topic Re: 802.1x Mac-Adress Based Authentication in Network Access Control

802.1x Mac-Adress Based Authentication

mhernandez11 — Sun, 10 Mar 2019 21:09:54 GMT

I am wondering if we are going to see or now have the ability to authenticate hosts on the lan with something other than a Username / Password? I am mostly concerned with ports on my network that the end device is a non 802.1x compliant device. Anyone have any insight as to what others are doing? Currently i am running ACS 3.3.2 and I am very succesful in deploying 802.1x to ports on my LAN, however we run a mix of unix based devices which are vendor supported and printers are another source of concern.

??? 🙂

Re: 802.1x Mac-Adress Based Authentication

rmihalcin — Tue, 24 May 2005 23:51:39 GMT

mhernandez11

You could use VMPS which is mac-address authentication for those fixed devices. You would have to track the ports down and change the port type to "switchport access vlan dynamic". The other thing that comes to mind is switchport port security for the printers.

Bob

Re: 802.1x Mac-Adress Based Authentication

mhernandez11 — Wed, 25 May 2005 00:52:58 GMT

VMPS is not available on ciscoIOS on switches. All of our switches are running in nativemode (ciscoios) so we lost all VMPS capabilities, only 802.1x remains.

Re: 802.1x Mac-Adress Based Authentication

rmihalcin — Thu, 26 May 2005 01:13:40 GMT

mhernandez11

The vmps "server" has to be catalyst OS, not the client switches. The "switchport" command is native IOS.I don't know how may devices you have, but you just need to run catalyst code on 1 or 2 switches as the servers.

And how about switchport security?

Bob

Re: 802.1x Mac-Adress Based Authentication

mhernandez11 — Thu, 26 May 2005 11:15:13 GMT

We have absolutely no devices running catOS, thats the reason i am wondering about 802.1x because we are succesfully deploying that amongst all of end point devices. I have read that in wireless there is MAC address based authentication through leap.

Re: 802.1x Mac-Adress Based Authentication

Josef Oduwo — Thu, 26 May 2005 11:20:52 GMT

Bob, mhernandez11,

Depends too, on how big your VMPS config database is...

It can get unmanageable and in my (little) experience requires constant watching.

Josef.

Re: 802.1x Mac-Adress Based Authentication

mhernandez11 — Thu, 26 May 2005 11:51:35 GMT

It is a management nightmare. Additionally i am concerned about the mac address based authentication in 802.1x because of the same issues however it will be a smaller group of devices such as printers and other non compliant equipment.

Re: 802.1x Mac-Adress Based Authentication

ericds — Fri, 27 May 2005 00:17:36 GMT

We had pretty good luck using a Cold Fusion front end that forces users to authenticate with their AD credentials. It pulls the MAC address and host name and user/machine details and puts them in an ODBC database.

We modified the sample stub routine to have the CSDB stub routine add the MAC to the local database in the PAP field.

Kind of a nice compromise of identity and machine based authentication without the complexities of PEAP/EAP-FAST etc.

Re: 802.1x Mac-Adress Based Authentication

jasper.grennigan — Fri, 27 May 2005 14:12:10 GMT

Eric,

Sounds like you have a pretty nifty operation going there.

Was it written inhouse? How much effort do you put in maintaining the database?

JG.