topic I haven't done it with ACS in Network Access Control

Dual Authentication with MAC and radius server

jayapraki — Mon, 11 Mar 2019 05:03:54 GMT

HI,

Can any one clarify whether we can do the MAC address authentication and the Radius server authentication in the Wireless network. In my network i have WLC, ACS and AD server.

Thanks & Regards,

Jayaprakash.K.V

What do you mean by "Radius

nspasov — Fri, 26 Sep 2014 07:00:09 GMT

What do you mean by "Radius Server Authentication" ?

I mean the AD authentication.

jayapraki — Fri, 26 Sep 2014 07:05:35 GMT

I mean the AD authentication.

Ah ok :) So yes, you should

nspasov — Sun, 28 Sep 2014 09:07:50 GMT

Ah ok 🙂 So yes, you should be able to perform your user or machine based authentication against AD and also check the MAC address against the database of your Radius server. I have personally done this with both ISE and ACS. In the WLC you will set your regular 802.1x settings and also check "mac filtering." Then you have to make sure that your Radius servers are configured on the WLC and set to be used by that SSD, otherwise the mac filtering mechanism will use the WCL's local database.

Hope this helps!

Thank you for rating helpful posts!

Thank you Neno Spasov. Will

jayapraki — Mon, 29 Sep 2014 04:58:10 GMT

Thank you Neno Spasov.

Will this work without ISE. Can you please share any relevent document.

Thanks in advance.

What do you plan to use for

nspasov — Mon, 29 Sep 2014 06:25:22 GMT

What do you plan to use for Radius server?

I am using ACS 4.3 and

jayapraki — Mon, 29 Sep 2014 06:28:11 GMT

I am using ACS 4.3 and planning to upgrade to 5.3 now.

Tips to make Machine

Venkatesh Attuluri — Mon, 29 Sep 2014 15:58:28 GMT

Tips to make Machine Authentication Work - PEAP Authentication

https://supportforums.cisco.com/document/87611/tips-make-machine-authentication-work-peap-authentication

I haven't done it with ACS

nspasov — Tue, 30 Sep 2014 06:38:40 GMT

I haven't done it with ACS but it should be similar to ISE:

1. You configure your WLAN settings with the appropriate 802.1x settings. However, in addition, under >Security > Layer 2 > You need to check "Mac Filtering." Then under the AAA servers tab, make sure that your ISE server(s) is listed under both authentication and accounting

2. In ACS, you will need to:

2.1. Create an Identity Store Sequence that includes both AD and Internal Endpoints/hosts

2.2. Create all of the hosts/static MACs under Users and Identity Stores > Internal Identity Stores > Hosts

2.3. Create an Authentication policy that allows MAB (PAP/ASCII > Detec PAP as Host Lookup) and the protocol that you are using for AD authentication (Usually PEAP or EAP-MD5). The policy should be using the previously created Identity Store Sequence that includes both AD and Internal Hosts

2.3. Create an Authorization policy that checks for both the membership of an AD group (For instance, domain computers or domain users) AND for device membership in "Local Hosts"

2.4. Return an "Authorization Profile" with desired permissions

Hope this helps!

Thank you for rating helpful posts!

Thank a lot Neno. I will try

jayapraki — Tue, 30 Sep 2014 06:45:50 GMT

Thank a lot Neno. I will try and update the same.

No problem. Btw, a couple of

nspasov — Tue, 30 Sep 2014 07:28:02 GMT

No problem. Btw, a couple of corrections:

1. The identity store sequence does NOT need to include "internal hosts" I just tested this (ISE only again) and AD only is OK. I believe you need this if you are going to do regular MAB

2. The SSID does not need to have "Mac Filtering" checked. Again, I just tested this in my lab with ISE and can confirm that it is not needed.

Everything else should be OK 🙂 I would test this with ACS but my lab is not integrated with it yet and I don't currently have time to do it. Maybe later in the week if time allows. Anyways, give it a try and see how far you can get. The nice thing about ACS 5 vs 4 is that you get a lot more log info so troubleshooting is much easier.

Thank you for rating helpful posts!

Re: No problem. Btw, a couple of

ittechk4u1 — Wed, 01 Aug 2018 07:41:33 GMT

Hi nspasov,
Could you please help me to et tup 802.1x with MAC filtering

1. I configured a SSID with 802.1x

2. Configured ISE rules

Authentication for : MAB

Autz: wireless dot1x and PEAP and Identity Group EQUALS TEST

Test is where my mac address is stored.

but still it not working...

Thanks