Lab Minutes Forum

Technical Discussion => Security => Topic started by: bhatsy on April 25, 2014, 12:18:08 PM

Title: Radius based MAC address Authentication with WLAN Controller and ISE
Post by: bhatsy on April 25, 2014, 12:18:08 PM
Hi, I wanted to see if I can get some help here. I am trying to interoperate my WLAN controller (non-Cisco) with Cisco ISE.

The scenario is as follows.
The controller is sending a RADIUS request with username = MAC address of the supplicant, and the password is "APC shared secret".
I have this MAC address configured as part of Internal Users on ISE. I have verified that the shared secret between my controller and ISE is the same on both sides. I still get an authentication failure, as below. Can someone suggest what might be happening here?

Steps
  11001 Received RADIUS Access-Request
  11017 RADIUS created a new session
  15049 Evaluating Policy Group
  15008 Evaluating Service Selection Policy
  15006 Matched Default Rule
  15041 Evaluating Identity Policy
  15006 Matched Default Rule
  15013 Selected Identity Source - Internal Endpoints
  24209 Looking up Endpoint in Internal Endpoints IDStore - 00:26:C6:30:52:84
  24211 Found Endpoint in Internal Endpoints IDStore
  22040 Wrong password or invalid shared secret
  22057 The advanced option that is configured for a failed authentication request is used
  22061 The 'Reject' advanced option is configured in case of a failed authentication request
  11003 Returned RADIUS Access-Reject
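Added example, not part of the original posts: step 22040 names two causes in one message because a PAP User-Password is obscured with the shared secret (RFC 2865, section 5.2), so a secret mismatch and a wrong password both reach the server as "recovered value does not match". The sketch assumes the controller sends a PAP User-Password; the secret, password and authenticator values are constructed, and the function names are illustrative.

```python
import hashlib
import hmac

def _blocks(data: bytes):
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: obscure User-Password as in RFC 2865 section 5.2."""
    if len(authenticator) != 16 or not 0 < len(password) <= 128:
        raise ValueError("need 16-byte authenticator and 1..128-byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for block in _blocks(padded):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(block, mask))  # ciphertext chains forward
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding using the server's own copy of the secret."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    out, prev = b"", authenticator
    for block in _blocks(hidden):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def server_accepts(hidden: bytes, server_secret: bytes,
                   authenticator: bytes, stored_password: bytes) -> bool:
    """In either failure the server only sees 'recovered value != stored value'."""
    recovered = recover_password(hidden, server_secret, authenticator)
    return hmac.compare_digest(recovered, stored_password)

# Constructed sample values (not taken from the thread).
AUTH = bytes(range(16))                  # Request Authenticator, random in real traffic
NAS_SECRET = b"constructed-secret"
STORED_PW = b"constructed-password-20+"  # 24 bytes, so two 16-byte blocks

if __name__ == "__main__":
    sent = hide_password(STORED_PW, NAS_SECRET, AUTH)
    print("secrets match, password match:", server_accepts(sent, NAS_SECRET, AUTH, STORED_PW))
    print("secret mismatch on server    :", server_accepts(sent, b"other-secret", AUTH, STORED_PW))
    bad = hide_password(b"wrong-password", NAS_SECRET, AUTH)
    print("secrets match, wrong password:", server_accepts(bad, NAS_SECRET, AUTH, STORED_PW))
```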
Title: Re: Radius based MAC address Authentication with WLAN Controller and ISE
Post by: MC on April 25, 2014, 04:45:26 PM
Could you confirm if the MAC address was added as a User Identity or Endpoint Identity and if you are using the corresponding Identity store for your authentication policy?
Title: Re: Radius based MAC address Authentication with WLAN Controller and ISE
Post by: bhatsy on April 27, 2014, 06:34:01 PM
Well, as you can see, ISE found the MAC address in the ID Store.

  24209 Looking up Endpoint in Internal Endpoints IDStore - 00:26:C6:30:52:84
  24211 Found Endpoint in Internal Endpoints IDStore
Title: Re: Radius based MAC address Authentication with WLAN Controller and ISE
Post by: MC on April 28, 2014, 12:00:43 AM
Have you tried using User Identity instead of Endpoint Identity? I do not recall being able to configure a password for an Endpoint.
Title: Re: Radius based MAC address Authentication with WLAN Controller and ISE
Post by: bhatsy on April 28, 2014, 06:50:50 PM
When you enter the endpoint identity it only allows you to enter a MAC address.

My question is: do you have any videos which show how to configure Cisco WLC with a WLAN which does WPA2 802.1x & RADIUS-based MAC filtering? It's kind of a 2-factor authentication. So only "whitelisted" MAC addresses on ISE are able to authenticate against the LDAP server with Windows username and password?

Thanks for the rest of the videos you have posted; they have been very helpful so far.
Title: Re: Radius based MAC address Authentication with WLAN Controller and ISE
Post by: bhatsy on April 29, 2014, 03:44:26 PM
OK, I got this working. We can close out this thread :)