802.1x authentication - MAC address Plus user entered credentials

Posted on 2014-08-20
Last Modified: 2014-08-21
I'm working on a project where we will be using Meraki equipment. We want there to be a single SSID throughout the entire project. When a user with their device connects to the common SSID and WPA PSK, they will be prompted for their username and password. This authentication will place them on their assigned VLAN within the network, which will allow them to communicate only with their equipment but still be able to roam wherever. This prevents the need to have 100+ SSIDs, one for each account. The only issue I am seeing is with some wireless devices that do not support 802.1x authentication. They only support standard WPA2. How can I configure a server to look at the MAC address of the device if it is incapable of the username/password entry and allow it on a specific VLAN, but still keep the functionality of having users enter the username/password from their mobile devices?

I will have some kind of LDAP or Active Directory server in place to maintain the user accounts and to function as a radius server.

Question by: farroar

    Expert Comment by: Rich Rumble

    You probably want to look at NAC solutions like ForeScout. Also, why in the world would you need hundreds of SSIDs? Typically companies have two, one for guests and one for employees. The guest SSID only allows internet access; the employee SSID allows those users with a user/pass into the network. You can then use the MAC address and/or 802.1x to place the users into VLANs, or apply rules/filters to their MAC/IP. I've not run into many devices that are wireless and don't support 802.1x, except for dumb devices like printers. Phones, PDAs, tablets, even gaming systems typically support 802.1x. In the cases where it's not supported, you make exceptions based on the MAC address.

    Author Comment

    Thanks for the input Rich. The design is for a large residential MDU: many users who require individual subnets each, but with a common infrastructure. These are "smart homes" that have many of their internal devices controlled via mobile apps. If each unit had its own SSID, it would be far too complicated to implement and manage considering the specifics of the requirements for each unit. There are wireless thermostats in each unit that will be controlled by the user and need to be on their subnet only. These do not accept 802.1x authentication. I would need these dumb devices to be authenticated based on their MAC address, and all other devices, if they are capable, to use user/pass credentials. The whole system will allow them to roam around the entire campus and access the WLAN on their subnet as well as monitor and control their own equipment.

    If you are saying I can do both MAC and 802.1x then that is what I'm looking for. I was concerned that it was one or the other and not both. I have been looking into the Cisco ISE server to manage the policies but I'll have to look into ForeScout as well. The system is mainly Meraki and is cloud SDN basically. They have their own features for access control but not as granular as we would like.

    If I were to authenticate off of a NAC like ForeScout or ISE, I would want to be able to:

    1. Identify the user based on user/pass credentials or MAC address
    2. Compare the user / MAC against a policy that specifies attributes including:
         - Assigned VLAN
         - Bandwidth limitations
         - Content control

    Is this something that ForeScout can do?
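The two-step policy the author lists above (identify by credentials or by MAC, then look up VLAN, bandwidth and filter attributes) is exactly what a RADIUS server does when it builds the Access-Accept for an AP. The following is an added example, not code from the thread, from ForeScout, ISE or Meraki; it models that decision for a single shared SSID. The VLAN reply uses the standard Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes (RFC 3580) and Filter-Id (RFC 2865); the rate-limit key, the policy tables, the MAC addresses and the rule "no EAP-Message means MAC authentication" are constructed assumptions for the example, not any vendor's behaviour.

```python
"""Toy RADIUS policy decision for a mixed 802.1X / MAC-authentication SSID.

Added example (not from the thread or any vendor). The policy tables and
MAC addresses are constructed; "X-Rate-Limit-Kbps" is a placeholder because
rate limiting has no standard RADIUS attribute and is vendor-specific.
"""
import re
from typing import Optional

VLAN = 13      # Tunnel-Type value meaning "VLAN" (RFC 3580)
IEEE_802 = 6   # Tunnel-Medium-Type value meaning "IEEE-802" (RFC 3580)

# Hypothetical per-unit accounts used by 802.1X-capable clients.
USER_POLICY = {
    "unit101": {"vlan": 101, "rate_kbps": 50000, "filter": "unit101-acl"},
    "unit102": {"vlan": 102, "rate_kbps": 20000, "filter": "unit102-acl"},
}

# Hypothetical allowlist for devices that only speak WPA2-PSK (e.g. a thermostat).
# Same VLAN as its unit, but a tight filter and a low rate, since a MAC can be
# spoofed and this entry is all that stands between a spoofer and the unit's subnet.
MAC_POLICY = {
    "00:11:22:33:44:55": {"vlan": 101, "rate_kbps": 1000, "filter": "iot-only"},
}


def normalize_mac(raw: str) -> Optional[str]:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff
    and return the lowercase colon form; None if it is not a 48-bit MAC.
    Different access points format the MAC differently, so normalize before lookup."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def _accept(policy: dict) -> dict:
    """Build the Access-Accept attributes that place the client on its VLAN."""
    return {
        "code": "Access-Accept",
        "Tunnel-Type": VLAN,
        "Tunnel-Medium-Type": IEEE_802,
        "Tunnel-Private-Group-ID": str(policy["vlan"]),
        "Filter-Id": policy["filter"],              # name of an ACL configured on the AP/NAS
        "X-Rate-Limit-Kbps": policy["rate_kbps"],   # placeholder; vendor-specific in practice
    }


def decide(request: dict) -> dict:
    """request: RADIUS Access-Request attributes as a dict.
    Returns the reply attributes, with "code" being Access-Accept or Access-Reject."""
    user = request.get("User-Name", "")
    station = normalize_mac(request.get("Calling-Station-Id", ""))

    if "EAP-Message" in request:
        # 802.1X: the EAP method is assumed to have verified the password upstream.
        # Only named accounts are honoured on this path; a MAC typed as a username
        # must not inherit a device policy.
        policy = USER_POLICY.get(user)
        return _accept(policy) if policy else {"code": "Access-Reject"}

    # MAC authentication (assumption: the NAS sends the MAC as User-Name).
    # Require it to match the MAC the AP actually saw in Calling-Station-Id.
    claimed = normalize_mac(user)
    if claimed is None or claimed != station:
        return {"code": "Access-Reject"}
    policy = MAC_POLICY.get(claimed)
    return _accept(policy) if policy else {"code": "Access-Reject"}


if __name__ == "__main__":
    # Constructed requests: a phone doing 802.1X, then a thermostat doing MAC auth.
    print(decide({"User-Name": "unit101", "EAP-Message": b"\x02",
                  "Calling-Station-Id": "AA-BB-CC-DD-EE-FF"}))
    print(decide({"User-Name": "001122334455",
                  "Calling-Station-Id": "00-11-22-33-44-55"}))
```

The point of keeping two separate tables is that a MAC-authenticated device gets only the narrow "iot-only" filter and a small rate, never the full per-unit policy; since the accepted answer below is right that MACs can be spoofed, the allowlist entry should grant the least access the device needs, and the RADIUS accounting for that MAC is worth alerting on if it appears from two access points at once.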

    Accepted Solution

    Yes. Get a demo from them; there are others, but after investigating NAC for the past 5 years, they are the only one I'd even consider. As a security professional, I am glad to see these steps being taken for this newer home trend, but it's not enough :( MACs can be spoofed, and these devices that talk WPA(2) and Bluetooth (so the phone apps can control them) and other protocols are not (yet) very secure.

    I think you'll have good results working with ForeScout, the others that might be worth looking into are:

    **edited to add this, just now:

    Author Comment

    Thanks for that. I agree and as a security "guy" in networking, I am concerned with this as well. A lot of planning needs to be done in order to maintain security with all of these IoT devices. It would be great if we could use some of the other technologies but in this case it isn't possible. Each unit will have a control processor and this processor serves up the UI for the mobile devices as well as sends the commands to all of the controlled devices in the home. That would include lighting, AV, HVAC, Shades, security, etc... It is a great solution for home control and is on the higher end of the products available on the market. It requires that all devices be connected via wired or wireless Ethernet. This deployment is unique and hopefully it will be a kind of benchmark for the way a large MDU can be brought into the smart home arena.
