MAC-Based Access Control Using Cisco ISE - MR Access Points

Security Considerations

MAC-Based Access Control has some security implications which must be considered before using this method as a primary method to secure a wireless network.

• It is not an association method that supports wireless encryption. Communication between wireless clients and the MR is not encrypted and can be intercepted and viewed as clear text by “man-in-the-middle” devices using easily accessible wireless capture tools. Therefore clients will need to rely on upper layer protocols for encrypting traffic, such as SSL or IPsec, once a device has gained network access.
• Because the MAC address of the device is used as the authentication credentials, an attacker can easily gain network access by spoofing the MAC address of previously authenticated clients.

Adding Managed Network Devices

MR access points acting as authenticators (devices through which AAA requests are sent to Cisco ISE,) need to be added to ISE before access-requests will be answered by the ISE server. By default the server will not answer any requests. To add a new device:

1. In Cisco ISE, choose Administration > Network Resources > Network Devices.

2. From the Network Devices navigation pane on the left, click Network Devices.

3. Click Add, from the action icon on the Network Devices navigation pane or click an already added device name from the list to edit it.
4. In the right pane, enter the Name and IP Address. As for the Mask, you can add devices inside a network individually or using a larger CIDR notation, such as /24, to avoid manually importing multiple endpoint IPs.
5. Check the Authentication Settings check box and define a Shared Secret for RADIUS authentication. This must match the Secret entered for the RADIUS server when configuring the SSID in Dashboard.

6. Click Submit.

Once a device is added, it will show up on the device list in ISE.

Creating a Policy Set

1. Click on Policy > Policy Sets

2. Click the plus (+) sign or click on the settings icon and Create above to create  a new policy set.

3. Enter the Name, Description and a Condition for this group policy.

4. Click on Condition, a new menu will show. Match the necessary condition. Per SSID policy sets are recommended, therefore, the attribute “Radius·Called-Station-ID” ENDS WITH “<SSID name>”  is the preferred option. Click "Use" after configuring this step.

5. Define allowed protocols, by default Default Network Access can be used.

6. Click on Save.

Create Authentication Policy

1. Open the policy by clicking on the right arrow under the "View" column.

2. By default, the Authentication Policy allows “All User ID Stores”, which is where ISE looks for users. Since in this case, the User (device MAC address), will be used only on the Authorization rule, select the “Default” rule, click on “Options”, and change “If user not found” to CONTINUE.

Create Authorization Policy

Authorization Policies will define the rules to use the MAC address of the client for authorization. In this example it is looking at an internal group of MAC addresses/Users created in ISE. To create a new rule to grant access for these users, the following must be done:

1. Select Authorization Policy

2. Click on the plus (+) sign or on the settings icon to create a new rule.

3. Click on Condition and a new window will pop up. In this window the client access method can be selected. 

   • Select Click to add attribute.

   • Different conditions can be used depending on where the Users/MAC addresses are stored. For this example, an internal Endpoint Identity Group will be selected. 

   • Select “IdentityGroup:Name” IN <Group where MACs are>

4. Select Use.

5. Select Results, then select Permit Access, or a result that allows access for the device.

6. Click Save.