Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2867
Views
0
Helpful
8
Replies
fgasimzade
Enthusiast
Enthusiast
‎12-14-2009 12:17 AM
‎12-14-2009 12:17 AM

Mac address based authentication with TACACS

Hello everyone!

I know there is a change in RADIUS to authenticate a user using his mac-address. Is it possible with TACACS?

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
ansalaza
Beginner
Beginner
In response to fgasimzade
‎12-14-2009 11:22 AM
‎12-14-2009 11:22 AM

Here is an example on how to setup an AP against ACS:

Set Up the AP on the ACS

Complete these steps to set up the AP on the ACS:

  1. On the ACS server, click Network Configuration on             the left.

  2. To add a AAA client, click Add             Entry.

  3. Enter these values in the boxes:

    • AAA Client IP Address—IP_of_your_AP

    • Key—Make up a key (make sure the key matches the AP shared secret                 key)

    • Authenticate Using—RADIUS (Cisco Aironet)

  4. Click Submit & Restart.

MAC Authentication

Add a MAC Address to ACS

Complete these steps:

  1. From the ACS main menu, click on the User Setup button.

  2. In the User text box, enter the MAC address to add to the user             database.

    Note: The MAC address must be exactly as it is sent by the AP for both                 the username and the password. If authentication fails, check the failed                 attempts log to see how the MAC is being reported by the AP. Do not cut and                 paste the MAC address, as this can introduce phantom characters.

  3. On the User Setup screen, enter the MAC address in the Secure-PAP             password text box.

    Note: The MAC address must be exactly as it is sent by the AP for both                 the username and the password. If authentication fails, check the failed                 attempts log to see how the MAC is being reported by the AP. Do not cut and                 paste the MAC address, as this can introduce phantom characters.

  4. Check the Separate (CHAP/MS-CHAP) box.

  5. Enter a password for CHAP/MS-CHAP (this password should be             different from the MAC address).

  6. Click Submit.

IOS AP Web Interface

Complete these steps:

  1. Choose Security > Server             Manager.

  2. From the Current Server List drop-down list, choose             RADIUS.

  3. Enter the ACS IP address.

  4. Enter the shared secret (must match the key in             ACS).

  5. Click Apply.

  6. From the EAP Authentication drop-down list, choose the RADIUS             server's IP address.

  7. Click Apply.

SSID Manager (WEP Encryption Only)

Complete these steps for WEP encryption only:

  1. Choose the SSID from the Current SSID List, or enter a new SSID in             the SSID field.

  2. Check the Open Authentication box.

  3. From the drop-down list, choose with EAP.

  4. Check the Network EAP box.

  5. Click Apply.

Encryption Manager (WEP Encryption Only)

Complete these steps for WEP encryption only:

  1. Choose Security > Encryption             Manager.

  2. Click the WEP Encryption radio button.

  3. From the drop-down list, choose Mandatory.

  4. Click the Encryption Key 1 radio button.

  5. Enter the key.

  6. From the Key Size drop-down list, choose 128.

  7. Click Apply.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml#mac

View solution in original post

0 Helpful
8 REPLIES 8
ansalaza
Beginner
Beginner
‎12-14-2009 08:39 AM
‎12-14-2009 08:39 AM

The MAC Address authentication works only in an EAP Protocol environment, TACACS does not support EAP.

Here is an old discussion about the above statement:

https://learningnetwork.cisco.com/message/8820

Hope this helps,

0 Helpful
fgasimzade
Enthusiast
Enthusiast
In response to ansalaza
‎12-14-2009 10:13 AM
‎12-14-2009 10:13 AM

Thank you for your answer and the link.

Everyone says EAP is not supported in TACACS, but there is EAP configuration in TACACS, especially PEAP, LEAP and etc.

0 Helpful
ansalaza
Beginner
Beginner
In response to fgasimzade
‎12-14-2009 10:46 AM
‎12-14-2009 10:46 AM

EAP for TACACS? Do you see it in ACS? Could you instruct us where that is?

0 Helpful
fgasimzade
Enthusiast
Enthusiast
In response to ansalaza
‎12-14-2009 10:51 AM
‎12-14-2009 10:51 AM

Sure. Go to System Configuration, and then to Global Authentication Setup, you will find PEAP, LEAP and other EAP settings

0 Helpful
ansalaza
Beginner
Beginner
In response to fgasimzade
‎12-14-2009 11:05 AM
‎12-14-2009 11:05 AM

In this section we are not really looking at the TACACS options. We are actually looking at what the ACS Server supports for EAP authentication types:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp349274

ACS supports both protocols Radius and TACACS, but TACACS does not support the EAP methods...so if we have a Radius Client (Switch, AP...) then we can setup MAC authentication, please look at this example:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/standalone_mab_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1056526

0 Helpful
fgasimzade
Enthusiast
Enthusiast
In response to ansalaza
‎12-14-2009 11:12 AM
‎12-14-2009 11:12 AM

Ok, thank you.

So how can I configure MAC address based authentication with ACS to grand wireless access only to specific users?

