12-14-2009 12:17 AM - edited 03-10-2019 04:50 PM
Hello everyone!
I know there is a change in RADIUS to authenticate a user using his mac-address. Is it possible with TACACS?
12-14-2009 08:39 AM
MAC address authentication works only in an EAP protocol environment; TACACS does not support EAP.
Here is an old discussion about the above statement:
https://learningnetwork.cisco.com/message/8820
Hope this helps,
12-14-2009 10:13 AM
Thank you for your answer and the link.
Everyone says EAP is not supported in TACACS, but there is EAP configuration in TACACS, especially PEAP, LEAP, etc.
12-14-2009 10:46 AM
EAP for TACACS? Do you see it in ACS? Could you instruct us where that is?
12-14-2009 10:51 AM
Sure. Go to System Configuration, and then to Global Authentication Setup; you will find PEAP, LEAP and other EAP settings.
12-14-2009 11:05 AM
In this section we are not really looking at the TACACS options. We are actually looking at what the ACS Server supports for EAP authentication types:
ACS supports both protocols, RADIUS and TACACS, but TACACS does not support the EAP methods... so if we have a RADIUS client (switch, AP...) then we can set up MAC authentication. Please look at this example:
12-14-2009 11:12 AM
Ok, thank you.
So how can I configure MAC address based authentication with ACS to grant wireless access only to specific users?
12-14-2009 11:22 AM
Here is an example of how to set up an AP against ACS:
Complete these steps to set up the AP on the ACS:
On the ACS server, click Network Configuration on the left.
To add a AAA client, click Add Entry.
Enter these values in the boxes:
AAA Client IP Address—IP_of_your_AP
Key—Make up a key (make sure the key matches the AP shared secret key)
Authenticate Using—RADIUS (Cisco Aironet)
Click Submit & Restart.
Complete these steps:
From the ACS main menu, click on the User Setup button.
In the User text box, enter the MAC address to add to the user database.
Note: The MAC address must be exactly as it is sent by the AP for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is being reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.
On the User Setup screen, enter the MAC address in the Secure-PAP password text box.
Note: The MAC address must be exactly as it is sent by the AP for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is being reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.
Check the Separate (CHAP/MS-CHAP) box.
Enter a password for CHAP/MS-CHAP (this password should be different from the MAC address).
Click Submit.
Complete these steps:
Choose Security > Server Manager.
From the Current Server List drop-down list, choose RADIUS.
Enter the ACS IP address.
Enter the shared secret (must match the key in ACS).
Click Apply.
From the EAP Authentication drop-down list, choose the RADIUS server's IP address.
Click Apply.
Complete these steps for WEP encryption only:
Choose the SSID from the Current SSID List, or enter a new SSID in the SSID field.
Check the Open Authentication box.
From the drop-down list, choose with EAP.
Check the Network EAP box.
Click Apply.
Complete these steps for WEP encryption only:
Choose Security > Encryption Manager.
Click the WEP Encryption radio button.
From the drop-down list, choose Mandatory.
Click the Encryption Key 1 radio button.
Enter the key.
From the Key Size drop-down list, choose 128.
Click Apply.
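The note in the steps above says the username must match the MAC exactly as the AP sends it and warns about phantom characters from pasting. The following is an added example, not part of the original post: a Python check that compares configured usernames against a failed-attempts export and flags invisible characters and delimiter or case mismatches. The CSV column names and all sample values are constructed assumptions.

```python
import csv
import io
import string
import unicodedata

# Constructed failed-attempts CSV export; column names are assumed, not ACS's exact layout.
FAILED_ATTEMPTS_CSV = """Date,Time,User-Name,NAS-IP-Address
12/14/2009,11:40:02,0040.96a1.b2c3,192.0.2.10
12/14/2009,11:41:17,0040.96d4.e5f6,192.0.2.10
"""

CONFIGURED_USERS = [  # constructed sample of usernames entered in User Setup
    "0040.96a1.b2c3\u200b",  # pasted: carries a trailing zero-width space
    "00-40-96-D4-E5-F6",     # right MAC, wrong delimiter and case
    "0040.9611.2233",        # clean, but the AP never sent it
]

def hidden_chars(value):
    """List (index, Unicode name) of characters that are not hex digits or MAC delimiters."""
    allowed = string.hexdigits + ".:-"
    return [(i, unicodedata.name(c, f"U+{ord(c):04X}"))
            for i, c in enumerate(value) if c not in allowed]

def canonical(value):
    """Reduce a MAC string to 12 lowercase hex digits, or None if it is not a MAC."""
    digits = "".join(c for c in value if c in string.hexdigits).lower()
    return digits if len(digits) == 12 else None

def reported_macs(csv_text):
    """Map canonical MAC -> exact User-Name string the AP sent."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {canonical(r["User-Name"]): r["User-Name"]
            for r in rows if canonical(r["User-Name"])}

def audit(configured, csv_text):
    """Return (configured_name, status, as_sent_by_ap) for each configured user."""
    seen = reported_macs(csv_text)
    results = []
    for name in configured:
        sent = seen.get(canonical(name))
        status = ("hidden-chars" if hidden_chars(name) else
                  "not-seen" if sent is None else
                  "format-mismatch" if sent != name else "exact")
        results.append((name, status, sent))
    return results

if __name__ == "__main__":
    for name, status, sent in audit(CONFIGURED_USERS, FAILED_ATTEMPTS_CSV):
        print(f"{name!r:28} {status:16} AP sends: {sent}")
```

An entry reported as `exact` that still fails points at the password field, which per the steps above must carry the same MAC string.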
12-14-2009 11:34 AM
Thank you!