cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11003
Views
5
Helpful
21
Replies

Wireless MAB authentication

toua lor
Level 1
Level 1

I am trying to figure a solution on wireless MAB authentication from WLC to ISE 1.2, the device MAC will be added to a identity group. I think now if that possible or the configuration that is needed for that to happen. I search the web on configuration guide fore wireless mab, but got nothing. Thanks for the help!

21 Replies 21

jj27
Spotlight
Spotlight

You are on the right path.  You should create an endpoint identity group and put the MAC addresses into it. Then create an authorization policy that matches that identity group and assigns the appropriate authorization profile.

Optionally, if you use the profiler service and are sure your devices are getting mapped to the appropriate endpoint profile your rule can match that instead.

Thanks for the reply, I have almost everything setup from endpont identity to policy set. The thing I am still puzzle on is that my WLC is forward the device MAC as the identity which is great that was what I was aiming for, but I still have to type the password to get the device (Apple TV) onto the SSID. I want the device to be able to get on without a password, but just based on the MAC address while other device that connects to that SSID will be prompted for a login. Thanks 

You will need to add the device to the Whitelist Group (which was created with ISE). You then need to add a rule to the authorization policy where devices found in the Whitelist are permitted access.

You will need a corresponding rule in the Authentication Policy which will simply pass MAB devices onto the 2nd stage (authorization Policy)

Thanks for the reply. Yes I have created authentication and authorization to associate with the identity that i have created for the whitelist devices. I am still stuck with entering the pass for the device to join the SSID, after joining the SSID the device's MAC is forwarded to ISE to be process. Just need to figure a away to join the SSID without entering the PSK, but by using the MAC of the device. I was told that the WLC can not do that kind of authentication by using mac of the device without being an open SSID. 

You were told correctly.  Your WLAN either needs to be open authentication or secured with a PSK or 802.1x.  You cannot do both on the same SSID.

For an open network, you check the box on the layer 2 tab for "Mac Filtering" and that's about it.

What does your Authentication log say, when you try to connect to the device to the network.

Shouldn't require a password. Your WLC -> WLAN for L2 and L3 security should be set to 'none'. Radiius servers set to your ISE. Have you got Central WebAuth set up on your WLC -> ISE?

Wing Man - I believe what he's saying is that his problem is his WLAN is secured with a PSK and he wants to be able to do MAB authentication for certain devices.  The problem is the WLAN is secured with a PSK so the device is prompted for a password.

He will have to have an open WLAN if he wants to do MAB w/o a PSK.

Thanks.

Thanks for the help guys! I'll have to figure out a resoultion to this or terminate the project by going a different route. I really appreciate you guys for understanding the trouble I am going through.

JJohnstons is quite right. You could create a open but hidden SSID just for this device going through ISE?

That's where the end user issues start kicking in, the device is an Apple TV. Users/vendors wants to connect to their iDevices to the  Apple TV unit to do presentation. Both users and Apple TV will have to be on the same WLAN/subnet inorder for that process to work. Management wants Apple TV to do MAB while requiring users/vendors to enter the PSK, I know that it can't happen or be preform either it one way or the other not both. So I am stuck working out the bugs. Thanks again guys

Depending on the controller and version of code, you can actually turn on AirPlay functionality with Bonjour Gateway so the subnets will not matter anymore.  It's pretty painless to setup and works well across wired/wireless subnets.

-jjohnston1127

      Thanks I'll talk to my senior network engineers about that option today in our meeting. We are currently running

7.3 on the WLC. I am just afraid of the broadcast workload on the WLANs since Apple Bonjour only works within a single broacast domain.

     Thanks

I believe 7.5 WLC code introduces Bonjour based on location services so it is aware of the devices connected via the surrounding APs.  They have done major improvements to the functionality.

Thanks, I'll talk to them about 7.5 for the WLC and see what they think about it. In theory, I would have two WLAN/SSID. The first WLAN/SSID will be open so I can authenticate my AppleTV with MAB ("potential mac spoofing" "Can't just be base on MAC only, need to be more secure" is what I am going to hear from the other team and I am suppose to care about security"), second WLAN/SSID is going to be PSK so users/vendors can join that, so they can present. My head is starting to hurt.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: