Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Endpoint database shared?

  • 1.  Endpoint database shared?

    Posted Jul 08, 2019 03:57 PM

    Hi,

    If I have two MAC authenticated networks, are the entries added into the endpoint repository differentiated at all? I am looking to have two networks, A and B, but I want each to have different expiration times. So users who onboard for SSID A have an expiration of, say, a week, but users for SSID B have an expiration of, say, a year. And I don't want users who register on A to be able to then connect on B.

    How does CPPM store onboarded MAC addresses like that, and is there a way with attributes to differentiate them?

    Thanks.



  • 2.  RE: Endpoint database shared?

    EMPLOYEE
    Posted Jul 08, 2019 04:03 PM
    What type of authentication is being used?


  • 3.  RE: Endpoint database shared?

    Posted Jul 08, 2019 04:11 PM

    Open network with MAC authentication.

    SSID A would be MAC authentication with allow all MAC, look for a valid MAC in the repository and an active guest account. If false, it would send back a role which launches a captive portal to register.

    SSID B would be MAC authentication as well but would not be set for allow all MAC auths. It would look for an endpoint entry. If not found, it would send back a user role to launch a captive portal with an AD over LDAPS login prompt. Upon successful authentication, the MAC would be added to the repository.

    We're basically trying to get away from dot1x because of local password caching being an issue when users are forced to change their passwords (we're using EAP-PEAP w/ MSCHAPv2 right now). SSID A is a guest network, SSID B would be for staff. EAP-TLS is my preferred dot1x option, but I'm not sure if we're going to go in that direction at this time.



  • 4.  RE: Endpoint database shared?

    EMPLOYEE
    Posted Jul 08, 2019 04:16 PM
    You’d need to create custom endpoint attributes for each SSID.



    Also, I would highly recommend that you go down the EAP-TLS path. MAC randomization is coming in full force in the next 12-18 months and will completely break these workflows that you’ve described.


  • 5.  RE: Endpoint database shared?

    Posted Jul 08, 2019 04:20 PM

    Ahhh MAC randomization? Wonderful. Thanks for your help.