
SSID with PEAP & MSCHAPv2 authentication and CWP, and bypass CWP if MAC known

Paul_Kyte
New Contributor II

I have an SSID that uses PEAP and MSCHAPv2 authentication with a CWP. The RADIUS Server is external and my WAPs are Extreme AP4000s. I'm using the Cloud IQ to configure and manage the WiFi and APs. This all works fine.

What I'm wanting to do now is to configure MAC authentication to be tried first with CWP bypass if successful. If the MAC auth fails I'm wanting the PEAP/MSCHAPv2 to be done with CWP.

I've not been able to get this setup. Can someone tell me if this is possible and if so how is it configured?

Thanks,

Paul

1 ACCEPTED SOLUTION

James_A
Valued Contributor

What you need to do is send a RADIUS attribute for known MAC addresses, and then match it in the user access settings at the bottom of the wireless network config. One thing to note is that even if it's going to be the same VLAN, you need two distinct user profiles, one for CWP and one without:

 

[Image: James_A_0-1705297590993.png]

See also https://community.extremenetworks.com/t5/extremecloud-iq/show-user-role/m-p/89229/highlight/true#M24...

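The authorization decision the accepted answer describes, as an added Python example (not from the thread, and not ISE or ExtremeCloud IQ configuration). Assumptions: the client MAC arrives in Calling-Station-Id, the reply attribute is Filter-Id, and the two profile names are hypothetical.

```python
import re

# Assumptions for illustration; none of these names come from the thread.
REPLY_ATTRIBUTE = "Filter-Id"      # attribute the AP's user access rule would match
PROFILE_NO_CWP = "staff-no-cwp"    # hypothetical user profile without captive portal
PROFILE_CWP = "staff-cwp"          # hypothetical user profile with captive portal


def normalize_mac(calling_station_id):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and bare hex,
    because the format differs between vendors and inventory exports.
    """
    digits = re.sub(r"[:\-.\s]", "", calling_station_id or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def build_known_set(entries):
    """Normalize an inventory list once; reject entries that are not MACs."""
    known = set()
    for entry in entries:
        mac = normalize_mac(entry)
        if mac is None:
            raise ValueError(f"not a MAC address: {entry!r}")
        known.add(mac)
    return known


def authorize(peap_ok, calling_station_id, known_macs):
    """Return Access-Accept reply attributes, or None for Access-Reject."""
    if not peap_ok:
        # A known MAC never replaces the 802.1X credentials: MACs are
        # trivially cloned, so the match only decides whether CWP is shown.
        return None
    mac = normalize_mac(calling_station_id)
    profile = PROFILE_NO_CWP if mac in known_macs else PROFILE_CWP
    return {REPLY_ATTRIBUTE: profile}


# Constructed sample inventory, mixed formats on purpose.
KNOWN_MACS = build_known_set(["00-11-22-AA-BB-CC", "0011.22dd.eeff"])

if __name__ == "__main__":
    for ok, mac in [(True, "00:11:22:aa:bb:cc"), (True, "de:ad:be:ef:00:01"),
                    (False, "00:11:22:aa:bb:cc")]:
        print(ok, mac, authorize(ok, mac, KNOWN_MACS))
```

Because both profiles can map to the same VLAN, the only difference the returned value makes on the AP is whether the captive portal is applied.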

9 REPLIES

Paul_Kyte
New Contributor II

Hi James,

Thanks for the prompt reply and the suggestion to do the MAC lookup on the ISE Server. Unfortunately this isn't possible as the authentication either needs to be MAC or 802.1x. The MAC address is contained in the 802.1x authentication but I don't have any way to configure a test for known MAC and then a test for valid user credentials. The MAC is only known after a valid user authentication, so if I do MAC auth first it will fail and then it will never get to the user authentication.

The reality is I'm just wanting to do a MAC Bypass on the Wireless much the same as you can on the wired network. I don't want to do MAC and 802.1x authentication that the Extreme WAP is doing. Is there any way to configure it so that it does a MAC Auth and on failure of this do an 802.1x Auth?

Thanks,

Paul

James_A
Valued Contributor

Not really, 802.1X is done on association to the SSID, so it has to be done first or together. If you want MAC auth alone why not just have a PSK or PPSK SSID as well for those devices that should do MAC auth? I'm not too familiar with ISE but another option could be a captive portal with AD login?

Paul_Kyte
New Contributor II

Hi James,

 

Thanks for your reply. I have tried the configuration you have suggested but it doesn't quite fully work. I'm going to try another modification to the setup to see if it will work as I want it to. Unfortunately I'm very busy and won't be able to do this for another few weeks. I will get around to doing this and I will come back and state whether it worked as I wanted it to or not. Thanks.

James_A
Valued Contributor

Does the RADIUS server do CoA? If it doesn't then the APs won't know that captive portal authentication has been successful until the auth cache times out (which can take a while; I have to do it manually if it didn't work, see "How To: How to disassociate a client device from an AP in ExtremeCloud IQ (XIQ) | Extreme Portal").
