06-28-2022 02:11 PM
This question relates to a network of 9130 APs, managed by a 9800 WLC. I'm trying to reduce the number of SSIDs being used in the network.
One of the reasons for having so many SSIDs is that there are several communities of wireless IoT devices that have no 802.1x capability, so they must be authenticated using MAB. That would be fine if all IoT devices needed to go into the same VLAN. However, there are families of devices, each one needing to be handled differently, so they are put into different SSIDs/WLANs/VLANs, hence the high SSID count.
I'd like to use the ISE that handles 802.1x to do VLAN steering, so that I could use the same SSID, then steer client devices into different VLANs based upon their MAC address. I've read about doing this with something called MyDevice Portal, but I haven't found details on this, or if it's possible.
Can anyone say if what I propose is possible, and if so, point me at some documentation that will get me started?
Thanks
Jim
06-29-2022 11:41 PM
Yeah this is exactly what this could be used for, as long as the IoT device is capable of WPA2/AES with a PSK.
It takes some additional ISE configuration though, because you need to create a profile for each VLAN you want to assign.
In my opinion it would probably be better to put them all into the same VLAN and make sure that this VLAN is correctly isolated.
06-28-2022 02:53 PM - edited 06-28-2022 02:54 PM
You can create profiles, and based on those you can give access permissions; you can use the vendor OUI (when you use MAB authentication).
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
06-28-2022 03:55 PM
Hi
From the ISE side your challenge is to identify the devices you want to spread across the VLANs. You can work with profiles. On the WLC side, you need to enable "Allow AAA Override" on the WLC, advanced tab.
On the AP group, instead of pointing the WLAN to an interface group, you need to point it to a non-routable interface. But you need to add the VLAN on the WLC under "CONTROLLER" and Interfaces.
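The accepted answer above (a profile per VLAN, with iPSK for encryption) and this post (identify the device on ISE, let AAA override place it in the VLAN) describe the same decision flow: the WLC sends the MAC as a MAB request, and the RADIUS reply carries the VLAN and, for iPSK, the group key. The following is an added example, not code from Cisco ISE, the 9800 WLC, or any poster in this thread: a small mock of that authorization decision, with constructed OUIs, endpoint overrides, VLAN IDs, group names and PSK placeholders as hypothetical values. It shows the attribute set the WLC acts on (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-ID, and the `psk-mode`/`psk` cisco-av-pairs used for iPSK), and how an unknown MAC lands in a non-routable quarantine VLAN rather than in a production one.

```python
import re

# Constructed sample data standing in for ISE profiling policies (OUI ->
# endpoint group), endpoint identity groups and per-group iPSKs. Every OUI,
# group name, VLAN ID and PSK here is a hypothetical placeholder.
OUI_PROFILES = {
    "00:11:22": ("IoT-Sensors", 110),
    "AA:BB:CC": ("IoT-Cameras", 120),
}
# Exact-MAC entries take precedence over OUI-based profiling.
ENDPOINT_OVERRIDES = {
    "00:11:22:33:44:55": ("IoT-Sensors-Legacy", 115),
}
# Group PSKs for iPSK; in a real deployment these live in ISE, never in code.
GROUP_PSK = {
    "IoT-Sensors": "sensors-psk-placeholder",
    "IoT-Sensors-Legacy": "legacy-psk-placeholder",
    "IoT-Cameras": "cameras-psk-placeholder",
}
QUARANTINE_VLAN = 999  # hypothetical non-routable VLAN for unrecognised MACs

MAC_HEX_LEN = 12


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare
    hex (all forms a WLC or supplicant may send) and return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != MAC_HEX_LEN:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, MAC_HEX_LEN, 2)).upper()


def classify(mac: str) -> tuple[str, int]:
    """Map a MAC to (endpoint group, VLAN): exact override first, then OUI
    profile, otherwise the quarantine VLAN."""
    m = normalize_mac(mac)
    if m in ENDPOINT_OVERRIDES:
        return ENDPOINT_OVERRIDES[m]
    oui = m[:8]
    if oui in OUI_PROFILES:
        return OUI_PROFILES[oui]
    return ("Unknown", QUARANTINE_VLAN)


def build_radius_response(mac: str, ipsk: bool = False) -> dict:
    """Build the reply the WLC would receive for a MAB request.

    With AAA override enabled, Tunnel-Private-Group-ID replaces the VLAN
    configured on the WLAN/policy profile. With iPSK, the group key is
    returned as cisco-av-pairs; a device with no known group key is
    rejected, because its four-way handshake could never succeed.
    """
    group, vlan = classify(mac)
    if ipsk and group not in GROUP_PSK:
        return {"Code": "Access-Reject", "Reason": f"no iPSK for group {group}"}
    attrs = {
        "Tunnel-Type": 13,            # VLAN
        "Tunnel-Medium-Type": 6,      # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan),
    }
    if ipsk:
        attrs["cisco-av-pair"] = ["psk-mode=ascii", f"psk={GROUP_PSK[group]}"]
    return {"Code": "Access-Accept", "Endpoint-Group": group, "Attributes": attrs}


if __name__ == "__main__":
    # Constructed MACs in the three common notations.
    for sample in ("0011.2233.4455", "AA-BB-CC-00-00-01", "de:ad:be:ef:00:01"):
        print(sample, "->", build_radius_response(sample, ipsk=True))
```

The reply attributes only take effect if the WLAN's policy profile on the 9800 allows AAA override, which is the setting the post above refers to; without it the controller ignores Tunnel-Private-Group-ID and every client stays in the VLAN configured on the profile. Keeping the profile's own VLAN non-routable (as this post suggests) means a misconfigured or unprofiled device cannot reach anything useful by default.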
06-29-2022 07:56 AM
iPSK might help you if you want encryption:
06-29-2022 09:10 AM - edited 06-29-2022 09:11 AM
The IoT devices have no 802.1x supplicant, but let's assume they could handle iPSK. Can the ISE do VLAN steering based upon each different user/group's PSK? If that were possible, that could be a simple solution.
Thanks
Jim
06-29-2022 09:11 AM - edited 07-03-2022 01:42 PM
That looks to be the way to go...I will lab it and see how it works. Thanks!