01-17-2014 02:17 AM - edited 03-10-2019 09:17 PM
Hi,
I want to authenticate WLC clients and compare their MAC address with LDAP attributes.
We stored MAC address for each user in our LDAP server.
I have to retrieve MAC address stored by ACS in policy rules to compare with LDAP value.
The only attribute containing the MAC address I found is "Calling-Station-ID" in "RADIUS-IETF" dictionary.
I don't know if this attribute will always be the MAC address...
Is it possible to retrieve an attribute "MAC address"?
Thanks for your help,
Patrick
01-17-2014 10:13 PM
If you are using 802.1x or MAC filtering, the device username is used as the MAC address, or the calling-station-id. The time you will not see the MAC address is when you are doing local web auth with external authentication to ACS. Also for VPN users you see this, and also in auth-proxy conditions.
For WLC and dot1x the MAC address is always used for the calling-station-id.
Hope this helps.
Tarik Admani
*Please rate helpful posts*
01-19-2014 10:38 PM
Tarik - I did not understand this:
"the device username is used as the mac address"
what do you exactly mean?
Rating useful replies is more useful than saying "Thank you"
01-19-2014 10:49 PM
I was referring to the mac-filtering operation and how the WLC will send the MAC address as the username and password to the RADIUS server. I was referring to the device as the WLC and not the client, which led to the confusion on my end.
Thanks for bringing this up for clarification.
Tarik Admani
*Please rate helpful posts*
01-19-2014 11:10 PM
Thanks Tarik for clarification.
But I am a bit confused now.
You said that the device MAC address is used instead of the username, and you mean the WLC when you say the device? Am I understanding correctly?
Or (what I think you mean is) the WLC sends the user's request and puts the user's MAC address instead of the username when it sends the request to the ACS. Right?
One question on the side: how will it behave if you have both 802.1x (with EAP) and MAC filter configured under the SSID of the WLC?
Thanks.
Amjad
Rating useful replies is more useful than saying "Thank you"
01-19-2014 11:42 PM
"Or (what I think you mean is) the WLC sends the user's request and puts the user's MAC address instead of the username when it sends the request to the ACS. Right?"
That is correct.
"One question on the side: how will it behave if you have both 802.1x (with EAP) and MAC filter configured under the SSID of the WLC?"
I have not tested the EAP portion, but this is documented to be an "AND" scenario where both should succeed in order for access to be granted. I have tested this where PSK will work in conjunction with mac-filtering.
I know in my experience when I leverage RADIUS NAC (for ISE deployments), I can only use mac-filtering and not any other form of PSK or EAP with mac-filtering. I don't know if this has changed since I tested this on the 7.4 release.
thanks,
Tarik Admani
*Please rate helpful posts*
01-20-2014 12:12 AM
Well,
The point is, if you'd like to choose 802.1x with MAC filtering with ACS 5.x for example, there will be only one policy that will match the request; either 802.1x or MAC, but not both.
This is the challenging point.
Rating useful replies is more useful than saying "Thank you"
04-17-2015 10:44 AM
Hi,
Have you configured the ACS policy as per your requirement? I am also stuck in such a situation where I need authentication based on MAC addresses stored in the ACS database and AD authentication. If you have configured these policies, please suggest.
Kamlesh
01-20-2014 07:45 AM
Hi Tarik,
Thanks for your quick reply.
In my case, I want users to authenticate with login/password of our LDAP server.
But, to enforce security, I would like to check their MAC Address that is stored in our LDAP.
On ACS, I configured LDAP Authentication.
Then I configured a policy rule "RADIUS-IETF:Calling-Station-ID equals LDAP:mac-attribute" and it worked without problem.
I wanted to know if there is another attribute than RADIUS-IETF:Calling-Station-ID which stores the MAC address.
I was not sure that RADIUS-IETF:Calling-Station-ID always means MAC address.
Thanks again,
Patrick
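An added example (not from this thread and not Cisco ACS code) that shows the comparison Patrick describes done in code: it parses the RADIUS attribute section of an Access-Request, normalizes the Calling-Station-Id to a canonical form so separator differences between what the NAS sends and what LDAP stores do not silently break an "equals" rule, and checks Tarik's MAC-filtering case where User-Name carries the same MAC. The attribute encoding follows RFC 2865; the accepted MAC formats, the fail-closed behaviour and the sample values are assumptions made here.

```python
import re
import struct

# RADIUS attribute type codes from RFC 2865.
USER_NAME = 1
CALLING_STATION_ID = 31

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and bare aabbccddeeff (assumed formats).
MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}"
                    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|[0-9a-f]{12}")

def parse_avps(attrs: bytes) -> dict:
    """Parse a RADIUS attribute section into {type: [raw values]}; reject malformed TLVs."""
    out, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        t, length = attrs[i], attrs[i + 1]
        out.setdefault(t, []).append(attrs[i + 2:i + length])
        i += length
    return out

def normalize_mac(value: str):
    """Canonical 12-hex-digit form, or None when the value is not a MAC at all
    (Calling-Station-Id may carry a phone number or IP for VPN or web-auth sessions)."""
    v = value.strip().lower()
    if not MAC_RE.fullmatch(v):
        return None
    return re.sub(r"[^0-9a-f]", "", v)

def mac_matches_ldap(attrs: bytes, ldap_mac: str) -> bool:
    """The 'Calling-Station-ID equals LDAP:mac-attribute' rule, tolerant of separator style."""
    csid = parse_avps(attrs).get(CALLING_STATION_ID)
    if not csid:
        return False  # no MAC presented at all: fail closed rather than skip the check
    sent = normalize_mac(csid[0].decode("ascii", "replace"))
    stored = normalize_mac(ldap_mac)
    return sent is not None and sent == stored

def is_mac_filter_request(attrs: bytes) -> bool:
    """WLC MAC filtering sends the client MAC as User-Name as well as Calling-Station-Id."""
    avps = parse_avps(attrs)
    if USER_NAME not in avps or CALLING_STATION_ID not in avps:
        return False
    user, csid = (normalize_mac(avps[k][0].decode("ascii", "replace"))
                  for k in (USER_NAME, CALLING_STATION_ID))
    return user is not None and user == csid

def build_attrs(pairs) -> bytes:  # constructed sample input: (type, value) pairs -> RADIUS TLVs
    return b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in pairs)
```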