Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Multiple authentication options

  • 1.  Multiple authentication options

    Posted Oct 31, 2012 02:15 PM

    We have 3600 controllers running 6.1.3.1, no ClearPass. My goal here is to create an SSID for medical equipment which does not belong to our AD domain. This equipment may not support methods such as certificates for machine authentication, so the SSID also needs to support MAC authentication. So far I have built the Virtual AP that uses this new SSID profile and a MAC-based AAA profile that uses the internal DB, where I have placed my test machine's MAC. It also uses WPA2-PSK for network authentication and AES for encryption. So far this works just fine. I only want to use MAC authentication for those devices that don’t support certs, so now I want to add a cert to the list of authentication methods before MAC. What I am hoping to do here is that if a cert is on the machine it will authenticate and skip the MAC portion. If a cert is not on the machine it will fall through to the MAC portion to authenticate. If neither one matches then it is not allowed on. Is this possible, or is there perhaps a better way to do this instead of a PSK? The machines will not be part of the AD domain, but the users do have accounts, so perhaps it can be designed to use their AD account?

    Thanks for your input!




  • 2.  RE: Multiple authentication options

    EMPLOYEE
    Posted Oct 31, 2012 02:33 PM

    No.

    You cannot do PEAP or TLS AND PSK on the same WLAN.



  • 3.  RE: Multiple authentication options

    Posted Nov 01, 2012 11:16 AM

    OK, so scratch the PSK. What about PEAP or TLS with a fall through to MAC?

    Is there a better way? Are there others out there with the need to support device types in one SSID that may not support the same authentication methods?



  • 4.  RE: Multiple authentication options

    Posted Nov 13, 2012 07:21 AM

    I believe that PEAP / TLS with fall back on MAC should be possible. All fall within the possibilities of WPA(2) enterprise / dot1x.



  • 5.  RE: Multiple authentication options

    EMPLOYEE
    Posted Nov 13, 2012 07:22 AM

    @11davie wrote:

    OK, so scratch the PSK. What about PEAP or TLS with a fall through to MAC?

    Is there a better way? Are there others out there with the need to support device types in one SSID that may not support the same authentication methods?


    You will need a separate SSID for devices that only do PSK.