Scripting 802.11x WM3600

  • Question
  • Updated 3 years ago
  • Answered
I'm trying to implement 802.11x on our WM3600 controller. Since I have a list of known MAC addresses from my hardware inventory software, I was wondering what the easiest way is of scripting it daily so any additional workstations get automatically added to a firewall list on the WM3600? Is there a better way of doing this?

Tom Taylor


Posted 3 years ago


Chad Smith, Alum

Tom,

What are you using for your RADIUS server?  What type of authentication are you using on the WLAN?  

802.1X will block the clients from sending traffic on the network until they are properly authenticated.  So, you shouldn't need to modify the firewall to allow/deny them.  If you are trying to restrict access after authentication, it may be easier to do that based on some other trigger other than MAC address.  The best method would probably depend on the specifics of what types of devices you are trying to restrict and what you are trying to restrict them from doing.

Tom Taylor

I'm using a Windows RADIUS server which has a god-awful implementation of MAC address filtering, especially for non-Windows clients.

So basically what you're saying is to try to block 'em at the auth level before the firewall? If so, I probably need to have a look at open Radius.

As for the types of devices, I'm trying to allow our company-owned devices to authenticate to a specific SSID and block all non-company devices.

Chad Smith, Alum

Tom,

I assume based on your response that authenticating based on a corporate user/password is not sufficient. The hardware itself must also be restricted.

It may require a lot of work up front, but getting all the company owned assets stored into the RADIUS server or Active Directory is probably the best course of action.  You would then deny all access to that SSID if the device wasn't in the database.  

I believe maintaining a MAC based firewall policy on the WM controller could get a bit unwieldy.  To your question on scripting, the WM doesn't natively have any scripting capability.  You would need to create a script on a remote device that would telnet/SSH into the WM and modify the firewall.

Tom Taylor

OK, good to know. I think for now I'll probably investigate FreeRADIUS and figure out how to script that so it's done on an auth level.

Thanks for getting back to me! Absolutely love the new forums for this reason alone!
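
An added example, not part of any post in this thread: a Python version of the daily step discussed above, turning an inventory export into a normalized MAC allowlist and reporting what changed since the previous run. The CSV column names, the sample addresses and the `aa-bb-cc-dd-ee-ff` output form are assumptions; how the list is loaded into the RADIUS server depends on the deployment.

```python
import csv
import io
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Return the MAC as aa-bb-cc-dd-ee-ff, or None if it is unusable."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    if not _HEX12.match(digits):
        return None                      # not 12 hex digits
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:               # multicast/broadcast, never a client
        return None
    if first_octet & 0x02:               # locally administered (randomized)
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def sync(inventory_csv, previous, column="mac"):
    """Compare today's inventory export with the previous allowlist."""
    current, rejected = set(), []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        value = row.get(column) or ""
        mac = normalize_mac(value)
        if mac is None:
            rejected.append(value)       # surface for manual review
        else:
            current.add(mac)             # set removes duplicate rows
    prev = {m for m in map(normalize_mac, previous) if m}
    return {
        "allow": sorted(current),
        "added": sorted(current - prev),
        "removed": sorted(prev - current),
        "rejected": rejected,
    }

# Constructed sample data: mixed separators, a duplicate, a randomized
# (locally administered) address and a missing value.
INVENTORY = """host,mac
ws-001,00:1A:2B:3C:4D:5E
ws-002,001a.2b3c.4d5f
ws-003,00-1A-2B-3C-4D-5E
phone-7,DA:A1:19:00:00:01
printer,not-recorded
"""
PREVIOUS = ["00-1a-2b-3c-4d-5e", "00-1a-2b-00-00-99"]

if __name__ == "__main__":
    for key, value in sync(INVENTORY, PREVIOUS).items():
        print(key, value)
```

Reviewing the `removed` and `rejected` lists before applying them keeps a bad inventory export from locking out devices in bulk.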