Friday, April 9, 2021

802.1x / WiFi: Combination of WPA2-EAP and MAC authentication on same SSID?

TL;DR: I have received the order to investigate how to get roughly 300 IoT devices connected to our network, but they have rather limited WiFi support and I'm trying to wrap my head around possibilities on how to get them integrated. The vendor often mentioned MAC address whitelisting...

Most of their current customers seem to give them a separate WPA-PSK SSID. I'm not that keen on adding PSK to the mix, and no SSID currently has PSK enabled. I also can't simply add another SSID, since I'm already at the limit of 4 announced SSIDs our APs can support. The IoT vendor doesn't have any existing customers with WPA-EAP; they would be interested in EAP support but are lacking experience in that area.

I'm trying to understand if we could even remotely think about adding support for these devices onto our main WPA2-EAP SSID for plain MAC authentication bypass. It does sound counterintuitive to me though. I've never encountered this combination and so far it looks weird to do both (either devices get whitelisted based on their MAC, or they do PEAP-MSCHAPv2 / EAP-TLS), so I'm uncertain if that is even a remote possibility. Technically FreeRADIUS on its end can do both at the same time; that's not that uncommon on wired networks - but on wireless?

Though the microcontrollers they use (an Arduino core) should have had support for EAP-TLS for some years already based on some research... but they failed to import the client certificates we've given them so far, and I'm trying to look for alternatives.
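For reference, the RADIUS-side branching mentioned above (EAP if the supplicant speaks it, MAC lookup otherwise) looks like this in FreeRADIUS 3.x unlang. This is an added illustration, not the post's own or FreeRADIUS's shipped configuration; it assumes a `files` instance named `authorized_macs`, a constructed MAC entry, an assumed IoT VLAN id of 30, and that the wireless controller actually sends MAC-only Access-Requests (no `EAP-Message`) for that SSID, which is the part the post is unsure about.

```conf
# --- mods-enabled/authorized_macs (constructed) ---
# Second "files" instance keyed on the client MAC instead of User-Name.
files authorized_macs {
    key = "%{Calling-Station-Id}"
    filename = ${confdir}/authorized_macs
}

# --- ${confdir}/authorized_macs (constructed sample entry) ---
# 00-11-22-33-44-55
#     Reply-Message = "IoT device %{Calling-Station-Id} authorized"

# --- sites-enabled/iot-mac-or-eap (relevant sections only) ---
authorize {
    preprocess
    # Normalise the MAC to aa-bb-cc-dd-ee-ff so the file lookup matches
    # whatever format the AP/controller sends.
    rewrite_calling_station_id

    # Case 1: a real supplicant (PEAP-MSCHAPv2 / EAP-TLS). The eap module
    # takes over and the MAC logic below is skipped entirely.
    eap {
        ok = return
    }

    # Case 2: no EAP-Message at all -> MAC authentication bypass.
    # Accept only if the MAC is on the list; never fall through to
    # PAP/MSCHAP with an unknown device.
    if (!&EAP-Message) {
        authorized_macs
        if (ok) {
            update control {
                &Auth-Type := Accept
            }
        }
        else {
            reject
        }
    }
}

post-auth {
    # MAC-authenticated devices get their own (assumed) VLAN 30, so a
    # whitelisted MAC never lands in the same segment as EAP users.
    if (!&EAP-Message) {
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "30"
        }
    }
}
```

Note that this only decides what the RADIUS server answers; whether the AP asks at all for a client that never starts EAP on a WPA2-Enterprise SSID depends on the wireless controller, not on FreeRADIUS.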
