802.1x authentication - MAC address Plus user entered credentials

I'm working on a project where we will be using Meraki equipment. We want there to be a single SSID throughout the entire project. When a user with their device connects to the common SSID and WPA PSK, they will be prompted for their username and password. This authentication will place them on their assigned VLAN within the network, which will allow them to communicate only with their equipment but still be able to roam wherever. This prevents the need to have 100+ SSIDs, one for each account. The only issue I am seeing is with some wireless devices that do not support 802.1x authentication. They only support standard WPA2. How can I configure a server to look at the MAC address of the device if it is incapable of the username/password entry and allow it on a specific VLAN, but still keep the functionality of having users enter the username/password from their mobile devices?

I will have some kind of LDAP or Active Directory server in place to maintain the user accounts and to function as a radius server.

Thanks!
farroar asked:
Rich Rumble (Security Samurai) commented:
You probably want to look at NAC solutions like ForeScout. Also, why in the world would you need hundreds of SSIDs? Typically companies have two, one for guests and one for employees. The guest SSID only allows internet access; the employee SSID allows those users with a user/pass into the network. You can then use the MAC address and/or 802.1x to place the users into VLANs, or apply rules/filters to their MAC/IP. I've not run into many devices that are wireless and don't support 802.1x, except for dumb devices like printers. Phones, PDAs, tablets, even gaming systems typically support 802.1x. In the cases where it's not supported, you make exceptions based on the MAC address.
-rich
farroar (Author) commented:
Thanks for the input Rich. The design is for a large residential MDU. Many users who require individual subnets each but with a common infrastructure. These are "smart homes" that have many of their internal devices controlled via mobile apps. If each unit had its own SSID, it would be far too complicated to implement and manage considering the specifics of the requirements for each unit. There are wireless thermostats in each unit that will be controlled by the user and need to be on their subnet only. These do not accept 802.1x authentication. I would need these dumb devices to be authenticated based on their MAC address and all other devices, if they are capable, to use user/pass credentials. The whole system will allow them to roam around the entire campus and access the WLAN on their subnet as well as monitor and control their own equipment.

If you are saying I can do both MAC and 802.1x then that is what I'm looking for. I was concerned that it was one or the other and not both. I have been looking into the Cisco ISE server to manage the policies but I'll have to look into ForeScout as well. The system is mainly Meraki and is cloud SDN basically. They have their own features for access control but not as granular as we would like.

If I were to authenticate off of a NAC like ForeScout or ISE, I would want to be able to:

1. Identify the user based on user/pass credentials or MAC address
2. Compare the user/MAC against a policy that specifies attributes including:
   - Assigned VLAN
   - Bandwidth limitations
   - Content control

Is this something that ForeScout can do?
Rich Rumble (Security Samurai) commented:
Yes. Get a demo from them. There are others, but after investigating NAC for the past 5 years, they are the only one I'd even consider. As a security professional, I am glad to see these steps being taken for this newer home trend, but it's not enough :( MACs can be spoofed, and these devices that talk WPA(2) and Bluetooth (so the phone apps can control them) and other protocols are not (yet) very secure.
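The two requirements in the list above (identify by user/pass or by MAC, then apply a per-account policy of VLAN, bandwidth and content control) map directly onto what a RADIUS server or NAC returns in an Access-Accept. The following is an added illustration, not code from the thread and not Meraki, ForeScout or ISE code: a small Python policy decision that takes a RADIUS-style request and answers it. The accounts, MAC addresses and unit policies are constructed sample data standing in for LDAP/AD and the NAC policy store; the cleartext password compare stands in for the EAP/LDAP bind a real 802.1x deployment does; `Tunnel-Type`, `Tunnel-Medium-Type`, `Tunnel-Private-Group-Id` and `Filter-Id` are standard RADIUS attributes (RFC 3580 and RFC 2865), while `X-Rate-Limit-Kbps` is a placeholder name because bandwidth limits are vendor-specific attributes. MAC-bypass devices get a tighter `Filter-Id` than credentialed users, reflecting the point that a MAC can be spoofed and so deserves a narrower role.

```python
import hmac
import re

# --- Constructed sample data (stand-ins for LDAP/AD and the NAC policy store) ---

# Per-unit policy: the three attribute classes the post asks for.
UNITS = {
    "unit-101": {"vlan": 101, "rate_kbps": 50_000, "filter": "unit-default"},
    "unit-102": {"vlan": 102, "rate_kbps": 25_000, "filter": "unit-default"},
}

# 802.1x accounts: username -> (password, unit). In production this is an LDAP/AD
# bind behind EAP (PEAP/EAP-TLS); the cleartext compare below is only a stand-in.
USERS = {
    "alice": ("correct horse", "unit-101"),
    "bob": ("battery staple", "unit-102"),
}

# MAC-bypass allow-list: only the devices that cannot do 802.1x (the thermostats).
MAB_DEVICES = {
    "00:11:22:33:44:55": "unit-101",
    "66:77:88:99:aa:bb": "unit-102",
}

# MAB devices get a tighter content-control filter because a MAC can be spoofed.
MAB_FILTER = "iot-restricted"


def normalize_mac(raw: str) -> str:
    """Canonicalise the MAC formats NAS vendors send:
    aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _accept(unit: str, method: str, content_filter: str) -> dict:
    """Build the Access-Accept attributes for one unit's policy."""
    policy = UNITS[unit]
    return {
        "code": "Access-Accept",
        "auth_method": method,
        "Tunnel-Type": "VLAN",                       # RFC 3580
        "Tunnel-Medium-Type": "IEEE-802",            # RFC 3580
        "Tunnel-Private-Group-Id": str(policy["vlan"]),
        "Filter-Id": content_filter,                 # RFC 2865, names an ACL on the NAS
        "X-Rate-Limit-Kbps": policy["rate_kbps"],    # placeholder for a vendor-specific VSA
    }


def authorize(request: dict) -> dict:
    """Decide one Access-Request.

    request carries 'User-Name', 'Calling-Station-Id' (the client MAC as seen by
    the AP) and, on the credential path, 'User-Password'.
    """
    mac = normalize_mac(request["Calling-Station-Id"])
    user = request.get("User-Name", "")
    password = request.get("User-Password")

    # Path 1: MAC authentication bypass. A NAS doing MAB sends the MAC as the
    # User-Name; honour it only if it is allow-listed AND agrees with
    # Calling-Station-Id. (A human account name that happens to be 12 hex
    # digits would be routed here too; real deployments key MAB off a NAS
    # attribute such as Service-Type instead of guessing from the name.)
    try:
        claimed = normalize_mac(user)
    except ValueError:
        claimed = None
    if claimed is not None:
        if claimed == mac and mac in MAB_DEVICES:
            return _accept(MAB_DEVICES[mac], "MAB", MAB_FILTER)
        return {"code": "Access-Reject", "reason": "unknown device"}

    # Path 2: user/pass credentials (the 802.1x case).
    if password is None:
        return {"code": "Access-Reject", "reason": "no credentials"}
    record = USERS.get(user)
    if record is not None and hmac.compare_digest(record[0], password):
        unit = record[1]
        return _accept(unit, "802.1X", UNITS[unit]["filter"])
    return {"code": "Access-Reject", "reason": "bad credentials"}


if __name__ == "__main__":
    phone = {"User-Name": "alice", "User-Password": "correct horse",
             "Calling-Station-Id": "AA-BB-CC-DD-EE-01"}
    thermostat = {"User-Name": "001122334455",
                  "Calling-Station-Id": "00-11-22-33-44-55"}
    print(authorize(phone))       # 802.1X path, VLAN 101, unit-default filter
    print(authorize(thermostat))  # MAB path, VLAN 101, iot-restricted filter
```

Both a resident's phone and that resident's thermostat land on the same VLAN, which is the roaming behaviour the post asks for, but only the credentialed session gets the unit's normal content filter; an allow-listed MAC presented from a different radio (Calling-Station-Id mismatch) or a MAC that is not on the list is rejected rather than placed anywhere.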
https://www.youtube.com/watch?v=LYAMKB-MmyM
http://www.networkworld.com/article/2224849/microsoft-subnet/hacking-and-attacking-automated-homes.html
http://www.wired.com/2014/07/hacking-hotel-room-controls/
https://www.blackhat.com/docs/us-14/materials/us-14-Jin-Smart-Nest-Thermostat-A-Smart-Spy-In-Your-Home.pdf
https://www.defcon.org/images/defcon-21/dc-21-presentations/Crowley-Panel/DEFCON-21-Crowley-Savage-Bryan-Home-Invasion-2.0.pdf

I think you'll have good results working with ForeScout, the others that might be worth looking into are:
http://forums.juniper.net/t5/image/serverpage/image-id/3551iE2089EB1AB8284A5

**edited to add this, just now:
http://securelist.com/analysis/publications/66207/iot-how-i-hacked-my-home/
-rich
farroar (Author) commented:
Thanks for that. I agree, and as a security "guy" in networking, I am concerned with this as well. A lot of planning needs to be done in order to maintain security with all of these IoT devices. It would be great if we could use some of the other technologies, but in this case it isn't possible. Each unit will have a control processor, and this processor serves up the UI for the mobile devices as well as sends the commands to all of the controlled devices in the home. That would include lighting, AV, HVAC, shades, security, etc. It is a great solution for home control and is on the higher end of the products available on the market. It requires that all devices be connected via wired or wireless Ethernet. This deployment is unique and hopefully it will be a kind of benchmark for the way a large MDU can be brought into the smart home arena.

Thanks!