09-25-2014 10:32 PM - edited 03-10-2019 10:03 PM
HI,
Can anyone clarify whether we can do both MAC address authentication and RADIUS server authentication in the wireless network? In my network I have a WLC, ACS and an AD server.
Thanks & Regards,
Jayaprakash.K.V
09-26-2014 12:00 AM
What do you mean by "Radius Server Authentication" ?
09-26-2014 12:05 AM
I mean the AD authentication.
09-28-2014 02:07 AM
Ah ok :) So yes, you should be able to perform your user or machine based authentication against AD and also check the MAC address against the database of your RADIUS server. I have personally done this with both ISE and ACS. In the WLC you will set your regular 802.1x settings and also check "MAC Filtering." Then you have to make sure that your RADIUS servers are configured on the WLC and set to be used by that SSID, otherwise the MAC filtering mechanism will use the WLC's local database.
Hope this helps!
Thank you for rating helpful posts!
09-28-2014 09:58 PM
Thank you Neno Spasov.
Will this work without ISE? Can you please share any relevant document.
Thanks in advance.
09-28-2014 11:25 PM
What do you plan to use for Radius server?
09-28-2014 11:28 PM
I am using ACS 4.3 and planning to upgrade to 5.3 now.
09-29-2014 11:38 PM
I haven't done it with ACS but it should be similar to ISE:
1. You configure your WLAN settings with the appropriate 802.1x settings. In addition, under Security > Layer 2, you need to check "MAC Filtering." Then under the AAA Servers tab, make sure that your ISE server(s) are listed under both Authentication and Accounting.
2. In ACS, you will need to:
2.1. Create an Identity Store Sequence that includes both AD and Internal Endpoints/Hosts.
2.2. Create all of the hosts/static MACs under Users and Identity Stores > Internal Identity Stores > Hosts.
2.3. Create an Authentication policy that allows MAB (PAP/ASCII > Detect PAP as Host Lookup) and the protocol that you are using for AD authentication (usually PEAP or EAP-MD5). The policy should be using the previously created Identity Store Sequence that includes both AD and Internal Hosts.
2.4. Create an Authorization policy that checks for both the membership of an AD group (for instance, Domain Computers or Domain Users) AND for device membership in "Local Hosts".
2.5. Return an "Authorization Profile" with the desired permissions.
Hope this helps!
Thank you for rating helpful posts!
09-29-2014 11:45 PM
Thank a lot Neno. I will try and update the same.
09-30-2014 12:28 AM
No problem. Btw, a couple of corrections:
1. The identity store sequence does NOT need to include "Internal Hosts." I just tested this (ISE only again) and AD only is OK. I believe you need this if you are going to do regular MAB.
2. The SSID does not need to have "MAC Filtering" checked. Again, I just tested this in my lab with ISE and can confirm that it is not needed.
Everything else should be OK :) I would test this with ACS but my lab is not integrated with it yet and I don't currently have time to do it. Maybe later in the week if time allows. Anyway, give it a try and see how far you can get. The nice thing about ACS 5 vs 4 is that you get a lot more log info, so troubleshooting is much easier.
Thank you for rating helpful posts!
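As an added illustration of the policy described in the steps above and refined in the corrections (not code from this thread, and not ACS or ISE code), the following toy RADIUS-side evaluator models the combined rule: a wireless 802.1x session is authorized only if the AD identity is in an allowed group AND the client MAC is a known endpoint, while a request detected as a host lookup (MAB) is decided on the MAC alone. The endpoint list, AD group mapping and attribute values are constructed sample data; the group lookup is an assumed stand-in for what ACS/ISE resolve against AD. One practical detail the thread does not spell out is shown explicitly: WLCs send the client MAC as Calling-Station-Id in a format that may differ from how the static host entry was typed, so the MAC is normalized before comparison.

```python
import re
from dataclasses import dataclass

# --- Constructed sample data (stand-ins for ACS Internal Hosts and AD) -------
# Static MAC entries, deliberately typed in mixed formats, as an admin might.
INTERNAL_HOSTS = {"00-1A-2B-3C-4D-5E", "001a.2b3c.4d5f", "00:1A:2B:3C:4D:60"}
# Assumed AD directory: identity -> groups. Real ACS/ISE resolve this against AD.
AD_GROUPS = {
    "host/LAPTOP-01.corp.example": {"Domain Computers"},
    "CORP\\jayaprakash": {"Domain Users"},
    "CORP\\contractor": {"Contractors"},
}
ALLOWED_AD_GROUPS = {"Domain Computers", "Domain Users"}


def normalize_mac(raw: str) -> str:
    """Reduce aa-bb-cc-dd-ee-ff / aabb.ccdd.eeff / AABBCCDDEEFF to a single
    canonical form; a static host entry in one format must still match a
    Calling-Station-Id sent in another."""
    hexonly = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexonly) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexonly[i:i + 2] for i in range(0, 12, 2))


KNOWN_MACS = {normalize_mac(m) for m in INTERNAL_HOSTS}


@dataclass
class AccessRequest:
    """The subset of RADIUS attributes the policy looks at (constructed)."""
    user_name: str
    calling_station_id: str
    service_type: str          # "Framed" for 802.1x, "Call-Check" for MAB
    nas_port_type: str = "Wireless-802.11"


def is_mab(req: AccessRequest) -> bool:
    """Model of 'Detect PAP as Host Lookup': treat the request as MAB when the
    User-Name is just the client's own MAC (Service-Type Call-Check is the
    other common signal)."""
    if req.service_type == "Call-Check":
        return True
    try:
        return normalize_mac(req.user_name) == normalize_mac(req.calling_station_id)
    except ValueError:
        return False


def evaluate(req: AccessRequest):
    """Return ('ACCEPT', profile) or ('REJECT', reason).
    Wireless 802.1x: AD group check AND MAC must be a known endpoint.
    MAB: known endpoint is sufficient (plain MAB)."""
    try:
        mac = normalize_mac(req.calling_station_id)
    except ValueError:
        return ("REJECT", "malformed Calling-Station-Id")
    mac_known = mac in KNOWN_MACS
    if is_mab(req):
        return ("ACCEPT", "MAB-Access") if mac_known else ("REJECT", "MAC not in internal hosts")
    if req.nas_port_type != "Wireless-802.11":
        return ("REJECT", "not a wireless dot1x session")
    groups = AD_GROUPS.get(req.user_name)
    if groups is None:
        return ("REJECT", "identity not found in AD")
    if not groups & ALLOWED_AD_GROUPS:
        return ("REJECT", "AD identity not in an allowed group")
    if not mac_known:
        return ("REJECT", "AD auth OK but MAC not in internal hosts")
    return ("ACCEPT", "Corp-WiFi-Access")


if __name__ == "__main__":
    for r in (
        AccessRequest("host/LAPTOP-01.corp.example", "00-1a-2b-3c-4d-5e", "Framed"),
        AccessRequest("CORP\\jayaprakash", "00:1A:2B:3C:4D:61", "Framed"),
        AccessRequest("001a2b3c4d5f", "00-1A-2B-3C-4D-5F", "Framed"),
    ):
        print(r.user_name, r.calling_station_id, "->", evaluate(r))
```

The second request in the usage block is the case the thread is really about: the AD authentication succeeds, but the MAC is not in the endpoint store, so the session is rejected with a reason that points straight at the missing host entry. When debugging a failing setup, check which of those two conditions is the one that fails before touching the WLC configuration.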
08-01-2018 12:41 AM
Hi nspasov,
Could you please help me to set up 802.1x with MAC filtering?
1. I configured an SSID with 802.1x
2. Configured ISE rules
Authentication for: MAB
AuthZ: wireless dot1x and PEAP and Identity Group EQUALS TEST
TEST is where my MAC address is stored.
But it is still not working...
Thanks
09-29-2014 08:58 AM
Tips to make Machine Authentication Work - PEAP Authentication
https://supportforums.cisco.com/document/87611/tips-make-machine-authentication-work-peap-authentication