1414 Views | 0 Helpful | 8 Replies

802.1x MAC-Address Based Authentication

mhernandez11
Level 1

I am wondering if we are going to see, or now have, the ability to authenticate hosts on the LAN with something other than a username/password? I am mostly concerned with ports on my network where the end device is a non-802.1x-compliant device. Anyone have any insight as to what others are doing? Currently I am running ACS 3.3.2 and I am very successful in deploying 802.1x to ports on my LAN; however, we run a mix of Unix-based devices which are vendor supported, and printers are another source of concern.

??? :)

8 Replies

rmihalcin
Level 1

mhernandez11

You could use VMPS, which is MAC-address authentication, for those fixed devices. You would have to track the ports down and change the port type to "switchport access vlan dynamic". The other thing that comes to mind is switchport port security for the printers.

Bob
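To make the two suggestions above concrete, here is an added Cisco IOS configuration example (not from any poster in this thread). It assumes a VMPS server at 10.0.0.5 and a printer VLAN 20; both values are constructed placeholders. The first interface uses port security to pin a printer port to a single learned MAC address, and the second is a VMPS client port whose VLAN is assigned dynamically by MAC address, which is the "switchport access vlan dynamic" port type mentioned above.

```cisco
! --- VMPS client settings (global) ---
! Constructed example: the VMPS server address is a placeholder.
vmps server 10.0.0.5 primary
! Re-check the VMPS server's decision every 60 minutes so a
! moved or spoofed device does not keep its VLAN indefinitely.
vmps reconfirm 60
!
! --- Printer port: non-802.1x device pinned with port security ---
interface FastEthernet0/10
 description Printer (non-802.1x capable) - constructed example
 switchport mode access
 switchport access vlan 20
 switchport port-security
 ! Only one MAC address may be learned on this port.
 switchport port-security maximum 1
 ! "sticky" writes the first learned MAC into the running config,
 ! so it survives a link flap without hand-typing the address.
 switchport port-security mac-address sticky
 ! "restrict" drops frames from any other MAC and logs a violation
 ! counter instead of shutting the port (use "shutdown" if you
 ! would rather have the port err-disable and page the helpdesk).
 switchport port-security violation restrict
 spanning-tree portfast
!
! --- VMPS-assigned port: VLAN chosen by MAC address ---
interface FastEthernet0/11
 description VMPS dynamic-VLAN port - constructed example
 switchport mode access
 switchport access vlan dynamic
!
```

Useful checks afterwards are `show port-security interface FastEthernet0/10` (confirms the sticky address and violation count) and `show vmps` (confirms the client can reach the server and when it last reconfirmed). Note that port security only binds a MAC address to a port; it does not authenticate the device, so a spoofed MAC would still be accepted, which is the same limitation any MAC-based scheme carries.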

VMPS is not available on Cisco IOS on switches. All of our switches are running in native mode (Cisco IOS), so we lost all VMPS capabilities; only 802.1x remains.

mhernandez11

The VMPS "server" has to be Catalyst OS, not the client switches. The "switchport" command is native IOS. I don't know how many devices you have, but you just need to run Catalyst code on 1 or 2 switches as the servers.

And how about switchport security?

Bob

We have absolutely no devices running CatOS; that's the reason I am wondering about 802.1x, because we are successfully deploying that amongst all of our end point devices. I have read that in wireless there is MAC address based authentication through LEAP.

Bob, mhernandez11,

Depends too, on how big your VMPS config database is...

It can get unmanageable and in my (little) experience requires constant watching.

Josef.

It is a management nightmare. Additionally, I am concerned about the MAC address based authentication in 802.1x because of the same issues; however, it will be a smaller group of devices such as printers and other non-compliant equipment.

ericds
Level 1

We had pretty good luck using a ColdFusion front end that forces users to authenticate with their AD credentials. It pulls the MAC address, host name, and user/machine details and puts them in an ODBC database.

We modified the sample stub routine to have the CSDB stub routine add the MAC to the local database in the PAP field.

Kind of a nice compromise of identity and machine based authentication without the complexities of PEAP/EAP-FAST etc.

Eric,

Sounds like you have a pretty nifty operation going there.

Was it written in-house? How much effort do you put into maintaining the database?

JG.