This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Scripting 802.11x WM3600

Scripting 802.11x WM3600

Tom_Taylor
New Contributor II

‎08-21-2015 12:56 PM

I'm trying to implement 802.11x on our WM3600 controller. Since I have a list of know mac addresses from my hardware inventory software I was wondering what the easiest way is of scripting it daily so any additional workstations get automatically added to a firewall list on the WM3600? Is there a better way of doing this ?
0 Kudos
4 REPLIES 4

Chad_Smith1
Extreme Employee

‎08-21-2015 01:40 PM

Tom,

What are you using for your RADIUS server? What type of authentication are you using on the WLAN?

802.1X will block the clients from sending traffic on the network until they are properly authenticated. So, you shouldn't need to modify the firewall to allow/deny them. If you are trying to restrict access after authentication, it may be easier to do that based on some other trigger other than MAC address. The best method would probably depend on the specifics of what types of devices you are trying to restrict and what you are trying to restrict them from doing.
0 Kudos

Tom_Taylor
New Contributor II
In response to Chad_Smith1

‎08-21-2015 01:40 PM

Ok, good to know. I think for now I'll probably investigate Free Radius and figure out how to script that so it's done on an auth level.

Thanks for getting back to me! Absolutely love the new forums for this reason alone!
0 Kudos

Chad_Smith1
Extreme Employee
In response to Chad_Smith1

‎08-21-2015 01:40 PM

Tom,

I assume based on your response that authenticating based on a corporate user/password is not sufficient. The hardware itself must also be restricted.

It may require a lot of work up front, but getting all the company owned assets stored into the RADIUS server or Active Directory is probably the best course of action. You would then deny all access to that SSID if the device wasn't in the database.

I believe maintaining a MAC based firewall policy on the WM controller could get a bit unwieldy. To your question on scripting, the WM doesn't natively have any scripting capability. You would need to create a script on a remote device that would telnet/SSH into the WM and modify the firewall.
0 Kudos

Tom_Taylor
New Contributor II
In response to Chad_Smith1

‎08-21-2015 01:40 PM

I'm using a windows RADIUS server which has god awful implementation of Mac address filtering, especially for non-windows clients.

So basically what you're saying to to try block em at the auth level before the firewall ? If so, I probably need to have a look at open Radius.

As for the types of devices, I'm trying to allow our company owned devices to authenticate to a specific SSID and block all non-company devices.
0 Kudos
GTM-P2G8KFN