cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1661
Views
0
Helpful
3
Replies

802.1x certificate authentication & MAC authorization

darknair
Level 1
Level 1

I have ACS 5.8 and I am trying to use x509 authentication but use the devices mac addresses to identify which authorization policy the devices would match. I am not having any issues getting them to authenticate with the certificates but I can not figure out how to reasonably get them to uniquely match an authorization policy.

There are approx 3K devices and they are all separated throughout the network and require different vlan assignments. I would like to use their MAC addresses to uniquely identify each device for its authorization policy but I am uncertain how to do that with X509 authentication. I want all of my authentication and authorization to be handled by ACS with no external identity stores. If I could use the internal host identity store for authorization policy selection and x509 certificates for authentication then that would be ideal.

Is there a way to have an internal database of MACs or other uniquely identified information I could reference in the authorization policy? I have used MAB which references an identity group that is used in the authorization policy for uniquely assigning each device that connects.

Perfect scenario: A device starts 802.1x authentication and presents its certificate to ACS then ACS uses the devices MAC address to match it to an authorization policy to be assigned a authorization profile.

Thanks for any help!

3 Replies 3

Francesco Molino
VIP Alumni
VIP Alumni

Hi

I'm sorry but not understood what you want to achieve.

You have 3k devices and would like to apply 1 rule out mac address?

Anyhow, ACS have internal identity store for hosts and users. 

You're authenticating your devices through certificates. Who is your CA? Your AD? If yes, why not using group membership of hosts to apply specific authorization rules? 

What type of certificates are you using? User or machine?

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I think i have got it figured out. I will try and use end device filters to filter by mac address after certificate authentication. I can apply the end device filters in the authorization policy and that should do it.

Ok. Let me know if you need further help. 

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question