01-02-2024 04:41 AM
I have an SSID that uses PEAP and MSCHAPv2 authentication with a CWP. The RADIUS Server is external and my WAPs are Extreme AP4000s. I'm using the Cloud IQ to configure and manage the WiFi and APs. This all works fine.
What I'm wanting to do now is to configure MAC authentication to be tried first with CWP bypass if successful. If the MAC auth fails I'm wanting the PEAP/MSCHAPv2 to be done with CWP.
I've not been able to get this setup. Can someone tell me if this is possible and if so how is it configured?
Thanks,
Paul
03-07-2024 04:27 AM
Hi James,
Thanks for the prompt reply and the suggestion to do the MAC lookup on the ISE Server. Unfortunately this isn't possible as the authentication either needs to be MAC or 802.1x. The MAC address is contained in the 802.1x authentication but I don't have any way to configure a test for known MAC and then a test for valid user credentials. The MAC is only known after a valid user authentication, so if I do MAC auth first it will fail and then it will never get to the user authentication.
The reality is I'm just wanting to do a MAC Bypass on the Wireless much the same as you can on the wired network. I don't want to do MAC and 802.1x authentication that the Extreme WAP is doing. Is there any way to configure it so that it does a MAC Auth and on failure of this do an 802.1x Auth?
Thanks,
Paul
02-13-2024 07:35 AM
Hi James,
Thanks for your reply. I have tried the configuration you have suggested but it doesn't quite fully work. I'm going to try another modification to the setup to see if it will work as I want it to. Unfortunately I'm very busy and won't be able to do this for another few weeks. I will get around to doing this and I will come back and state whether it worked as I wanted it to or not. Thanks.
03-08-2024 09:57 AM
Hi James, the RADIUS Server does do CoA but this is something that I'm not too clued up on. What I use is a Lab WAP and I make sure that this is cleared down of all associations and cache before I next try a test. So each test is done with a blank WAP. The only thing that I may change is whether the client MAC Address is in the RADIUS Server's database of endpoints or not.
I have seen another community query on MAC Bypass and fallback to CWP. This stated the WAP should have a change made via the command line. I don't know if I need to do something similar or if this is applicable to older model WAPs. The article is: Solved: External CWP with mac-auth and CWP bypass. Users ... - Extreme Networks - 71431
03-06-2024 09:52 AM
This is not the correct answer in my case. I don't know who marked it as correct but it wasn't me. It still isn't working as I want it to.
When I have the MAC Auth and SSID Auth configured I can see on the external RADIUS Server (Cisco ISE) that when a client connects it performs both the MAC Auth and then the SSID Auth. If one of these is unsuccessful the client isn't allowed to connect. So both Auths must pass. If there is a failure the client retries after about 10 seconds.
Upon successful authentication of both MAC and SSID the profile is applied according to the returned RADIUS attribute. However, as a value is returned for the successful MAC Auth and then a different value is returned for the SSID Auth, the latter wins and this causes the CWP and AUP to be done.
I want the CWP and AUP not to be done if the MAC Auth is successful. How do I achieve this?