02-10-2017 02:50 AM - last edited on 03-25-2019 05:35 PM by ciscomoderator
I have ACS 5.8 and I am trying to use x509 authentication but use the devices' MAC addresses to identify which authorization policy the devices would match. I am not having any issues getting them to authenticate with the certificates, but I cannot figure out how to reasonably get them to uniquely match an authorization policy.
There are approx 3K devices and they are all separated throughout the network and require different vlan assignments. I would like to use their MAC addresses to uniquely identify each device for its authorization policy but I am uncertain how to do that with X509 authentication. I want all of my authentication and authorization to be handled by ACS with no external identity stores. If I could use the internal host identity store for authorization policy selection and x509 certificates for authentication then that would be ideal.
Is there a way to have an internal database of MACs or other uniquely identified information I could reference in the authorization policy? I have used MAB which references an identity group that is used in the authorization policy for uniquely assigning each device that connects.
Perfect scenario: A device starts 802.1x authentication and presents its certificate to ACS, then ACS uses the device's MAC address to match it to an authorization policy to be assigned an authorization profile.
Thanks for any help!
02-11-2017 01:51 PM
Hi
I'm sorry, but I have not understood what you want to achieve.
You have 3k devices and would like to apply 1 rule based on MAC address?
Anyhow, ACS has an internal identity store for hosts and users.
You're authenticating your devices through certificates. Who is your CA? Your AD? If yes, why not use group membership of hosts to apply specific authorization rules?
What type of certificates are you using? User or machine?
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
02-11-2017 05:20 PM
I think I have got it figured out. I will try and use end device filters to filter by MAC address after certificate authentication. I can apply the end device filters in the authorization policy, and that should do it.
02-11-2017 06:38 PM
Ok. Let me know if you need further help.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question