
Cisco ACS 5.3 with Mac Authentication to users wireless

ivan.martin
Level 1

Hello my name is Ivan

I'm working with a Cisco WLC and ACS 5.3. I have two profiles (SSIDs), and one of them is working with web authentication; the accounts exist in the local database of the Cisco ACS.

I would like to know how I should configure MAC authentication on the Cisco ACS 5.3.

My purpose is to authenticate users first by MAC, and second by the local user account in the Cisco ACS.

Thanks for your answer.

Regards.

Ivan


Amjad Abdullah
VIP Alumni

Hello Ivan,

I am not sure if authentication by both mac and username is possible.

In ACS, usernames are saved in the "internal users" identity group. MAC addresses are saved in "internal hosts".

Either the username or the MAC address can be sent to the ACS to check.
I am trying to find a way in ACS to build a policy that looks for both username and password, but I couldn't find something that helps.

When you enable MAC filtering, your MAC address is sent to the ACS server rather than the username, so you need to configure the ACS to look for the MAC address in the local hosts (you must configure the MAC addresses there).

But I am not able to find any way to check both the username and the MAC address at the same time.

I tried for half an hour to look for any valid document that says something else, but I could not find any.

I think it is not possible. Sorry.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

"I think it is not possible. Sorry."

I think it is possible, sorry.

Check the identity policy.

Leave the authorization at default.

Make sure that the host MAC address is added to the internal hosts store,

and the users to be authenticated to internal users.

The trick is with the Service-Type attribute.

It should work, as it worked for me like a charm.

Cisco products always rock, as well as TAC engineers.

----------------------------------------------------------------------------------------------------------

Please make sure to rate correct answer and mark this thread as answered right now

If it works then that is amazing.

Can you please elaborate more on how it will work?

Will the client send two separate requests, one for the user and one for the MAC? Apparently not. It only sends one auth request with the username.

Now, one of the rules will match and the auth will be successful. This is one auth check (username).

How will the MAC address be checked at this point?

Can you please elaborate?

Rating useful replies is more useful than saying "Thank you"

Thanks Mohammad ,

Your suggestion looks pretty cool. It is not strange for you to reproduce the problem in an actual lab; you know ACS and WLC very, very well. You never say something that doesn't work.

+5 is nothing, but you deserve infinite thanks all the time.

Keep going .

BR

Hussam

Whenever there is a network issue, the TAC engineer is the man; what would happen if this were an escalation engineer??

Mohammad, that was a really great answer, thanks.

I believe if anyone needs more clarification, he can just ask to open a TAC case and make sure Mohammad Al dehne is assigned to it.

I still don't believe that it works, because it looks simply like an OR scenario, not an AND scenario.

Can you please describe how it works?

When one rule is matched, auth stops with that specific rule and does not go on to the second rule, right? So if MAC auth worked, then user auth will not be tested.

It does not look at all like it checks BOTH the username AND the MAC address.

Unless you explain it better to my difficult brain, my lovely friend. ;-)

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

If you don't believe something and you have doubts about it, the best way is to verify it.

This is what we normally call an active thinking process, where you doubt everything and then verify it yourself.

Nevertheless, I will prove it to you, my dear friend.

First of all, to get it we should stand on the following fact:

how the WLC is going to communicate with the RADIUS server in case we have MAC authentication with EAP.

First: the controller is going to send a RADIUS Access-Request with the Service-Type attribute set to Call-Check.

The ACS will verify whether the MAC address is listed in a certain identity store or not, based on the policy defined there.

Once the MAC address is found, the ACS, as we know, is going to move to the authorization policy and will say OK, based

at least on the default rule (as I have done in my example).

But wait, your controller is not going to move beyond the L2AUTHCOMPLETE state in its state machine; the client will be stuck there since we have dot1x enabled.

At that time the WLC is going to send a RADIUS Access-Request again to the ACS, this time with the Service-Type attribute set to the Framed value. So a new EAP authentication is triggered here, and the process goes normally.

Eventually we will have a RADIUS Accept, and at this time the controller will say welcome to the club my friend, you are authenticated, so move forward.

That's all, brother.

If you do have more questions I will be more than happy to answer you.

BTW, this is a tested configuration, believe it or not.

------------------------------------------------------------------------------------

Your sincere appreciation is the best thing i would get ever

Dear Mohammad,

Thank you for your phone call.
Now, after your explanation during the call I understood how things work.

I'll also try to test the other scenarios (like the one posted by me earlier) to see if they also work. If it works, though, it will check the MAC address without enabling MAC filtering on the SSID.

It would be worth explaining it here so that it is useful for everyone.

Now, all I hope from the original discussion owner is to mark your post as "answered".

Greetings,

Amjad

Rating useful replies is more useful than saying "Thank you"

Amjad Abdullah
VIP Alumni

I am thinking of one way to get it to work:

- Add your mac list in the internal hosts.

- The identity group should look for the user (either in internal or external identity groups).

- The auth profile can be configured with a compound condition to match the RADIUS-IETF Calling-Station-ID attribute with any of the internal hosts.

This way users should gain access IF AND ONLY IF their mac addresses are added in the internal host list.

THIS DOES NOT NEED YOU TO ENABLE MAC FILTERING IN THE SSID.

I think it should work this way. (if it does not work with dynamic compound condition it will surely work with static value and creating one rule per mac address).

Rating useful replies is more useful than saying "Thank you"
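The two mechanisms discussed in this thread, modelled end to end as an added example (this is not code from the thread, from Cisco, or from any of the posters): Mohammad's tested flow, where MAC filtering plus 802.1X on the SSID makes the WLC send two separate Access-Requests (Service-Type=Call-Check for the MAC against Internal Hosts, then Service-Type=Framed for the user against Internal Users, with the client parked in L2AUTHCOMPLETE in between), and Amjad's proposed alternative, where a single Framed request is additionally checked by an authorization rule on Calling-Station-Id. The RADIUS packet layout, attribute numbers and Service-Type values are the real RFC 2865 ones; the shared secret, the two identity stores, the MAC/username formats and the replacement of EAP by a plain password check are constructed assumptions for illustration.

```python
"""Added example (not from the thread or from Cisco): offline model of the two ways the
thread proposes to make a WLC + ACS 5.3 check BOTH the client MAC and the user credential.
RFC 2865 layout/values are real; secret, stores, MAC format and EAP-as-password are assumed."""
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3            # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
SERVICE_TYPE_FRAMED, SERVICE_TYPE_CALL_CHECK = 2, 10              # RFC 2865 Service-Type values

SECRET = b"constructed-shared-secret"           # assumed WLC<->ACS shared secret
INTERNAL_HOSTS = {"001122334455"}               # ACS "internal hosts" store (sample data)
INTERNAL_USERS = {"ivan": "Secret123"}          # ACS "internal users" store (sample data)


def norm_mac(mac):
    """Reduce any delimiter style (aa:bb, aa-bb, aabb.cc) to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def hide_password(plain, req_auth):
    """RFC 2865 5.2 User-Password hiding: chained MD5(secret + previous block) XOR."""
    padded = plain + b"\x00" * ((-len(plain)) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(SECRET + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, req_auth):
    """Inverse of hide_password (what the ACS does with the received attribute)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(SECRET + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:                          # attributes are type / length / value
        t, l = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, pkt[4:20], attrs


def acs_handle(pkt, mac_rule_in_authz=False):
    """Toy ACS 5.3 policy: identity store chosen by Service-Type, authorization = default."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    username = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], req_auth).decode()
    service_type = struct.unpack("!I", attrs[SERVICE_TYPE])[0]
    if service_type == SERVICE_TYPE_CALL_CHECK:
        ok = norm_mac(username) in INTERNAL_HOSTS          # MAB: identity policy -> Internal Hosts
    else:
        ok = INTERNAL_USERS.get(username) == password      # EAP stand-in: identity -> Internal Users
        if ok and mac_rule_in_authz:                       # Amjad's alternative: authz rule on
            calling = norm_mac(attrs.get(CALLING_STATION_ID, b"").decode())
            ok = calling in INTERNAL_HOSTS                 # Calling-Station-Id vs. Internal Hosts
    hdr = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return hdr + hashlib.md5(hdr + req_auth + SECRET).digest()   # Response Authenticator


def wlc_send(ident, username, password, service_type, mac, **acs_opts):
    """One WLC Access-Request / ACS response round trip; True on Access-Accept."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), req_auth)),
             (SERVICE_TYPE, struct.pack("!I", service_type)),
             (CALLING_STATION_ID, mac.encode())]
    reply = acs_handle(build_packet(ACCESS_REQUEST, ident, req_auth, attrs), **acs_opts)
    code, rid, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + SECRET).digest()
    if rid != ident or resp_auth != expected:    # never trust an unauthenticated verdict
        raise ValueError("bad RADIUS Response Authenticator")
    return code == ACCESS_ACCEPT


def wlc_client_join(mac, username, password, mac_filtering=True, mac_rule_in_authz=False):
    """WLC client state machine as the thread describes it; returns the final client state."""
    if mac_filtering:
        # Step 1: MAC filtering -> Service-Type=Call-Check, User-Name/Password = MAC (assumed format)
        if not wlc_send(1, norm_mac(mac), norm_mac(mac), SERVICE_TYPE_CALL_CHECK, mac):
            return "REJECTED_MAC"
        # Accepted, but with dot1x on the SSID the client is parked in L2AUTHCOMPLETE here
    # Step 2: dot1x -> Service-Type=Framed with the real user (EAP abstracted to a password)
    if not wlc_send(2, username, password, SERVICE_TYPE_FRAMED, mac,
                    mac_rule_in_authz=mac_rule_in_authz):
        return "REJECTED_USER"
    return "RUN"                                  # both checks passed: client is authenticated


if __name__ == "__main__":
    good, bad = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    print(wlc_client_join(good, "ivan", "Secret123"))                       # RUN
    print(wlc_client_join(bad, "ivan", "Secret123"))                        # REJECTED_MAC
    print(wlc_client_join(bad, "ivan", "Secret123", mac_filtering=False))   # RUN: MAC never checked
```

The fourth scenario is the one Amjad's objection is about: with a single Framed request and no MAC filtering, nothing in the default policy ever looks at the MAC, so a good password alone yields RUN. The AND comes either from the WLC state machine (two sequential requests, both of which must be accepted) or from an explicit authorization condition on Calling-Station-Id (`mac_rule_in_authz=True`), never from the identity policy alone.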

Hello Amjad Abdullah, Madelhne, Mohammad Abo, Hussaim Khrais, thanks for your answers.

I don't understand you very well; could you please give me a summary of the advice to resolve the issue?

Regards

Ivan