Mac Authentication Bypass List with Expiration dates

Hi everybody,

We are currently implementing Dot1x at my company, using Active Directory accounts and the Cisco Mobility Client with NAM module, as well as Mac Authentication Bypass lists for our non-supplicant capable devices.

We frequently have Contractors come on-site, and we would like to give them a 30-day period of wired network access via MAB. Is there a way to set an expiration date on a MAB list or will they need to be manually removed from the list?

Thanks in advance,

Dave


David,

What are you using as your RADIUS server?

thanks,

Tarik Admani
*Please rate helpful posts*


We are using Cisco Secure ACS 5.2


David,

You can make this work; however, the account disablement feature was reintroduced in ACS 5.3. What you can do for your MAB users is set the access policy to point to your internal users, configure accounts that have the MAC address as the username (i.e. 123456789012) and the same as the password, and you can set the account to expire. Also, ACS 5.4 is out, so your best bet would be just to upgrade to the latest code.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp195861

In the meantime, you can consider using ISE, since the guest services and RADIUS authentication are configured under the base license set. This will allow you to create user accounts in a guest portal, and you can push down ACLs for what a vendor would need access to.

thanks,

Tarik Admani
*Please rate helpful posts*
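
An added sketch of the bookkeeping behind the approach in the answer above (not code from the thread or from Cisco): it normalises contractor MAC addresses to the 12-hex-digit username form and flags accounts whose 30-day window has ended. The lowercase form, the function names and the sample data are assumptions.

```python
import re
from datetime import date, timedelta

ACCESS_DAYS = 30  # contractor window asked about in the thread

def normalize_mac(raw):
    """Return a MAC as 12 hex digits, no separators (e.g. 001a2b3c4d5e).
    Lowercase is an assumption: use the case your switches send in MAB requests."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def build_accounts(entries, today):
    """Map (mac, start_date) pairs to internal-user style records.
    A device listed twice in different notations keeps its first entry."""
    accounts, seen = [], set()
    for raw_mac, start in entries:
        mac = normalize_mac(raw_mac)
        if mac in seen:
            continue
        seen.add(mac)
        expires = start + timedelta(days=ACCESS_DAYS)
        accounts.append({"username": mac, "password": mac,
                         "expires": expires, "expired": today >= expires})
    return accounts

def to_disable(accounts):
    """Usernames whose access window has ended."""
    return [a["username"] for a in accounts if a["expired"]]

# Constructed sample data, not real devices.
SAMPLE = [
    ("00:1A:2B:3C:4D:5E", date(2024, 1, 2)),
    ("001a.2b3c.4d5e", date(2024, 1, 10)),   # same device, dotted notation
    ("00-1B-44-11-3A-B7", date(2024, 1, 20)),
]

if __name__ == "__main__":
    for acct in build_accounts(SAMPLE, date(2024, 2, 5)):
        state = "EXPIRED" if acct["expired"] else "active"
        print(acct["username"], acct["expires"].isoformat(), state)
```

A username stored in a different notation or case than the switch sends will not match, so normalising before account creation avoids both failed MAB logins and duplicate entries that outlive the intended expiry.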
