MAC auth with 802.1X, keeps asking for username and password

How do I configure my SSID so that it doesn't keep asking for a username and password? Currently it is configured as WPA-802.1x. I have a Cisco ISE that does all the ruling and auth. What I want to achieve is this: domain user => VLAN 2, domain PC => VLAN 3, MAC in DB => VLAN 4, not registered => VLAN 5. The first two are working like a charm. But I have no clue how to configure the last two, because of the password issue.

WagoL


Posted 1 year ago


Dianne Dunlap

I really doubt that this will work - if the SSID is configured for 802.1x, it will send a request for the username/password. Why don't you set up a separate SSID with open/MAC authentication? You would have to enumerate the MACs in the RADIUS server to send attributes for VLAN 4, as well as doing a MAC wildcard to assign to VLAN 5.
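
The MAC-authentication policy suggested in the reply above, sketched as an added example that is not part of the thread and is not Cisco ISE configuration. The function names and the registered MAC list are assumptions made for illustration; the VLAN numbers come from the question and the attribute names from RFC 3580.

```python
import re

# VLAN numbers are taken from the question; the MAC list is constructed sample data.
REGISTERED_VLAN = 4
UNREGISTERED_VLAN = 5
REGISTERED_MACS = {"001122aabbcc", "0050568f0a1b"}

_SEPARATORS = re.compile(r"[:\-.]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(calling_station_id):
    """Reduce a Calling-Station-Id to 12 lowercase hex digits, or None.

    Access points send the MAC in different layouts (AA-BB-CC-DD-EE-FF,
    aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff), so compare one canonical form.
    """
    mac = _SEPARATORS.sub("", calling_station_id.strip().lower())
    return mac if _HEX12.fullmatch(mac) else None


def vlan_attributes(vlan_id):
    """RFC 3580 tunnel attributes that tell the AP which VLAN to assign."""
    return {
        "Tunnel-Type": "VLAN",             # attribute value 13
        "Tunnel-Medium-Type": "IEEE-802",  # attribute value 6
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def authorize_mac(calling_station_id, registered=REGISTERED_MACS):
    """Return (decision, reply attributes) for one MAC-authentication request."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        # Malformed identifier: reject instead of falling through to the wildcard.
        return "Access-Reject", {}
    if mac in registered:
        # The MAC is only what the client claims, so VLAN 4 should stay low trust.
        return "Access-Accept", vlan_attributes(REGISTERED_VLAN)
    # Wildcard rule: every other well-formed MAC goes to the unregistered VLAN.
    return "Access-Accept", vlan_attributes(UNREGISTERED_VLAN)
```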

Nick Lowe, Official Rep

Hi,

Dianne is entirely correct.

When you configure MAC authentication on a WPA2-Enterprise/802.1X protected SSID, the MAC authentication is subsequent to 802.1X having completed.

Due to the way that 802.11 works, it is not conceptually possible to do what you want to.

You could offer a separate open SSID if you wished to only perform MAC authentication, but this would not be secure.

Thanks,

Nick

WagoL

If you have a lot of SSIDs, the users are confused and don't know which SSID to choose; this gives rise to a lot of issues. It would be an easy fix.

Nick Lowe, Official Rep

Hi,

No vendor can do this. It is not possible due to the way that 802.11 is designed and works in this area.

Thanks,

Nick