https://community.cisco.com/t5/network-access-control/802-1x-certificate-authentication-mac-authorization/m-p/3057278#M24063 <P>I think i have got it figured out. I will try and use end device filters to filter by mac address after certificate authentication. I can apply the end device filters in the authorization policy and that should do it.</P> Sun, 12 Feb 2017 01:20:01 GMT darknair 2017-02-12T01:20:01Z https://community.cisco.com/t5/network-access-control/802-1x-certificate-authentication-mac-authorization/m-p/3057276#M24061 <P>I have ACS 5.8 and I am trying to use x509 authentication but use the devices mac addresses to identify which authorization policy the devices would match. I am not having any issues getting them to authenticate with the certificates but I can not figure out how to reasonably get them to uniquely match an authorization policy.</P> <P>There are approx 3K devices and they are all separated throughout the network and require different vlan assignments. I would like to use their MAC addresses to uniquely identify each device for its authorization policy but I am uncertain how to do that with X509 authentication. I want all of my authentication and authorization to be handled by ACS with no external identity stores. If I could use the internal host identity store for authorization policy selection and x509 certificates for authentication then that would be ideal.</P> <P>Is there a way to have an internal database of MACs or other uniquely identified information I could reference in the authorization policy? I have used MAB which references an identity group that is used in the authorization policy for uniquely assigning each device that connects.</P> <P></P> <P>Perfect scenario: A device starts 802.1x authentication and presents its certificate to ACS then ACS uses the devices MAC address to match it to an authorization policy to be assigned a authorization profile.</P> <P></P> <P>Thanks for any help!</P> Tue, 26 Mar 2019 00:35:39 GMT https://community.cisco.com/t5/network-access-control/802-1x-certificate-authentication-mac-authorization/m-p/3057276#M24061 darknair 2019-03-26T00:35:39Z https://community.cisco.com/t5/network-access-control/802-1x-certificate-authentication-mac-authorization/m-p/3057277#M24062 <P>Hi</P> <P>I'm sorry but not understood what you want to achieve.</P> <P>You have 3k devices and would like to apply 1 rule out mac address?</P> <P>Anyhow, ACS have internal identity store for hosts and users.&nbsp;</P> <P>You're authenticating your devices through certificates. Who is your CA? Your AD? If yes, why not using group membership of hosts to apply specific authorization rules?&nbsp;</P> <P>What type of certificates are you using? User or machine?</P> <P></P> <P>Thanks</P> <P>PS: Please don't forget to rate and mark as correct answer if this answered your question</P> Sat, 11 Feb 2017 21:51:09 GMT https://community.cisco.com/t5/network-access-control/802-1x-certificate-authentication-mac-authorization/m-p/3057277#M24062 Francesco Molino 2017-02-11T21:51:09Z https://community.cisco.com/t5/network-access-control/802-1x-certificate-authentication-mac-authorization/m-p/3057278#M24063 <P>I think i have got it figured out. I will try and use end device filters to filter by mac address after certificate authentication. I can apply the end device filters in the authorization policy and that should do it.</P> Sun, 12 Feb 2017 01:20:01 GMT https://community.cisco.com/t5/network-access-control/802-1x-certificate-authentication-mac-authorization/m-p/3057278#M24063 darknair 2017-02-12T01:20:01Z https://community.cisco.com/t5/network-access-control/802-1x-certificate-authentication-mac-authorization/m-p/3057279#M24064 <P>Ok. Let me know if you need further help.&nbsp;</P> <P>Thanks</P> <P></P> <P><SPAN>PS: Please don't forget to rate and mark as correct answer if this answered your question</SPAN></P> Sun, 12 Feb 2017 02:38:49 GMT https://community.cisco.com/t5/network-access-control/802-1x-certificate-authentication-mac-authorization/m-p/3057279#M24064 Francesco Molino 2017-02-12T02:38:49Z