06-15-2023 05:45 AM
Hi Guys,
Any options if I can have one SSID on a Cisco 5520 WLC which supports dot1X as well as MAB?
Actually we have issues on some devices where the certificate cannot be pushed, and we want to connect those same devices to the same SSID through MAB.
06-15-2023 06:08 AM
Hi
These are the options you can have with one SSID, considering a 9800 WLC.

Layer 2 | Layer 3 | Supported
--- | --- | ---
MAB | CWA | Yes
MAB | LWA | Yes
MAB + PSK | - | Yes
MAB + 802.1X | - | Yes
MAB Failure | LWA | Yes
802.1X | CWA | Yes
802.1X | LWA | Yes
PSK | - | Yes
PSK | LWA | Yes
PSK | CWA | Yes
iPSK | - | Yes
iPSK | CWA | Yes
iPSK + MAB | CWA | Yes
iPSK | LWA | No
MAB Failure + PSK | LWA | No
MAB Failure + PSK | CWA | No
06-15-2023 06:25 AM
As I know, MAB + 802.1X are both L2 auth, but MAB here is not used for auth; it is used for the WLC to build a connection database for this user.
MAB auth only, without any other L2 auth, needs you to add the MAC address to the WLC or use an extended server for MAC.
06-15-2023 11:28 PM
I think @Noovi is asking if it's possible to replace dot1X with MAB due to the failure to push certificates to devices. I think you are using EAP-TLS to perform computer authentication, so that's why you want to filter them when connecting.
My recommendation is that you keep using dot1X, but instead of using certificate validation (EAP-TLS) in the RADIUS policies, you use user credentials only (PEAP). Then, if you want to add this "extra" layer of security to limit the connection to those specific devices using MAB, you can do it.
06-16-2023 12:56 AM - edited 06-16-2023 12:57 AM
Short answer is no. You can enable both MAC filtering and 802.1X on the same SSID, but it means the WLC needs the MAC address in its database for the endpoint to perform 802.1X; it's more of an AND option than an OR option.
One option might be to have 2 separate SSIDs with the same name and use MAC filtering for one and 802.1X for the other, and when you are configuring your policy and wireless profile you can push the correct profile to the relevant devices, or advertise the one with MAC filtering in areas where you have devices not supporting certs... you get the idea. It's not the most traditional way, but it's just an option if your device location and environment permit. Best is to have 2 separate SSIDs, or what JPavonM recommended.
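The two-WLAN arrangement described in the post above, sketched as an added Catalyst 9800 (IOS-XE) configuration example; it is not from the original thread or from Cisco documentation, and the profile names, the SSID CORP, the server group ISE-GROUP and the list names are assumptions:

```cisco
! AAA lists used by the two WLANs below (names are assumed)
aaa new-model
aaa group server radius ISE-GROUP
 server name ISE-1
! 802.1X authentication list for the EAP-capable devices
aaa authentication dot1x DOT1X-LIST group ISE-GROUP
! Network authorization list used by MAC filtering (MAB) lookups
aaa authorization network MAB-LIST group ISE-GROUP
!
! WLAN 1: same SSID "CORP", 802.1X only (WPA2-Enterprise)
wlan CORP-DOT1X 1 CORP
 security dot1x authentication-list DOT1X-LIST
 security wpa wpa2 ciphers aes
 security wpa akm dot1x
 no shutdown
!
! WLAN 2: same SSID "CORP", open at Layer 2 with MAC filtering only.
! Devices are authorized by MAC address against MAB-LIST, with no
! 802.1X requirement, which is the "OR" behaviour the thread asks for.
wlan CORP-MAB 2 CORP
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa
 mac-filtering MAB-LIST
 no shutdown
```

Each WLAN profile is then bound to its own policy profile and policy tag so that only the access points or areas serving the non-certificate devices advertise CORP-MAB; because a MAC address is trivially cloned, the MAB-only WLAN should be treated as a weaker tier and placed in its own VLAN with restricted access.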
06-18-2023 04:21 PM
Doing just this, but needing to use 2 SSIDs:
- iPSK for devices that don't support 802.1X (EAP-TLS/PEAP)
- 802.1X for devices that do support it
Have a default PSK to use in an onboarding workflow where they just get internet access to reach the MDM to provision the certificate, and an iPSK policy for devices that don't support it to get the correct VLAN assignment.