11-22-2018 01:43 AM - edited 07-05-2021 09:29 AM
Hi all,
Currently, we have an SSID where you have to type in a domain user and password. The WLC forwards that information to a Microsoft NPS. There are no problems with that.
Now I would like to add MAC authentication in addition to username/password.
Can you tell me what I exactly need to configure on the wlc to make that happen?
Thank you!
11-22-2018 02:03 PM
You can't mix 802.1X and MAB auth on an SSID. It only works in the wired world because OSI Layers 1 and 2 are different in these two media. In wireless you cannot define an SSID to accept both methods because for 802.1X the client devices (supplicants) only do one thing - they only talk EAP methods (layer 2 protocols) and they expect an EAP response. And the AP/WLC is configured the same way - to expect EAP packets. The WLC/RADIUS could theoretically take the MAC address from an EAP transaction (i.e. the outer RADIUS wrapper) and process it like MAB - BUT ... what's the point? Because the response to the NAS could cause the session to be authenticated, but the client won't be happy - the client is expecting an EAP Success. EAP is a long conversation and MAB auth is just two packets. They are very different auth types.
In the wired world this mix/match happens all the time because there is no SSID and the switch port config allows more than one type of connection. Cable is plugged in? OK - we have a link. Great. In wireless that step is not so easy.
11-22-2018 11:40 PM
The problem with the username/password auth is that everyone can log in with their private devices. They just have to type in username/password.
So I would like to allow only company's devices.
How can I accomplish that?
11-23-2018 12:14 AM
I have never tried this, but if you are happy to enter all your company devices' MAC addresses into an ISE Identity Group then you can add that check as part of the Authorization Rule. This might become a management nightmare. If the MAC address is added to the user's AD account attribute then you could check there too. But that means the user is tied to one and only one MAC address. EAP-PEAP is an ugly solution for BYOD. Cert-based auth is better. Push your company certs onto company assets and then check for those. Deny anyone trying to auth using PEAP.
11-23-2018 12:58 AM
OK, so you would recommend doing cert auth.
Can I use a Microsoft NPS for cert auth?
And is it possible to do a dynamic vlan assignment, based on different certs?
04-12-2019 12:18 PM
Yes, it is possible on NPS.
Go through these docs for Dynamic Authorization using NPS on Cisco WLC:
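As an added example (not code from the thread or from Cisco/Microsoft): dynamic VLAN assignment works by the RADIUS server returning the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2868 / RFC 3580) in the Access-Accept, which the WLC honours when AAA Override is enabled on the WLAN. The snippet encodes that attribute triple the way an NPS network policy would, then decodes it the way a NAS has to, treating a missing or malformed attribute as "no VLAN assigned" rather than guessing; the VLAN number and tag value are constructed sample input.

```python
import struct

# RADIUS attribute types and values from RFC 2868 / RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type(1) Length(1) Value(n)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _tagged_int(value, tag):
    """Tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return bytes([tag]) + struct.pack("!I", value)[1:]


def vlan_attributes(vlan_id, tag=0):
    """Attributes an Access-Accept carries to place the client in vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be 1..4094")
    return (_attr(TUNNEL_TYPE, _tagged_int(TUNNEL_TYPE_VLAN, tag))
            + _attr(TUNNEL_MEDIUM_TYPE, _tagged_int(TUNNEL_MEDIUM_IEEE_802, tag))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def parse_attributes(raw):
    """Walk a RADIUS attribute blob; reject lengths that run past the buffer."""
    attrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        attr_type, length = raw[i], raw[i + 1]
        if length < 3 or i + length > len(raw):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, raw[i + 2:i + length]))
        i += length
    return attrs


def assigned_vlan(raw):
    """VLAN a NAS would apply, or None if the triple is incomplete or invalid."""
    found = dict(parse_attributes(raw))
    if len(found.get(TUNNEL_TYPE, b"")) != 4 or len(found.get(TUNNEL_MEDIUM_TYPE, b"")) != 4:
        return None
    if int.from_bytes(found[TUNNEL_TYPE][1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(found[TUNNEL_MEDIUM_TYPE][1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # leading byte is a tag, not part of the VLAN string
        group = group[1:]
    try:
        vlan = int(group.decode("ascii"))
    except ValueError:
        return None
    return vlan if 1 <= vlan <= 4094 else None
```

On the WLC side the attribute set is only applied if AAA Override is enabled on the WLAN; without it the client stays on the interface configured for the SSID.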