02-15-2019 12:09 AM - edited 07-05-2021 09:51 AM
Dear All,
with more and more IoT devices entering the market we need to design our wireless infrastructure
to accommodate IoT devices which support 802.1x but also devices which do not support 802.1x.
As the best practice is not to exceed the number of 4 SSIDs, the ideal solution would look like one SSID only with 802.1x enabled and MAC filtering for MAB (MAC Authentication Bypass) for IoT devices not supporting 802.1x.
In the Cisco Switching world this is no problem at all, but does anyone have experience with how this can be handled in the Cisco Wireless world (with 8540 WLCs and release 8.5)?
I know there is the new feature Identity PSK, but this would also require a separate SSID for non-802.1x devices. How can both device types be covered by 1 SSID?
In other discussions it's stated that it should be possible (though not officially supported) with Cisco ISE as RADIUS server, but has anyone managed to implement 1 SSID with 802.1x and MAB for non-802.1x devices using FreeRADIUS as backend?
Thanks and best regards,
Thorsten
02-15-2019 01:07 AM
02-18-2019 04:36 AM
02-18-2019 07:34 AM
Thanks for your appreciated reply. We are able to use FreeRADIUS in connection with the Identity PSK feature offered by Cisco WLCs since release 8.5.
With the I-PSK we need to sacrifice a separate SSID (apart from 802.1x); that's why we're considering MAB for Wireless as an alternative to I-PSK.
With Cisco switches MAB is absolutely no problem, but with the Cisco WLC we're not sure. Found another article in which it was stated it does not work with the WLC: https://community.cisco.com/t5/policy-and-access/wlc-mab-with-802-1x-authentication/m-p/3747331.
We'll try to test it.
Thanks.
02-19-2019 08:07 AM