0 Helpful
ansalaza
Beginner
Beginner
In response to fgasimzade
‎12-14-2009 11:22 AM
‎12-14-2009 11:22 AM

Here is an example on how to setup an AP against ACS:

Set Up the AP on the ACS

Complete these steps to set up the AP on the ACS:

  1. On the ACS server, click Network Configuration on             the left.

  2. To add a AAA client, click Add             Entry.

  3. Enter these values in the boxes:

    • AAA Client IP Address—IP_of_your_AP

    • Key—Make up a key (make sure the key matches the AP shared secret                 key)

    • Authenticate Using—RADIUS (Cisco Aironet)

  4. Click Submit & Restart.

MAC Authentication

Add a MAC Address to ACS

Complete these steps:

  1. From the ACS main menu, click on the User Setup button.

  2. In the User text box, enter the MAC address to add to the user             database.

    Note: The MAC address must be exactly as it is sent by the AP for both                 the username and the password. If authentication fails, check the failed                 attempts log to see how the MAC is being reported by the AP. Do not cut and                 paste the MAC address, as this can introduce phantom characters.

  3. On the User Setup screen, enter the MAC address in the Secure-PAP             password text box.

    Note: The MAC address must be exactly as it is sent by the AP for both                 the username and the password. If authentication fails, check the failed                 attempts log to see how the MAC is being reported by the AP. Do not cut and                 paste the MAC address, as this can introduce phantom characters.

  4. Check the Separate (CHAP/MS-CHAP) box.

  5. Enter a password for CHAP/MS-CHAP (this password should be             different from the MAC address).

  6. Click Submit.

IOS AP Web Interface

Complete these steps:

  1. Choose Security > Server             Manager.

  2. From the Current Server List drop-down list, choose             RADIUS.

  3. Enter the ACS IP address.

  4. Enter the shared secret (must match the key in             ACS).

  5. Click Apply.

  6. From the EAP Authentication drop-down list, choose the RADIUS             server's IP address.

  7. Click Apply.

SSID Manager (WEP Encryption Only)

Complete these steps for WEP encryption only:

  1. Choose the SSID from the Current SSID List, or enter a new SSID in             the SSID field.

  2. Check the Open Authentication box.

  3. From the drop-down list, choose with EAP.

  4. Check the Network EAP box.

  5. Click Apply.

Encryption Manager (WEP Encryption Only)

Complete these steps for WEP encryption only:

  1. Choose Security > Encryption             Manager.

  2. Click the WEP Encryption radio button.

  3. From the drop-down list, choose Mandatory.

  4. Click the Encryption Key 1 radio button.

  5. Enter the key.

  6. From the Key Size drop-down list, choose 128.

  7. Click Apply.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml#mac

0 Helpful
fgasimzade
Enthusiast
Enthusiast
In response to ansalaza
‎12-14-2009 11:34 AM
‎12-14-2009 11:34 AM

Thank you!

0 Helpful
Latest Contents
DOT1X IOS commands overview
Created by Meddane on 05-21-2022 03:14 PM
0
0
0
0
Radius server configuration for 802.1X   Server radius test1 Address ipv4 10.1.1.1 Key 1234 ! Server radius test2 Address ipv4 10.1.1.2 Key 1234 ! aaa group server radius TEST-gr  server name test1  server name test2 !      &... view more
Umbrella’s cloud-delivered firewall (CDFW)
Created by Meddane on 05-21-2022 03:04 PM
0
0
0
0
Umbrella’s cloud-delivered firewall (CDFW) is a cool features that provides Firewall Services in the Cisco Umbrella Cloud without the need to deploy on-premises firewall devices and visibility and control for internet traffic across all branch offices. To... view more
GRE over IPSec Crypto map versus Tunnel Protection (IPsec Pr...
Created by Meddane on 05-21-2022 03:01 PM
0
0
0
0
GRE over IPSec Crypto map   int tunnel 1ip add 172.16.1.1 255.255.255.0tunnel source G0/0tunnel destination 2.2.2.2!access-list 100 permit gre host 1.1.1.1 host 2.2.2.2!crypto ipsec transform-set TS esp-aes esp-sha-hmac!crypto map TESTset peer 2.2.2.... view more
ISE URL Redirection on IOS-XE
Created by Mohsin_Mohamed on 05-20-2022 01:04 PM
0
0
0
0
SymptomsDownloadable ACL (dACL) does not take effect on the IOS-XE Network Access DevicesDiagnosisCreating redirection ACL on the IOS-XE device failed to redirect the specified traffic for captive portal redirectionSolutionEnable device tracking, Below is... view more
Network Security All-in-one ASA FTD WSA Umbrella ISE VPN Lay...
Created by Meddane on 05-17-2022 06:18 AM
2
0
2
0
Multiple Cisco Security Technologies in a single book : ASA Firepower, WSA, Umbrella, ISE and VPN with 100 percent 100 practical scenarios with 70 Labs to cover important topics of the Cisco SCOR Exam. The best part is ISE with interesting scenarios wi... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube