Wireless 802.1x with MAB as fallback and FreeRadius

ciscoprolin
Level 1

Dear All,

With more and more IoT devices entering the market, we need to design our wireless infrastructure to accommodate IoT devices which support 802.1x but also devices which do not support 802.1x.

As the best practice is not to exceed the number of 4 SSIDs, the ideal solution would look like one SSID only with 802.1x enabled and MAC filtering for MAB (MAC Authentication Bypass) for IoT devices not supporting 802.1x.

In the Cisco Switching world this is no problem at all, but does anyone have experience with how this can be handled in the Cisco Wireless world (with 8540 WLCs and release 8.5)?

I know there is the new feature Identity PSK, but this would also require a separate SSID for non-802.1x devices. How can both device types be covered by 1 SSID?

In other discussions it's stated that it should be possible (though not officially supported) with Cisco ISE as RADIUS server, but has anyone managed to implement 1 SSID with 802.1x and MAB for non-802.1x devices using FreeRadius as backend?

Thanks and best regards,

Thorsten

4 Replies

Hi,
You can do a few checks. Even though I have not tried it yet, I can suggest the below.

1 - Enable MAC filtering for the SSID and add the MAC to the whitelist in the controller (not RADIUS).
2 - Select 802.1x for the next step.

But I don't think you can use a RADIUS server for both 1x and MAB.
Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

patoberli
VIP Alumni
Not using Freeradius for this, but I also think it's possible on ISE.
You'd need to do a chained policy, which first checks the MAC and if that one fails, do 802.1x. I'm not sure if FreeRadius is capable of this.
Another variant (if your FreeRadius is just a proxy for an Active Directory) might be this:
https://documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_MS_Switches

Thanks for your appreciated reply. We are able to use FreeRadius in connection with the Identity PSK Feature offered by Cisco WLCs since release 8.5.

With the I-PSK we need to sacrifice a separate SSID (apart from 802.1x); that's why we're considering MAB for Wireless as an alternative to I-PSK.

With Cisco switches MAB is absolutely no problem, but with the Cisco WLC we're not sure. Found another article in which it was stated it does not work with the WLC: https://community.cisco.com/t5/policy-and-access/wlc-mab-with-802-1x-authentication/m-p/3747331

We'll try to test it.

Thanks.

Yeah, wireless 802.1x and wired 802.1x are sadly not exactly the same thing. I hope it will work for you.