Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11137
Views
5
Helpful
21
Replies

Wireless MAB authentication

toua lor
Level 1
Level 1

‎02-21-2014 08:07 AM - edited ‎03-10-2019 09:26 PM

I am trying to figure a solution on wireless MAB authentication from WLC to ISE 1.2, the device MAC will be added to a identity group. I think now if that possible or the configuration that is needed for that to happen. I search the web on configuration guide fore wireless mab, but got nothing. Thanks for the help!

Labels:
0 Helpful
21 Replies 21

Wing Man
Level 1
Level 1
In response to toua lor

‎02-24-2014 10:39 AM

This might be useful.

https://supportforums.cisco.com/thread/2145539

0 Helpful

jj27
Spotlight
Spotlight
In response to toua lor

‎02-24-2014 10:41 AM

To get around MAC spoofing you can use the profiler service to probe devices and get more information.  There may already be an Endpoint Profile for AppleTVs, but I'm not sure. Anyway, at that point, you can use MAC filtering AND endpoint profiling to ensure that it really is an Apple TV.

0 Helpful

Wing Man
Level 1
Level 1
In response to toua lor

‎02-24-2014 10:36 AM

Hmm, couldn't you create a new hidden (not for security reasons) WLAN and simply use the same interface or interface group as the WLAN with PSK enabled? Bearing in mind MAB is somewhat insecure compared to WPA/2 PSK

0 Helpful

toua lor
Level 1
Level 1
In response to Wing Man

‎02-24-2014 10:58 AM

-jjohnston1127

The pofiler service is running on the ISE node. Apple iDevice are profiling correcting, I'll be sure to use that comeback. thanks

-wing_man

Yes that what I am thinking about hiding the SSID for the apple TV and MAB is somewhat insecure but i dont want users/vendors having to enter password for the AppleTV just to connect to the Wifi. I don't have a clue on Wireless yet, suppose to learn Wireless after I get my CCNP and NP security.

Thanks for the helpful tips

0 Helpful

Wing Man
Level 1
Level 1
In response to toua lor

‎02-25-2014 01:40 AM

I agree with JJohnston. Definitely use profiling. But I would advise you isolate the Vlan from the rest of your LAN/Wireless networks using ACL's on your LAN network. Although both are good, they are still weak against someone less determined.

Generally we only hide wireless lans so that users don't get confused and try to access a WLAN which they're not supposed to. This shortens my logs considerably due to authentication errors.

0 Helpful

toua lor
Level 1
Level 1
In response to Wing Man

‎02-25-2014 07:22 AM

Thanks, for the information and tips guys. Looks like this project is going to get terminate since we don't to change our

infrastructure layout and allow vendors to get access across WLANs.. Security is the main point here.. thanks again guys

0 Helpful

blenka
Level 3
Level 3

‎02-25-2014 12:01 PM

With respect to the last point, obviously there is an essential need for an IP to be allocated to the guest prior to web authentication as the device needs to interact with the Guest portal, regardless if it is hosted on the ISE or the WLC.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents