802.1x with MAB defaulting to MAB?

Hello,

I have a WLAN configured on my 5508 with WPA2/802.1x, and I have my RADIUS servers configured to accept connections from clients using EAP-TLS certificates. This is working well.

I do however have a couple of devices that do not support EAP-TLS, and some that just don't support any 802.1x configuration. I enabled MAC filtering on the SSID, and expected it to use 802.1x if applicable, and if it fails, then use MAC filtering and present the MAC address as the username and password to the RADIUS server for authentication.

Is this not how it works?

What I found happened is that it only wanted to use MAC filtering for authentication, and not EAP-TLS.

Any suggestions?


Hi Dan,

As per maldehne in the following discussion, the check for the MAC address must be first; then, if it is not MAC filtering, it will check the EAP:

https://supportforums.cisco.com/discussion/11765316/cisco-acs-53-mac-authentication-users-wireless
BTW, what is your RADIUS server?

For MAC authentication to succeed you need to check the internal hosts (if you use ACS 5.x), and you must have the MAC addresses of your clients added there.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
So we must add 3000 MAC addresses first in order for this to work? This is an impossible amount of work to manage and maintain.

Can we change it so it does EAP first and then MAC address authentication?

The RADIUS server is FreeRADIUS.

Dan.

You have to add MAC addresses only for devices that do not support EAP. You don't have to add MAC addresses for all devices.

The scenario maldehne is describing has never been tested by me personally. In switch port dot1x authentication, it will go for MAB after dot1x authentication does not work (i.e. after EAP it then tries MAB). I am still a little bit confused about MAC authentication enabled with a dot1x WLAN. I understand that the client must support EAP and its MAC must be in the RADIUS as well. However, maldehne, the TAC engineer, is saying that's not the case.


If I were you I would try to put two different rules in the RADIUS server: one for EAP and one for MAC auth. The first one should be EAP. The devices that do not initiate EAP will not match the first rule and will go to the second rule, which is the MAC auth. (Not sure how that is applicable with FreeRADIUS. Another test can also be to collect all MAC addresses that do not support EAP and add them to a RADIUS rule where it checks the MAC list and, if it is within the list, it just sends Access-Accept; if not, it will direct it to normal EAP authentication.)

Note that most of the trick is done on the RADIUS server, not on the WLC.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
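One way to express the two-rule ordering Amjad describes on FreeRADIUS, as an added example and not configuration from this thread: it assumes FreeRADIUS 3 unlang, a `files` module instance named `authorized_macs`, a flat file of that name, and that the WLC sends Calling-Station-Id as `aa-bb-cc-dd-ee-ff` (all assumptions; the MAC entries are constructed samples).

```unlang
# --- raddb/mods-available/authorized_macs  (assumed file and instance name) ---
# A second 'files' instance keyed on the client MAC rather than on User-Name.
files authorized_macs {
    key = "%{Calling-Station-Id}"
    usersfile = ${confdir}/authorized_macs
}

# --- raddb/authorized_macs  (constructed sample entries) ---
# One entry per device that cannot do EAP-TLS; everything else must do EAP.
# Format assumes the WLC sends Calling-Station-Id as aa-bb-cc-dd-ee-ff.
00-11-22-33-44-55
    Reply-Message = "Printer, no 802.1X support"
00-11-22-33-44-66
    Reply-Message = "Badge reader, no 802.1X support"

# --- raddb/sites-available/default, authorize section (excerpt) ---
authorize {
    preprocess

    # Rule 1: EAP first. An 802.1X supplicant always includes EAP-Message,
    # so it never falls through to the MAC list, even if its MAC is listed.
    if (EAP-Message) {
        eap {
            ok = return
        }
    }
    else {
        # Rule 2: no EAP-Message means the WLC is MAC filtering and sent the
        # MAC as User-Name/User-Password. Accept only MACs in the flat file;
        # an unknown MAC is rejected rather than silently let through.
        authorized_macs
        if (ok) {
            update control {
                Auth-Type := Accept
            }
        }
        else {
            reject
        }
    }
}
```

Whether the WLC ever sends an EAP exchange at all when MAC filtering is enabled on the same WLAN is the open question in this thread; the RADIUS-side ordering above only helps once both request types reach the server.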
This sounds interesting.

I did open up a TAC case and they told me that I would have to set up another WLAN for devices that did not support 802.1x/EAP.

Do you know if the WLC will send MAC authentication or EAP authentication information first?

Can this be done with Windows RADIUS servers? Have you done this?

Dan.
It looks like the 5700 series WLC can do flexible authentication order:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/security/configuration_guide/b_sec_3se_5700_cg/b_sec_1501_3850_cg_chapter_01110.html#ID3869

I have a 5500 series controller and I can't seem to find any option like this.

Dan.
