Wireless MAB authentication

Unanswered Question
Feb 21st, 2014
User Badges:

I am trying to figure a solution on wireless MAB authentication from WLC to ISE 1.2, the device MAC will be added to a identity group. I think now if that possible or the configuration that is needed for that to happen. I search the web on configuration guide fore wireless mab, but got nothing. Thanks for the help!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jjohnston1127 Fri, 02/21/2014 - 13:45
User Badges:
  • Silver, 250 points or more

You are on the right path.  You should create an endpoint identity group and put the MAC addresses into it. Then create an authorization policy that matches that identity group and assigns the appropriate authorization profile.


Optionally, if you use the profiler service and are sure your devices are getting mapped to the appropriate endpoint profile your rule can match that instead.

toua lor Fri, 02/21/2014 - 13:54
User Badges:

Thanks for the reply, I have almost everything setup from endpont identity to policy set. The thing I am still puzzle on is that my WLC is forward the device MAC as the identity which is great that was what I was aiming for, but I still have to type the password to get the device (Apple TV) onto the SSID. I want the device to be able to get on without a password, but just based on the MAC address while other device that connects to that SSID will be prompted for a login. Thanks 

Wing Man Mon, 02/24/2014 - 08:51
User Badges:

You will need to add the device to the Whitelist Group (which was created with ISE). You then need to add a rule to the authorization policy where devices found in the Whitelist are permitted access.


You will need a corresponding rule in the Authentication Policy which will simply pass MAB devices onto the 2nd stage (authorization Policy)

toua lor Mon, 02/24/2014 - 09:04
User Badges:

Thanks for the reply. Yes I have created authentication and authorization to associate with the identity that i have created for the whitelist devices. I am still stuck with entering the pass for the device to join the SSID, after joining the SSID the device's MAC is forwarded to ISE to be process. Just need to figure a away to join the SSID without entering the PSK, but by using the MAC of the device. I was told that the WLC can not do that kind of authentication by using mac of the device without being an open SSID. 

jjohnston1127 Mon, 02/24/2014 - 09:22
User Badges:
  • Silver, 250 points or more

You were told correctly.  Your WLAN either needs to be open authentication or secured with a PSK or 802.1x.  You cannot do both on the same SSID.


For an open network, you check the box on the layer 2 tab for "Mac Filtering" and that's about it.

Wing Man Mon, 02/24/2014 - 09:25
User Badges:

What does your Authentication log say, when you try to connect to the device to the network.


Shouldn't require a password. Your WLC -> WLAN for L2 and L3 security should be set to 'none'. Radiius servers set to your ISE. Have you got Central WebAuth set up on your WLC -> ISE?

jjohnston1127 Mon, 02/24/2014 - 09:28
User Badges:
  • Silver, 250 points or more

Wing Man - I believe what he's saying is that his problem is his WLAN is secured with a PSK and he wants to be able to do MAB authentication for certain devices.  The problem is the WLAN is secured with a PSK so the device is prompted for a password.


He will have to have an open WLAN if he wants to do MAB w/o a PSK.


Thanks.

toua lor Mon, 02/24/2014 - 09:55
User Badges:

Thanks for the help guys! I'll have to figure out a resoultion to this or terminate the project by going a different route. I really appreciate you guys for understanding the trouble I am going through.

Wing Man Mon, 02/24/2014 - 10:04
User Badges:

JJohnstons is quite right. You could create a open but hidden SSID just for this device going through ISE?

toua lor Mon, 02/24/2014 - 10:12
User Badges:

That's where the end user issues start kicking in, the device is an Apple TV. Users/vendors wants to connect to their iDevices to the  Apple TV unit to do presentation. Both users and Apple TV will have to be on the same WLAN/subnet inorder for that process to work. Management wants Apple TV to do MAB while requiring users/vendors to enter the PSK, I know that it can't happen or be preform either it one way or the other not both. So I am stuck working out the bugs. Thanks again guys

jjohnston1127 Mon, 02/24/2014 - 10:16
User Badges:
  • Silver, 250 points or more

Depending on the controller and version of code, you can actually turn on AirPlay functionality with Bonjour Gateway so the subnets will not matter anymore.  It's pretty painless to setup and works well across wired/wireless subnets.

toua lor Mon, 02/24/2014 - 10:24
User Badges:

-jjohnston1127

      Thanks I'll talk to my senior network engineers about that option today in our meeting. We are currently running

7.3 on the WLC. I am just afraid of the broadcast workload on the WLANs since Apple Bonjour only works within a single broacast domain.

     Thanks

jjohnston1127 Mon, 02/24/2014 - 10:25
User Badges:
  • Silver, 250 points or more

I believe 7.5 WLC code introduces Bonjour based on location services so it is aware of the devices connected via the surrounding APs.  They have done major improvements to the functionality.

toua lor Mon, 02/24/2014 - 10:35
User Badges:

Thanks, I'll talk to them about 7.5 for the WLC and see what they think about it. In theory, I would have two WLAN/SSID. The first WLAN/SSID will be open so I can authenticate my AppleTV with MAB ("potential mac spoofing" "Can't just be base on MAC only, need to be more secure" is what I am going to hear from the other team and I am suppose to care about security"), second WLAN/SSID is going to be PSK so users/vendors can join that, so they can present. My head is starting to hurt.

jjohnston1127 Mon, 02/24/2014 - 10:41
User Badges:
  • Silver, 250 points or more

To get around MAC spoofing you can use the profiler service to probe devices and get more information.  There may already be an Endpoint Profile for AppleTVs, but I'm not sure. Anyway, at that point, you can use MAC filtering AND endpoint profiling to ensure that it really is an Apple TV.

Wing Man Mon, 02/24/2014 - 10:36
User Badges:

Hmm, couldn't you create a new hidden (not for security reasons) WLAN and simply use the same interface or interface group as the WLAN with PSK enabled? Bearing in mind MAB is somewhat insecure compared to WPA/2 PSK

toua lor Mon, 02/24/2014 - 10:58
User Badges:

-jjohnston1127

The pofiler service is running on the ISE node. Apple iDevice are profiling correcting, I'll be sure to use that comeback. thanks


-wing_man

Yes that what I am thinking about hiding the SSID for the apple TV and MAB is somewhat insecure but i dont want users/vendors having to enter password for the AppleTV just to connect to the Wifi. I don't have a clue on Wireless yet, suppose to learn Wireless after I get my CCNP and NP security.


Thanks for the helpful tips

Wing Man Tue, 02/25/2014 - 01:40
User Badges:

I agree with JJohnston. Definitely use profiling. But I would advise you isolate the Vlan from the rest of your LAN/Wireless networks using ACL's on your LAN network. Although both are good, they are still weak against someone less determined.


Generally we only hide wireless lans so that users don't get confused and try to access a WLAN which they're not supposed to. This shortens my logs considerably due to authentication errors.

toua lor Tue, 02/25/2014 - 07:22
User Badges:

Thanks, for the information and tips guys. Looks like this project is going to get terminate since we don't to change our

infrastructure layout and allow vendors to get access across WLANs.. Security is the main point here.. thanks again guys

blenka Tue, 02/25/2014 - 12:01
User Badges:

With respect to the last point, obviously there is an essential need for an IP to be allocated to the guest prior to web authentication as the device needs to interact with the Guest portal, regardless if it is hosted on the ISE or the WLC.

Actions

This Discussion