
802.1x mac based authentication

Billy Dodson
Level 1

We have Cisco ACS 3.3. Is there a way to do authentication based on MAC address, instead of username and password? We are looking to stop things such as user-purchased access points and whatnot. Any info would be great.


scottosan
Level 1

The ACS will do MAC authentication, but it will not solve the rogue AP problem. To accomplish MAC authentication it is necessary to configure the ACS and the AP. Any attempts made to connect through an AP that has been configured for MAC authentication will not be allowed unless they have an account on ACS. As for controlling the rogues, I can only suggest using port security on your switches.

If the ACS will do MAC authentication, I am confused as to why this would not solve the rogue AP problem. If any device was plugged into the switch that was not configured for access in the ACS server, could you not force it into some sort of guest VLAN?

Yes, you are right, I misunderstood you. I was under the impression that you were talking about doing MAC-based authentication on your APs, not the switches. That is why I made mention of port security.

The 2 options would be standard port security or 802.1X port security if your switches support this.

In order to use the 802.1X port security, your switch would need to support it and the clients connecting to the switch would require a supplicant (EAP-TLS, EAP-TTLS, etc.) in order for them to work, not by MAC address alone.

You can configure standard port security on the switch which will accomplish your intentions and not even need to use the ACS server.

Standard port-based security by MAC:

http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a008007d3ce.html

802.1X port-based security:

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801a6c72.html