would be advantageous.

Can WLCs do MAB like a switch can?  Alternatives?  Ideas?

Thanks!

1 Accepted Solution

Accepted Solutions

Stephen Rodriguez
Cisco Employee

MAB on wired works, because if the device can't do 802.1x, it can fall to another auth mech, and keep doing so, until it hits the Guest profile.

Wireless doesn't work quite the same way. For 802.1x you'd want the profile to be built prior to connection, specifying the EAP type, cert if one is used, as well as credentials, whether cached from login or a specified set. WLAN supplicants can see a broadcasted SSID, and the user could click on it to start to connect, but that could cause you more issues than just using a GPO to push the wireless config, if they are domain devices.

As another option, I'd take a look at ISE. Granted it's a separate piece, but it allows you to use device profiling to determine what is connecting to the network, and then push policy as to what it has access to.

HTH,

Steve

3 Replies

Thank you.

Funny you should mention ISE.  Our local Cisco reps are pushing it too, especially since ACS5.x doesn't work as advertised.

ISE is the way to go when licensing is no option. You can use a variety of functions to secure your WLAN properly.

We used Username/Password in combination with a Whitelist to enable a select few with private devices on the network. Worked like a charm.