Occasional Contributor I

Use 1 SSID for different types of authentication

I was wondering if it is possible in Clearpass to work with 1 SSID for Wireless, and follow some steps in Authentication, like first check if 802.11X works, then check if MAC is authenticated and as last resort offer a guest portal for registration if it is an unknown device.

Is this possible, or would you advise working with 2 SSIDs? Thanks in advance!

MVP

Re: Use 1 SSID for different types of authentication

It's possible, but what is the need to do this?

But MAC authentication would be done first and then 802.1x for the layer 2 aspect.

And the captive portal would be the layer 3 aspect of the authentication.

Again, this is not recommended.

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
Occasional Contributor I

Re: Use 1 SSID for different types of authentication

Thanks for your reply!

We're testing the possibilities with ClearPass to eventually implement in an existing network, and thought that it would be useful to have 1 wireless SSID instead of 3 now.

Is there a specific reason why you wouldn't recommend this method? 

MVP

Re: Use 1 SSID for different types of authentication

Let me explain.

MAC auth - Authenticates the device with its MAC

802.1x - Authenticates the wireless client (a client who has not received an IP address yet)

MAC auth and 802.1x are Layer 2 authentication methods.

Captive portal - Authenticates the wireless user (a client who has received an IP address) - Layer 3 authentication

A combination of Layer 3 and one Layer 2 method is ideal and secure. Having more than that is not needed, hence not recommended.

It just increases the time for a client to get the intended network access if the combination of all three is used.

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE

Re: Use 1 SSID for different types of authentication

Just to make one thing clear: you can combine those authentication methods in one SSID, but the client needs to pass all of them. If, for example, the dot1x authentication fails, the user will not be able to get to the captive portal.


visit our Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ/featured
Please visit my personal blog as well:
https://www.flomain.de

Re: Use 1 SSID for different types of authentication

I always advise working with a 2 or 3 SSID network. Choose the SSIDs based on the authentication method, not based on the purpose of the SSID.

So 1 for each:

- 802.1X for employees

- PSK in combination with MAC-auth for devices

- Open SSID for guests (optional), or they can use the PSK network; the unknown devices will receive a captive portal to register/login, and the known devices are given a role on the network based on MAC-auth in ClearPass.


- - - - Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE - - - -

Re: Use 1 SSID for different types of authentication


@Fabian Klaring wrote:

> I always advise working with a 2 or 3 SSID network. Choose the SSIDs based on the authentication method, not based on the purpose of the SSID.
>
> So 1 for each:
>
> - 802.1X for employees
>
> - PSK in combination with MAC-auth for devices
>
> - Open SSID for guests (optional), or they can use the PSK network; the unknown devices will receive a captive portal to register/login, and the known devices are given a role on the network based on MAC-auth in ClearPass.

This is the recommendation and I always do it that way. Separate the SSIDs based on the authentication method and separate users by roles.

