12-22-2017 10:32 AM
Hi experts,
I have a customer that wants to understand if we can authenticate a user using both 802.1X AND MAC address authentication at the same time, i.e., not only make sure the user/pass is correct but that the MAC address of his device should be granted access.
Does the 802.1X RADIUS Message to ISE also include the MAC Address of the device so that we can also use that MAC Address as an additional layer of compliance to grant access?
Thanks in advance,
José
12-22-2017 10:38 AM
Yes, you would set up an authorization policy with a basic rule
If AllowedEndpoints and dot1x then permit access
12-22-2017 10:44 AM
To clarify and expand on comments to internal post, there is only one authentication (802.1X) in this scenario. As Jason noted, you can also validate the Calling-Station-Id (MAC address of LAN user) to an allowed list such as Endpoint Identity Group with specific permissions.
12-22-2017 10:46 AM
Great, thank you both for your quick replies!
12-22-2017 01:14 PM
This is assuming you have a system (import or API) to add endpoints and assign them to identity groups in place.
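The check discussed in this thread, as an added example that is not part of any reply and is not ISE code: it parses a RADIUS Access-Request, reads Calling-Station-Id (attribute 31), and permits only when the request is 802.1X and the MAC is in an allowed set. Treating the presence of EAP-Message as "dot1x", the function names, the user name and the MAC values are all assumptions made for the illustration.

```python
import string
import struct
CALLING_STATION_ID, EAP_MESSAGE = 31, 79  # RFC 2865 and RFC 3579 attribute types

def parse_attributes(packet):
    """Return {type: [values]} from a RADIUS packet; raise ValueError if malformed."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS header or length field")
    attrs, pos = {}, 20  # attributes start after the 20-byte header
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("truncated or malformed attribute")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def normalize_mac(raw):
    """Accept 00-11-22-33-44-55, 00:11:..., 0011.2233.4455; return 12 lowercase hex digits."""
    text = raw.decode("ascii", "replace")
    for sep in "-:.":
        text = text.replace(sep, "")
    if len(text) != 12 or any(c not in string.hexdigits for c in text):
        raise ValueError("Calling-Station-Id is not a MAC address")
    return text.lower()

def authorize(packet, allowed_endpoints):
    """Model of the rule 'AllowedEndpoints and dot1x': both conditions must hold."""
    try:
        attrs = parse_attributes(packet)
        macs = attrs.get(CALLING_STATION_ID, [])
        if EAP_MESSAGE not in attrs or len(macs) != 1:
            return False
        return normalize_mac(macs[0]) in allowed_endpoints
    except ValueError:
        return False  # fail closed on malformed input

def build_request(attrs):
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed sample data (hypothetical user and MAC addresses)
ALLOWED = {"001122334455"}
EAP_IDENTITY = b"\x02\x01\x00\x09\x01jose"  # EAP Response/Identity
DOT1X_KNOWN = build_request([(1, b"jose"), (31, b"00-11-22-33-44-55"), (79, EAP_IDENTITY)])
DOT1X_UNKNOWN = build_request([(1, b"jose"), (31, b"66-77-88-99-AA-BB"), (79, EAP_IDENTITY)])
MAB_KNOWN = build_request([(1, b"001122334455"), (31, b"00-11-22-33-44-55")])
```

The MAC in Calling-Station-Id is a value reported in the request, not a credential, so this is an extra authorization condition on top of the single 802.1X authentication rather than a second authentication.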