farroar asked:

802.1x authentication - MAC address plus user-entered credentials

I'm working on a project where we will be using Meraki equipment. We want there to be a single SSID throughout the entire project. When a user with their device connects to the common SSID and WPA PSK, they will be prompted for their username and password. This authentication will place them on their assigned VLAN within the network, which will allow them to communicate only with their equipment but still be able to roam wherever. This prevents the need to have 100+ SSIDs, one for each account. The only issue I am seeing is with some wireless devices that do not support 802.1x authentication. They only support standard WPA2. How can I configure a server to look at the MAC address of the device if it is incapable of the username/password entry and allow it on a specific VLAN, but still keep the functionality of having users enter the username/password from their mobile devices?

I will have some kind of LDAP or Active Directory server in place to maintain the user accounts and to function as a RADIUS server.

Thanks!
Rich Rumble replied:

You probably want to look at NAC solutions like ForeScout. Also, why in the world would you need 100's of SSIDs? Typically companies have two, one for guests and one for employees. The guest SSID only allows internet access; the employee SSID allows those users with a user/pass into the network. You can then use the MAC address and/or 802.1x to place the users into VLANs, or apply rules/filters to their MAC/IP. I've not run into many devices that are wireless and don't support 802.1x, except for dumb devices like printers. Phones, PDAs, tablets, even gaming systems typically support 802.1x. In the cases where it's not supported, you make exceptions based on the MAC address.
-rich
farroar (asker) replied:

Thanks for the input, Rich. The design is for a large residential MDU: many users who each require an individual subnet, but with a common infrastructure. These are "smart homes" that have many of their internal devices controlled via mobile apps. If each unit had its own SSID, it would be far too complicated to implement and manage, considering the specifics of the requirements for each unit. There are wireless thermostats in each unit that will be controlled by the user and need to be on their subnet only. These do not accept 802.1x authentication. I would need these dumb devices to be authenticated based on their MAC address, and all other devices, if they are capable, to use user/pass credentials. The whole system will allow them to roam around the entire campus and access the WLAN on their subnet as well as monitor and control their own equipment.

If you are saying I can do both MAC and 802.1x then that is what I'm looking for. I was concerned that it was one or the other and not both. I have been looking into the Cisco ISE server to manage the policies but I'll have to look into ForeScout as well. The system is mainly Meraki and is cloud SDN basically. They have their own features for access control but not as granular as we would like.

If I were to authenticate off of a NAC like ForeScout or ISE, I would want to be able to:

1. Identify the user based on user/pass credentials or MAC address
2. Compare the user / MAC against a policy that specifies attributes including:
     - Assigned VLAN
     - Bandwidth limitations
     - Content control

Is this something that ForeScout can do?
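As an added illustration of the two-path policy the asker lists (this is not code from the thread, from Meraki, ForeScout or ISE): a minimal RADIUS-style authorization routine that authenticates a username/password for 802.1X-capable clients, falls back to a per-unit MAC allowlist only for requests that carry no credentials, and returns the VLAN via the RFC 3580 Tunnel-* attributes plus a Filter-Id naming the bandwidth/content profile. The user records, MAC addresses and the assumption that the NAS maps Filter-Id to a group policy are all constructed for the example.

```python
import hashlib
import hmac
import re

SALT = "constructed-salt"

# Constructed per-unit policy: VLAN, bandwidth cap and content-control profile.
POLICY = {
    "unit101": {"vlan": 101, "bandwidth_kbps": 20000, "content_profile": "standard"},
    "unit102": {"vlan": 102, "bandwidth_kbps": 10000, "content_profile": "family"},
}

def make_record(password, unit):
    """Constructed user record: salted password hash and the unit it belongs to."""
    return (hashlib.sha256((SALT + password).encode()).hexdigest(), unit)

USERS = {"alice": make_record("correct horse", "unit101")}   # 802.1X accounts
MAB_DEVICES = {"00:11:22:33:44:55": "unit101"}               # thermostats etc., no 802.1X

def normalize_mac(s):
    """Accept 001122334455, 00-11-22-33-44-55 or 00:11:22:33:44:55; return colon form or None."""
    hexonly = re.sub(r"[^0-9a-fA-F]", "", s or "").lower()
    if len(hexonly) != 12:
        return None
    return ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))

def reply_attrs(unit, source):
    """Build the Access-Accept attributes for a unit; 'source' records which path admitted the client."""
    p = POLICY[unit]
    return {
        "Tunnel-Type": 13,                         # VLAN (RFC 3580)
        "Tunnel-Medium-Type": 6,                   # IEEE-802 (RFC 3580)
        "Tunnel-Private-Group-ID": str(p["vlan"]),
        # Assumed hook: the NAS maps this Filter-Id to a group policy carrying the cap and content rules.
        "Filter-Id": f"{p['content_profile']}-{p['bandwidth_kbps']}kbps-{source}",
    }

def authorize(req):
    """req is a dict of RADIUS request attributes. Returns (code, attrs-or-reason)."""
    user = req.get("User-Name", "")
    mac = normalize_mac(req.get("Calling-Station-Id", ""))
    if "User-Password" in req:
        # Credential path. A wrong password is rejected outright: never silently fall back to MAC.
        rec = USERS.get(user)
        digest = hashlib.sha256((SALT + req["User-Password"]).encode()).hexdigest()
        if rec and hmac.compare_digest(rec[0], digest):
            return ("Access-Accept", reply_attrs(rec[1], "dot1x"))
        return ("Access-Reject", "bad credentials")
    # MAC-auth path: the NAS sends the MAC as User-Name; it must match Calling-Station-Id and the allowlist.
    if mac and normalize_mac(user) == mac and mac in MAB_DEVICES:
        return ("Access-Accept", reply_attrs(MAB_DEVICES[mac], "mab"))
    return ("Access-Reject", "unknown device")
```

Because a MAC address is trivially cloned, the MAC path here only ever lands a device in its own unit's VLAN with a profile tagged "mab", so a spoofed thermostat gains no more than the thermostat had.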
ASKER CERTIFIED SOLUTION (Rich Rumble):

farroar (asker) replied:

Thanks for that. I agree, and as a security "guy" in networking, I am concerned with this as well. A lot of planning needs to be done in order to maintain security with all of these IoT devices. It would be great if we could use some of the other technologies, but in this case it isn't possible. Each unit will have a control processor, and this processor serves up the UI for the mobile devices as well as sends the commands to all of the controlled devices in the home. That would include lighting, AV, HVAC, shades, security, etc. It is a great solution for home control and is on the higher end of the products available on the market. It requires that all devices be connected via wired or wireless Ethernet. This deployment is unique, and hopefully it will be a kind of benchmark for the way a large MDU can be brought into the smart home arena.

Thanks!