Cisco ACS 5.1 and MAC address identification/quarantining

brian.k.clarke
Level 5

A client is rolling out ACS 5.1, with the eventual intent of customizing network access based on Active Directory credentials (user/group, etc.) – ACLs and VLAN restrictions will be implemented as part of a “2nd phase” deployment. For NOW, all they want is the ability to isolate devices connecting to the network by MAC address, meaning: if it’s a recognized MAC address (corporate asset), then allow full access through the port. If it’s NOT a recognized MAC address (non-corporate asset), then place it in the guest network/VLAN.

I’m familiar with ACS operation, configuration of policies and authorization rules, and MAC Authentication Bypass (for devices that should not have to authenticate to gain access). What I don’t know for sure (and haven’t yet been able to find) is whether ACS has the ability to react simply to the MAC address and quarantine that host into a guest network.

Please confirm, and as always, reference links/docs are appreciated.

8 Replies

Tiago Antunes
Cisco Employee

Hi,

You can create a list of trusted MAC addresses on the ACS itself and use this as the DB.

If you want to perform authentication based on MAC address then you have to do MAB on the switch.

Here is a complete document about dot1x in switches with ACS 5:

https://supportforums.cisco.com/docs/DOC-13545.

HTH,

Tiago

--

If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.


Thanks,

Rajasekaran G.

Thanks for the response, Tiago.   I understand MAB, but my question concerns how the "non-trusted" MAC addresses will be handled.  Again, if a user plugs in a non-corporate laptop w/ an unrecognized MAC address (whether they have a running supplicant or not), I don't want them to see an authentication screen or anything - just move the box into the "guest" VLAN on the network.   If it IS a trusted MAC, then the 802.1x authentication should prompt for user credentials as normal.

Is this a possibility? "Unrecognized MAC = guest VLAN", right away. I haven't found a doc that really addresses this directly. (Plus, like I'd mentioned, this is an interim "Phase 1" solution - they intend to expand the ACS functionality down the road.)

Thanks again

Hi,

Yes, you have the option to place a port in different VLANs according to the result of the authentication attempt:

Here are the possible events that can occur:

http://www.cisco.com/en/US/partner/docs/switches/lan/catalyst3560/software/release/12.2_55_se/command/reference/cli1.html#wp11887556.

What you can do, for example, if the MAC address is unknown, is have the ACS return an Access-Reject message (authentication failed), and you can configure on the switchport:

authentication event fail action authorize vlan vlan-id

The result will be that all authentications that result in an Access-Reject will make the switch move the switchport to the configured VLAN (vlan-id).

HTH,

Tiago


Perfect - thank you!

OK, one more follow-up if I may... Reading into the "authentication event fail" command, it appears that this reacts to a client either 1) failing to provide the correct authentication credentials, and/or 2) being unable to provide EAPOL information (such as a client that has no supplicant).

I'm still focused on just the MAC address, though - let's say a non-corporate Windows 7 laptop is brought in by an actual AD user on this network.  So, the laptop has the AAA supplicant, and the user could provide valid AD credentials to the 802.1x process.   I STILL don't want the laptop to be allowed on the network, since the MAC address is not recognized -

Can this be done?  The MAC address is not on the "approved" list, so 802.1x authentication shouldn't even apply - quarantine the device into the guest VLAN.

Thanks again!

Hi,

The goal you want to achieve is possible but not with MAB.

What you want can easily be done if you do machine authentication rather than MAB.

With machine authentication you can have something called Machine Access Restriction, which means that both machine and user authentication have to be done for the user to have access to the network.

In this scenario, whenever a user tries to log in via dot1x, the ACS checks the machine on which the user is logging in, and the user authentication is only successful if the machine authentication was successful.

For this to work you have to register the machines in the domain as well as the users.

Machines that do not exist in the domain will fail machine authentication, and no user will be allowed to log in on that machine.

To configure this on the ACS you simply have to go to the Authorization part of the Access Policy, click "Customize" and add the Condition "Was machine authenticated", as I show in the image below:

Then, you create a new Rule and this Condition will be available:

On the client side you need to make sure that they do dot1x machine authentication.

This gives you a very fast way of securing both machines and users, so that only trusted machines (that exist in the domain) are allowed on the network and users can only access the network by logging in from a trusted machine.

HTH,

Tiago


I think that'll do it - thanks again!