MAC Authentication Bypass List with Expiration dates

david.owen
Level 1

Hi everybody,

We are currently implementing Dot1x at my company, using Active Directory accounts and the Cisco Mobility Client with NAM module, as well as MAC Authentication Bypass lists for our non-supplicant capable devices.

We frequently have contractors come on-site, and we would like to give them a 30-day period of wired network access via MAB. Is there a way to set an expiration date on a MAB list, or will they need to be manually removed from the list?

Thanks in advance,

Dave


Tarik Admani
VIP Alumni

David,

What are you using as your RADIUS server?

thanks,

Tarik Admani
*Please rate helpful posts*

We are using Cisco Secure ACS 5.2

David,

You can make this work; however, the account disablement feature was reintroduced into ACS 5.3. What you can do for your MAB users is set the access policy to point to your internal users, configure accounts that have the MAC address as the username (i.e. 123456789012) and the same as the password, and you can set the account to expire. Also, ACS 5.4 is out, so your best bet would be just to upgrade to the latest code.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp195861

In the meantime, you can consider using ISE, since the guest services and RADIUS authentication are configured under the base licenses set. This will allow you to create user accounts in a guest portal, and you can push down ACLs to what a vendor would need access to.

thanks,

Tarik Admani
*Please rate helpful posts*
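
An added example (not part of the original thread, and not Cisco code): a small audit helper for the approach in the answer above, where each MAB device is an internal user whose username is its MAC address. It normalizes MACs to the 12-character username form, applies the 30-day window from the question, and lists accounts that are past or near expiry; lowercase usernames, the 5-day warning threshold and the sample entries are assumptions.

```python
import re
from datetime import date, timedelta

ACCESS_DAYS = 30  # contractor access window from the question


def mac_to_username(mac: str) -> str:
    """Normalize colon, hyphen or dotted MAC notation to 12 hex characters.
    Lowercase is an assumption: use whatever case your switches send for MAB."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def build_accounts(entries):
    """entries: iterable of (mac, owner, start_date) -> dict keyed by username."""
    accounts = {}
    for mac, owner, start in entries:
        user = mac_to_username(mac)
        if user in accounts:  # same device listed twice in different notations
            raise ValueError(f"duplicate MAC {user}: {owner}")
        accounts[user] = {"owner": owner,
                          "expires": start + timedelta(days=ACCESS_DAYS)}
    return accounts


def audit(accounts, today, warn_days=5):
    """Return (expired, expiring_soon) username lists as of 'today'."""
    expired, soon = [], []
    for user, acct in sorted(accounts.items()):
        remaining = (acct["expires"] - today).days
        if remaining <= 0:
            expired.append(user)
        elif remaining <= warn_days:
            soon.append(user)
    return expired, soon


# Constructed sample entries (not real devices)
SAMPLE = [
    ("00:1A:2B:3C:4D:5E", "contractor A", date(2024, 1, 2)),
    ("001a.2b3c.4d5f", "contractor B", date(2024, 1, 20)),
    ("00-1A-2B-3C-4D-60", "contractor C", date(2024, 2, 1)),
]

if __name__ == "__main__":
    expired, soon = audit(build_accounts(SAMPLE), today=date(2024, 2, 15))
    print("expired:", expired)
    print("expiring soon:", soon)
```

Run against an export of the internal user list, this flags entries that should already be disabled if the server-side expiry was not set.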