Contributor I

MAB wifi + user AD lookup

Hello everyone,
I'm currently a bit stuck here. Our standard wifi users can connect without any problem, based on EAP-TLS. Users have a certificate and, thanks to an AD attribute, they are directed into a certain VLAN. We use Cisco APs and ISE for them, and for certain SSIDs it's redirected to CPPM for authentication. So far, so good.

Now for non-standard users (in our case Androids, Apple, Linux and others) things seem to be a bit more difficult. I tried to put their MAC addresses into a MAB. But it seems as if those devices cannot do this because they have to choose a security structure (e.g. WPA2 with EAP-TLS).


What I ideally want is that such users can connect to the wifi, put their AD credentials in and are redirected into their proper VLAN.

Is what I tried to do the correct way, or do I have to work with the guest portal (because self-registration doesn't seem to do the trick either)?


Any suggestions are welcome, and if you have a nice how-to somewhere, that would be great.


All Replies
MVP Expert

Re: MAB wifi + user AD lookup

How is the SSID configured? Open with MAC filtering?
So the plan is that the user is authenticated via captive portal authentication (after they provide their AD credentials) and then the device MAC address is cached for a period of time?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Pardon typos sent from Mobile
Contributor I

Re: MAB wifi + user AD lookup

I tried to use the same SSID as we use for our standard devices (devices with certificates), so with WPA2 Enterprise and EAP-TLS.
I don't really have a plan right now, but the goal is to allow certain company-owned devices (without certificates) on the network without any time boundaries or other restrictions. I tried to allow them based on their MAC address without captive portal or self-registration, and I'm trying to figure out whether this is the right approach or not.
We do have the self-registration in place but a lot of our non-standard devices aren't supported, so that is not really a solution.

MVP Expert

Re: MAB wifi + user AD lookup

Do you want to only allow certain devices based on the MAC address but the device needs to perform 802.1X/PEAP?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Pardon typos sent from Mobile
Contributor I

Re: MAB wifi + user AD lookup

Yes indeed.
We are talking about non-managed devices, so we cannot put a certificate on them.

I assume I'll have to create a new SSID with different security settings such as EAP/PEAP?

MVP Expert

Re: MAB wifi + user AD lookup

You can use the same 802.1X SSID you currently use for your devices using TLS.
Your ClearPass service will need to allow PEAP and define the Guest Device Repository (GDR) as an authorization source; add those devices to the GDR.

You can create a policy that only allows devices that have been registered in the device registration portal + successful PEAP auth.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Pardon typos sent from Mobile
Contributor I

Re: MAB wifi + user AD lookup

OK, I'm following thus far, and I configured the service for accepting the GDR. But how can I obtain a successful PEAP authentication? Can I link this to a user/password combination in the AD?

MVP Expert

Re: MAB wifi + user AD lookup

Configure your service to use 802.1X and AD as your authentication source, enable authorization, and add AD and GDR as your authorization sources.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Pardon typos sent from Mobile
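The decision logic Victor describes in his two replies above (PEAP against AD as the authentication source, AD plus the GDR as authorization sources, and an enforcement policy that admits a device only when the user authenticated and the MAC is registered, then picks the VLAN from an AD attribute as the original poster already does for EAP-TLS users) modelled as a small added example. This is not the thread's configuration and not Aruba or ClearPass code: the user table, the registered-MAC list, the attribute-to-VLAN map and the request field names are constructed assumptions, and the AD lookup is a stand-in for what ClearPass does inside the service. The one practical detail it adds is MAC normalisation, since hand-entered GDR entries and the Calling-Station-Id sent by the controller rarely share a format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample data standing in for the ClearPass sources -----------
# AD authentication source: username -> (password, AD attribute used for VLAN).
# A stand-in only; real ClearPass performs PEAP/MSCHAPv2 against AD.
AD_USERS = {
    "alice": ("Secret!1", "Finance"),
    "bob": ("hunter2", "Engineering"),
}
# Enforcement mapping: AD attribute value -> VLAN id (assumed values).
ATTR_TO_VLAN = {"Finance": 110, "Engineering": 120}
# Guest Device Repository: MACs added through the device registration portal,
# deliberately in mixed formats as they tend to be when typed by hand.
GDR = {"00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF"}

MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC to lower-case colon-separated form.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 (Cisco
    style) and bare 001122334455; raises ValueError for anything else.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not MAC_HEX.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Normalise the repository once so comparisons are format-independent.
GDR_NORMALIZED = {normalize_mac(m) for m in GDR}


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int]
    reason: str


def ad_authenticate(username: str, password: str) -> Optional[str]:
    """Stand-in for the AD authentication source.

    Returns the user's VLAN-selecting AD attribute on success, None on failure.
    """
    entry = AD_USERS.get(username)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


def evaluate(request: dict) -> Decision:
    """Apply the policy from the thread to one access request.

    `request` carries the attributes ClearPass would see for the inner PEAP
    identity: User-Name, User-Password and the RADIUS Calling-Station-Id.
    """
    # Authentication: PEAP credentials must validate against AD.
    attr = ad_authenticate(request["User-Name"], request["User-Password"])
    if attr is None:
        return Decision(False, None, "PEAP authentication against AD failed")

    # Authorization source 1 (GDR): the device must be registered.
    try:
        mac = normalize_mac(request["Calling-Station-Id"])
    except ValueError as exc:
        return Decision(False, None, str(exc))
    if mac not in GDR_NORMALIZED:
        return Decision(False, None, f"device {mac} not registered in GDR")

    # Authorization source 2 (AD): the attribute selects the VLAN, exactly as
    # for the certificate-based EAP-TLS users on the same SSID.
    vlan = ATTR_TO_VLAN.get(attr)
    if vlan is None:
        return Decision(False, None, f"no VLAN mapping for AD attribute {attr!r}")
    return Decision(True, vlan, "AD authentication ok and device registered in GDR")


if __name__ == "__main__":
    # Constructed requests covering the accept path and both reject paths.
    samples = [
        {"User-Name": "alice", "User-Password": "Secret!1", "Calling-Station-Id": "0011.2233.4455"},
        {"User-Name": "alice", "User-Password": "Secret!1", "Calling-Station-Id": "00-00-00-00-00-01"},
        {"User-Name": "bob", "User-Password": "wrong", "Calling-Station-Id": "aa:bb:cc:dd:ee:ff"},
    ]
    for req in samples:
        print(req["User-Name"], req["Calling-Station-Id"], evaluate(req))
```

Note that the order of the two checks matters only for the reason string; both must pass for an accept, which is the point of adding the GDR as a second authorization source rather than relying on AD credentials alone.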
Contributor I

Re: MAB wifi + user AD lookup

I'll try to implement this Monday morning; the test users already left for the weekend.
Thanks for your inputs!!

Contributor I

Re: MAB wifi + user AD lookup

Hi Victor,
That worked! Thanks for your help.
