MAC-Based Access Control Using Cisco ISE - MR Access Points
Overview
MAC-Based Access Control is one method for preventing unauthorized access to the Wireless LAN. This article discusses how MAC-Based Access Control works and provides step-by-step configuration instructions for Cisco Identity Services Engine (ISE) and the Meraki dashboard.
MAC-Based Access Control
It is critical to control which devices can access the Wireless LAN. MAC-Based Access Control can be used to provide network access control on MR series access points. With MAC-Based Access Control, devices must be authenticated by a RADIUS server before network access is granted on an SSID.
When a wireless device associates, the Access Point (Authenticator) sends a RADIUS Access-Request to the RADIUS server containing a username and password for that device. With MAC-Based Access Control, the username and the password are both the MAC address of the connecting device, in lower case and without delimiting characters.
If a RADIUS policy exists on the server that specifies the device should be granted access and the credentials are correct, the RADIUS server will respond with an Access-Accept message. Upon receiving this message, the access point will grant network access to the device on the SSID.
If the RADIUS server replies with an Access-Reject (because the device matches no existing policy, or because a rule on the RADIUS server explicitly denies the client), the access point will not grant network access to the device.
Below is a diagram showing a successful authentication exchange:
Security Considerations
MAC-Based Access Control has some security implications which must be considered before using this method as a primary method to secure a wireless network.
- It is not an association method that supports wireless encryption. Communication between wireless clients and the MR is not encrypted and can be intercepted and viewed as clear text by “man-in-the-middle” devices using easily accessible wireless capture tools. Therefore, once a device has gained network access, clients must rely on upper-layer protocols such as SSL or IPsec to encrypt their traffic.
- Because the MAC address of the device is used as the authentication credentials, an attacker can easily gain network access by spoofing the MAC address of previously authenticated clients.
Deploying MAC-Based Access Control in Cisco ISE
Below are the steps necessary in order to deploy MAC-based Access Control in Cisco ISE.
Adding Managed Network Devices
MR access points acting as authenticators (the devices through which AAA requests are sent to Cisco ISE) must be added to ISE before the ISE server will answer their Access-Requests; by default the server does not answer requests from unknown devices. To add a new device:
- In Cisco ISE, choose Administration > Network Resources > Network Devices.
- From the Network Devices navigation pane on the left, click Network Devices.
- Click Add, from the action icon on the Network Devices navigation pane or click an already added device name from the list to edit it.
- In the right pane, enter the Name and IP Address. As for the Mask, you can add devices inside a network individually or using a larger CIDR notation, such as /24, to avoid manually importing multiple endpoint IPs.
- Check the Authentication Settings check box and define a Shared Secret for RADIUS authentication. This must match the Secret entered for the RADIUS server when configuring the SSID in Dashboard.
- Click Submit.
Once a device is added, it will show up on the device list in ISE.
Creating a Policy Set
- Click on Policy > Policy Sets.
- Click the plus (+) sign, or click on the settings icon and then Create above, to create a new policy set.
- Enter the Name, Description and a Condition for this policy set.
- Click on Condition; a new menu will show. Match the necessary condition. Per-SSID policy sets are recommended, so the condition “Radius·Called-Station-ID” ENDS WITH “<SSID name>” is the preferred option. Click "Use" after configuring this step.
- Define the allowed protocols; by default, Default Network Access can be used.
- Click on Save.
Create Authentication Policy
- Open the policy by clicking on the right arrow under the "View" column.
- By default, the Authentication Policy allows “All User ID Stores”, which is where ISE looks for users. Since in this case the user (the device MAC address) will be used only in the Authorization rule, select the “Default” rule, click on “Options”, and change “If user not found” to CONTINUE.
Create Authorization Policy
Authorization Policies will define the rules to use the MAC address of the client for authorization. In this example it is looking at an internal group of MAC addresses/Users created in ISE. To create a new rule to grant access for these users, the following must be done:
- Select Authorization Policy.
- Click on the plus (+) sign or on the settings icon to create a new rule.
- Click on Condition and a new window will pop up. In this window the client access method can be selected.
- Select Click to add attribute.
- Different conditions can be used depending on where the users/MAC addresses are stored. For this example, an internal Endpoint Identity Group will be selected.
- Select “IdentityGroup:Name” IN <Group where MACs are>.
- Select Use.
- Select Results, then select Permit Access, or another result that allows access for the device.
- Click Save.
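The following added example (not Meraki or Cisco code) models the exchange described above: it derives the User-Name/User-Password credential the MR sends from a client MAC, then evaluates a per-SSID policy set (Called-Station-ID ENDS WITH the SSID) and an authorization rule against an internal Endpoint Identity Group. The Called-Station-Id layout, the group names and the MAC addresses are constructed assumptions for illustration.

```python
import re
from typing import Dict, Set

# Constructed sample identity store: endpoint group -> normalized MACs (assumption)
ENDPOINT_GROUPS: Dict[str, Set[str]] = {
    "Corp-Printers": {"001a2b3c4d5e", "aabbccddeeff"},
}


def mac_credential(mac: str) -> str:
    """Normalize a MAC into the credential form the MR AP sends as both
    User-Name and User-Password: lower-case hex with no delimiters.
    Accepts colon, hyphen and Cisco dotted notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def build_access_request(client_mac: str, ap_mac: str, ssid: str) -> Dict[str, str]:
    """Attributes of the RADIUS Access-Request the authenticator would send.
    Called-Station-Id is assumed to be '<AP MAC>:<SSID>' so an ENDS WITH
    condition on the SSID name selects the policy set."""
    cred = mac_credential(client_mac)
    return {
        "User-Name": cred,
        "User-Password": cred,
        "Called-Station-Id": f"{mac_credential(ap_mac).upper()}:{ssid}",
        "Service-Type": "Call-Check",  # AVP ISE uses to recognize MAC auth
    }


def evaluate(req: Dict[str, str], ssid: str, allowed_group: str) -> str:
    """Return the RADIUS response ISE would send for the configured policy set."""
    # Policy set condition: Radius.Called-Station-ID ENDS WITH "<SSID name>"
    if not req.get("Called-Station-Id", "").endswith(ssid):
        return "Access-Reject"  # no policy set matched: default deny
    # Authentication rule: credential must be the MAC; "If user not found" is
    # CONTINUE, so an unknown MAC still reaches the authorization rule.
    if req["User-Name"] != req["User-Password"]:
        return "Access-Reject"
    # Authorization rule: IdentityGroup:Name IN <allowed_group> -> Permit Access
    if req["User-Name"] in ENDPOINT_GROUPS.get(allowed_group, set()):
        return "Access-Accept"
    return "Access-Reject"
```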
Dashboard SSID configuration
Once a RADIUS server has been set up with the appropriate requirements to support authentication, the following instructions explain how to configure an SSID to support MAC-based access control, and authenticate against the RADIUS server:
- In Dashboard, navigate to Wireless > Configure > Access control.
- Select your desired SSID from the SSID drop-down (or navigate to Wireless > Configure > SSIDs to create a new SSID first).
- For Security, choose MAC-based access control (no encryption).
- Under RADIUS servers, click Add server.
- Enter the Host IP (IP address of your RADIUS server, reachable from the access points), Auth port (UDP port the RADIUS server listens on for Access-Requests; 1812 by default) and Secret (RADIUS client shared secret).
- Then click Save.
If your ISE policy relies on the Service-Type = Call-Check attribute-value pair, under Splash page select Cisco Identity Services Engine (ISE) Authentication; otherwise the access points will not include that AVP in their Access-Request packets.