Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
938
Views
0
Helpful
7
Replies

MAB equivalent for the wireless clients

Muhammed Adnan
Level 4
Level 4

‎05-12-2019 11:08 PM - edited ‎07-05-2021 10:23 AM

Hello Experts,

 

MAB  ==> For Wired Client only ==> If dot1x authentication fails, then Mac authentication is tried.

 

MAC Authentication Failover to 802.1X  ==> If mac authentication fails, then try dot1x authentication.

 

1. Is there not any MAB equivalent in wireless, wherein if dot1x authentication fails for wireless clients than MAB is tried?

 

2. If we enable mac authentication on a WLAN, will it consume any end point license from ISE?

 

MAC authentication.PNG

 

Labels:
0 Helpful
7 Replies 7

patoberli
VIP Alumni
VIP Alumni

‎05-13-2019 05:45 AM

1. I don't think that is possible on wireless.
2. No idea.
0 Helpful

Muhammed Adnan
Level 4
Level 4
In response to patoberli

‎05-14-2019 01:02 AM

Thanks Patoberli for the response.

 

Is MAC authentication with Radius for WPA2-PSK SSID even supported?

0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to Muhammed Adnan

‎05-14-2019 01:35 AM

Not that I know of, not without supplying a correct PSK.

You can use iPSK to have a custom PSK per MAC address, but that needs creating a policy per client(group).


0 Helpful

Sathiyanarayanan Ravindran
Spotlight
Spotlight

‎05-14-2019 02:26 AM

MAB and dot1.x can't be configure on the same SSID.

 

Please check the doc for IPSK Deployment Cisco WLC and ISE

 

 

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)
0 Helpful

Muhammed Adnan
Level 4
Level 4
In response to Sathiyanarayanan Ravindran

‎05-14-2019 04:09 AM

Hi Ravindran,

 

Thanks for the response and the link.

 

I am not looking for dot1x and MAB on the same SSID.

 

The combination that I am looking out for is wpa2-psk + mac authentication via Radius.

0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to Muhammed Adnan

‎05-14-2019 04:59 AM

It's either PSK or 802.1x. Now with iPSK you have the possibility to have a different PSK per Mac address, this wasn't possible before.

What you could do, you can block / permit the specific mac addresses directly on the WLC, but that is usually a very bad idea (Mac addresses don't offer any security and can be cloned by everybody!!!).


0 Helpful

Sathiyanarayanan Ravindran
Spotlight
Spotlight
In response to Muhammed Adnan

‎05-14-2019 05:08 AM

Yes, That can be done.

 

You have to configure the SSID with WPA2+PSK and MAC filtering , In the AAA server you have to map the radius server which you want to use for MAB.

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card