MAB in wireless with AireOS v8.5

norberto.padin
Level 1

Hello, how are you doing?

I was watching Jerome Henry's VoD from CLive Cancun 2017, BRKEWN-2005, in which during the video recording he hid slide 76 (which is present in the PDF). This slide talks about MAB. MAB in RJ-45 ports is well understood, but it is not clear to me how it works in wireless and under which L2 Security mechanisms. Does anybody have extra information or a link about that? Thanks in advance and merry Christmas!

5 Replies

Hi,

Do you have ISE in your environment? The way I know to enforce MAB on a wireless network is using ISE.

-If I helped you somehow, please, rate it as useful.-

Yes, I have ISE.
So, if it is doable, please share links or documents about how to implement this.
Regards,
Nor.

Take a look here:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

You can also look for videos on the LabMinute channel.

-If I helped you somehow, please, rate it as useful.-

Thanks Flavio!

I was reading the doc and it talks about Central Web Authentication, not MAC Authentication Bypass in Wireless.

The problem I have to solve is with IoT devices, in this case Smart TVs which need to gain internet access. Maybe MAB is not the right solution for this.

The customer will have the following scenario:

- Corporate network with WPA2 / ISE / AD / Certificates

- Guest access via WebAuth in ISE

- BYOD with onboarding with Certificates for corporate users with internet access only

- Wireless phones (8821 w/ CCM 11.5)

- IoT for Smart TVs with ISE Profiling and internet only access

The customer wants to simplify the BSSIDs by having as few of them as possible in order to maximize RF spectrum; and during a learning partner class, the instructor told them to use MAC Authentication Bypass. I know that in Ethernet, you can have a mix of authentication methods and ISE will figure it out, but in WiFi, I do not know if this can be done.

Do you think that the number of BSSIDs can be minimized by combining services? One BSSID more or less will not change the situation too much, will it?

Regards,

Nor.

Yeah, if you intend to use different authentication methods then you need to have more SSIDs. Cisco usually recommends a limit of 4 SSIDs but I've seen environments with more and working perfectly. The negative impact of more SSIDs is on the channel utilization due to more management packets, but in a well-designed wireless network you can go beyond 4.

-If I helped you somehow, please, rate it as useful.-
