7823 Views | 15 Helpful | 6 Replies

ISE 2.1 802.1X and MAC filtering

samuel.cardenas
Level 1

Hi,

we have an SSID with more or less this configuration:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/201044-802-1x-authentication-with-PEAP-ISE-2-1.html

802.1X validated with an Identity Group user (Internal users)

 

We want to permit access only to devices that are included in an Identity group endpoint (a MAC address list).

How can I add a policy to validate this point in my current configuration?

 

Thanks in advance.

Samuel

1 Accepted Solution (samuel.cardenas's reply below)

6 Replies 6

Arne Bier
VIP

Interesting question

There is no easy way to do this as far as I know.

If you had the users in AD, then you could perhaps have an AD user object (e.g. macAddr) that contained the MAC address, and then in your Authorization Policy you could try an AND rule that looks something like:

 

MY_AD macAddr EQUALS Radius Calling-Station-Id

 

No idea if that will work.

 

 

I found the solution:

In the controller SSID, select MAC filtering.

Authentication rules:

1 - 802.1X and use: AD

2 - MAB and use: Identity endpoint

In authorization:

Rule 1: Identity: AD and 802.1X

Rule 2: Identity: Identity group endpoint and condition MAB

Result: both the same.

The first process, as I selected MAC filtering in the controller, is the rules with MAB, and later it uses 802.1X.

If one of them fails, no access!! :)

Thanks!! :)

Did you set this up in your lab? How does the controller do MAB and 802.1X on the same WLAN profile? I didn't know it was possible to mix the two auth methods.

Yes, not in lab, in production. It is a new SSID.

The SSID is WPA2 Enterprise, so it is 802.1X, but if you select MAC Filtering in the SSID (Security), the controller first sends the authentication/authorization for the MAC, and later the 802.1X.

It is working fine.

:)
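The sequence described in the reply above (with MAC filtering on, the controller sends MAB for the client MAC first, then runs 802.1X, and the client only gets on if both succeed) can be modelled as a small policy evaluator. The following is an added example written for this page, not code from the thread, from Cisco ISE or from the WLC: the identity stores, the rule names, and the use of the RADIUS Service-Type value to tell a MAB request from an 802.1X request are constructed, simplified stand-ins for ISE's built-in conditions. The MAC canonicalisation step is included because Calling-Station-Id formatting differs between NAS platforms, which is also the thing to check before trying the "macAddr EQUALS Calling-Station-Id" comparison suggested earlier in the thread.

```python
"""Toy model of the WLC + ISE flow from the thread:
MAC filtering -> MAB against an endpoint identity group, then 802.1X against AD.
All stores, rule names and condition values below are constructed for illustration."""
from dataclasses import dataclass


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC so that aa-bb-cc-..., aabb.ccdd.eeff and AA:BB:... all
    compare equal to what the endpoint group stores. Raises on non-MAC input."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed identity stores: the endpoint identity group (MAC list) and the
# AD join point. Passwords are plain here only to keep the model short.
ENDPOINT_GROUP = {normalize_mac(m) for m in ("AA-BB-CC-11-22-33", "aabb.cc44.5566")}
AD_USERS = {"alice": "correct-horse", "bob": "battery-staple"}


@dataclass
class RadiusRequest:
    calling_station_id: str   # client MAC as the NAS formats it
    service_type: str         # "Call-Check" for MAB, "Framed" for 802.1X (simplified assumption)
    username: str = ""
    password: str = ""


def evaluate_policy(req: RadiusRequest) -> tuple[str, bool]:
    """Walk the authentication rules top-down, in the order of the accepted solution:
    rule 1 (802.1X -> AD), rule 2 (MAB -> endpoint group), then the default deny.
    Returns (matched rule, accepted)."""
    if req.service_type == "Framed" and req.username:
        return "1 - 802.1X / AD", AD_USERS.get(req.username) == req.password
    if req.service_type == "Call-Check":
        try:
            mac = normalize_mac(req.calling_station_id)
        except ValueError:
            return "2 - MAB / Endpoint group", False
        return "2 - MAB / Endpoint group", mac in ENDPOINT_GROUP
    return "default", False


def wlc_client_join(mac: str, username: str, password: str, mac_filtering: bool = True):
    """Model the controller: with MAC filtering enabled, MAB runs first and a MAB
    failure ends the join before 802.1X is attempted. Returns (joined, trace)."""
    trace = []
    if mac_filtering:
        rule, ok = evaluate_policy(RadiusRequest(mac, "Call-Check", username=mac))
        trace.append(("MAB", rule, ok))
        if not ok:
            return False, trace
    rule, ok = evaluate_policy(RadiusRequest(mac, "Framed", username, password))
    trace.append(("802.1X", rule, ok))
    return ok, trace


if __name__ == "__main__":
    cases = [
        ("aa:bb:cc:11:22:33", "alice", "correct-horse", True),   # listed MAC, good creds
        ("00:11:22:33:44:55", "alice", "correct-horse", True),   # unlisted MAC, good creds
        ("AA-BB-CC-11-22-33", "alice", "wrong", True),           # listed MAC, bad creds
        ("00:11:22:33:44:55", "alice", "correct-horse", False),  # MAC filtering off
    ]
    for mac, user, pw, filt in cases:
        joined, trace = wlc_client_join(mac, user, pw, filt)
        print(f"{mac} {user} filtering={filt}: joined={joined} trace={trace}")
```

The trace makes the order visible: an unlisted MAC is rejected at the MAB step and the 802.1X exchange never starts, while a listed MAC with bad credentials gets through MAB and then fails at 802.1X. The last case shows why the MAC filtering checkbox matters: without it the MAB leg is skipped and valid AD credentials alone are enough.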

I just tried this on our Cisco virtual controller (8.5.131.0) and I had to turn off the Radius NAC in the WLAN in order for MAB to be enabled at the same time. And yes, this is pretty amazing - thanks for pointing this out. I am wondering what this Radius NAC setting does ... ? Because we just blindly set this according to all the docs ... now 802.1X and MAB work just fine without it. I think I am about to learn something new ... do you have any clues what this is for?

[attachment: 8021x.PNG]

[attachment: NACoff.png]

This works great, can you explain the work process on the ISE/WLC?
E.g. the user enters username/password on the laptop.
un/pw info + wifi MAC passed to WLC -> ISE

ISE authenticates first on authentication rule 1? Then rule 2? Then authorization rule 1, rule 2?
Would you please explain the above?

Thanks