01-25-2008 09:24 AM - edited 03-10-2019 03:37 PM
Hello everyone,
I am trying to get ACS to do MAC based authentication where, upon client connection, the switch forwards the MAC address of the client to ACS to either authorize or unauthorize the port. I need to do this in an agentless fashion as most of the devices are not Windows based. Problems:
1) Where to put the MAC address in ACS. I am getting told 2 different things. One way is to create a user with the MAC address as the username AND password, have ACS reference the internal database and I should be good. The second way I am being told is with Network Access Profiles: create a profile, then under "Authentication", enter the MAC address under Internal ACS DB.
So far both ways are still making the Windows based machines prompt for a user name and password. I can't have that. It has to be transparent to the end user. Can anyone point me in the right direction?
Thanks in advance! All replies rated.
01-25-2008 10:48 AM
You can go through MAC Auth bypass feature from following link:
12.2(37)SE - "Using IEEE 802.1x Authentication with MAC Authentication Bypass"
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12237se/scg/sw8021x.htm#wp1205506
Configuring MAC Auth bypass on 12.2(37)SE:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12237se/scg/sw8021x.htm#wp1196845
----------Commands Required on Switch--------------
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host
radius-server key
config t
interface
switchport access vlan
dot1x port-control auto
dot1x mac-auth-bypass
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
dot1x reauthentication
Create an AAA Client entry for the switch in ACS from the Network Configuration section.
And use the Authentication Protocol as RADIUS (Cisco IOS....)
And on ACS create an account for the client as,
Username : 0015c53ae40d
Password : 0015c53ae40d
If the MAC address of the client is 00-15-C5-3A-E4-0D
Regards,
~JG
01-29-2008 09:50 PM
Thanks. I can't get it working. I do have Network Device Groups configured. Do you have this in your setup? Could this be causing a problem?
01-30-2008 04:28 AM
Either the 802.1x client or the NAC client should be uninstalled or turned off before doing the test.
Regards
01-30-2008 04:25 AM
Just make sure the client is not installed or running on the Windows-based client, if you want to use MAC authentication.
Regards
01-30-2008 05:33 AM
Hi!
I was handling my last project with an AP with MAC based authentication. Please do the following. It will definitely work.
1. Create 1 VLAN in any of the switches for MAC based authentication purposes. Say the VLAN id is VLAN 900 (IP: 10.10.10.1/24).
2. In ACS go to "Group Setup". Assign a name, say "MAC".
3. Scroll down & go to "IETF RADIUS ATTRIBUTES". Go to Value 64 (Tunnel-Type). Choose Tag 1 & select VLAN from the drill down option.
4. Scroll down & go to "IETF RADIUS ATTRIBUTES". Go to Value 65 (Tunnel-Medium-Type). Choose Tag 1 & select 802 from the drill down option.
5. Scroll down & go to "IETF RADIUS ATTRIBUTES". Go to Value 81 (Tunnel-Type). Choose Tag 1 & write the VLAN id number that you created in core/distribution for MAC based authentication purposes (we created VLAN 900, so write 900).
6. Now come to "User Setup".
7. Add the MAC address of wireless nic card of one of the laptop/desktop.
8. Click on edit.
9. In real name write the MAC address of the wireless NIC card of the end user in small letters without any spaces.
10. In Password Authentication select "ACS Internal Database" from the drill down menu.
11. In the password & confirm password fields write the MAC address of that very registered user that we did in step 7.
12. Select the Group (that we created in step 2) MAC from the drill down menu in "Group to which the user is assigned".
13. Repeat steps 3, 4 & 5 again in "IETF RADIUS ATTRIBUTES".
14. In "Network Configuration" add ACS in AAA server setup & the corresponding AP in AAA client.
15. In AAA server setup provide the IP of ACS, give the key, and in AAA server type select "CiscoSecure ACS" from the drill down menu.
16. In AAA client setup add the IP of the AP and the shared secret (must be the same in ACS & AP). In the "Authentication Using" option select "RADIUS (Cisco Aironet)" from the drill down option.
17. From "System Configuration" go to the logging option & enable the required log settings so that you can get passed/failed logs.
18. Now go to the AP.
19. Go to Server Manager from the "Security" option.
20. Add the ACS server IP & give the shared secret key (it must be the same in AP & ACS). Leave the authentication & authorization port fields default. Apply. Now go down & select the ACS server IP from the MAC authentication option.
21. Click on "Global Properties". Select "Unformatted" from "RADIUS calling/called station id format".
22. Go to "Local Radius Server". Click on "General Setup", click on "MAC" & apply.
23. Now go to "Services" & select "VLAN".
24. Create the VLAN 900 that we created for MAC based authentication purposes.
25. Now go to "SSID MANAGER". Click on new & write the desired SSID name. From the VLAN field drill down to select "VLAN 900".
26. Under "Client Authentication Settings" select "With MAC authentication" from the open authentication field. Under MAC authentication server select the ACS IP from the drill down option.
27. Make sure the switch port that is connected to the AP is in trunk mode. Do the following:
"switchport trunk encapsulation dot1q"
"switchport trunk native vlan 901" -- the AP IP will be any IP from the native VLAN that is created in core/distribution.
"switchport mode trunk"
28. Make sure that from the end switch to which the AP is connected, the native & MAC VLAN IPs are pinging.
You are done!!!!
Please rate if possible!!!!
02-15-2008 01:46 PM
I am working on a similar setup but cannot get this to work as you stated. Within my ACS failed authentication log I get "ACS password invalid" when attempting to authenticate via MAC. I do have the MAC entered as the user and the password the same as the user. Any ideas?
02-20-2008 06:13 PM
I'm doing this now for approx 300 MAC addresses in my MAB table. However, I'm not using the username functions. The Network Access Profile has worked since day one. There were some caveats from the switch side, using VoIP phones, and a variety of weird issues w/ Cisco ATAs and APs not working w/ dot1x and CDP. Also saw HP printers throwing out some strange MAC addresses which caused failures via dot1x's built-in single host features. What we ended up doing was to return to the old method of guest access w/ the command "dot1x guest-vlan supplicant"; this seemed to help along with the newer code versions. As far as the Network Access Profile, it's quite simple to create one. Under the authentication tab place your MAC address in; be careful here, we had a few issues with following specific naming conventions, we stuck with the upper case 00:00:AA:BB:CC:00 type format. And make sure you assign the NAP to drop authenticated MACs into the proper NDG. Update if you're still having issues. Pretty happy with the overall setup: 2000+ EAP clients and 300+ MAB over 40+ 4500's.
02-21-2008 11:16 AM
Right:
It can be made to work either way. MAC-Auth-Bypass as described in switch documentation explains the use of using MAC as username/password. This should work much the same way WLAN APs have been doing this for years, and as discussed in this thread.
Alternatively, you could configure a NAP to have ACS not authenticate the request at all, but choose to authorize the session solely based on the Calling-Station-ID (RADIUS Attribute [31]) which is also the MAC Address of the end station. This would be a form of MAC filtering that would technically be possible via any RADIUS transaction if it was configured to do so.
Hope this helps,
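As an added example (not code from this thread, from Cisco ACS or from IOS), the following Python models the two ACS approaches just described: the MAC-as-username/password check, including the RFC 2865 User-Password hiding the switch applies before the request leaves the box, and the NAP variant that authorizes on Calling-Station-Id (attribute 31) alone, returning the tagged Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes from the AP walkthrough earlier in the thread. The shared secret, the allowed-MAC list and VLAN 900 are constructed values.

```python
import hashlib, os, re

# Constructed values for this example (not from the thread).
SHARED_SECRET = b"example-secret"
ALLOWED_MACS = {"0015c53ae40d"}   # ACS user entries: username == password == MAC
MAB_VLAN = "900"                  # VLAN returned in the Access-Accept

def normalize_mac(mac):
    """Lower-case, separator-free form: '00-15-C5-3A-E4-0D' -> '0015c53ae40d'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return hexdigits

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block)."""
    pw = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(x ^ y for x, y in zip(pw[i:i+16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i+16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i+16]
    return out.rstrip(b"\x00")

def build_mab_request(mac, secret):
    """What a MAB switch sends: User-Name (1), User-Password (2), Calling-Station-Id (31)."""
    auth = os.urandom(16)                 # Request Authenticator
    m = normalize_mac(mac).encode()
    return {"authenticator": auth, 1: m, 2: hide_password(m, secret, auth), 31: mac.encode()}

def acs_decide(req, secret, calling_station_only=False):
    """Access-Accept attributes, or None for a reject. calling_station_only models the NAP
    variant: authorize on attribute 31 alone, with no password check."""
    if calling_station_only:
        mac = normalize_mac(req[31].decode())
    elif reveal_password(req[2], secret, req["authenticator"]) != req[1]:
        return None                       # what the failed-attempts log shows as a password failure
    else:
        mac = normalize_mac(req[1].decode())
    if mac not in ALLOWED_MACS:
        return None
    # Tag 1 on each: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6), Tunnel-Private-Group-ID=VLAN id
    return {64: (1, 13), 65: (1, 6), 81: (1, MAB_VLAN)}
```

A request whose User-Password does not decrypt to the User-Name (wrong shared secret, or a MAC stored in a different format than the switch sends) is rejected before the MAC list is even consulted, which is the kind of "password invalid" failure reported above.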
02-21-2008 11:33 AM
Does the MAC-Auth-Bypass described in the switch documentation apply when working with an AP? We currently use MAC address checking within the AP but I'm wanting to move that to an ACS server so it is easier to manage when I add additional laptops for access as well as when we add additional APs.
Thanks for the information on MAC-Auth-Bypass.
02-21-2008 02:22 PM
Yes, it's effectively the same. Consult the product documentation for this on APs and the mechanism is the same, but for example on an AP you could fail a MAC-Authentication and still get online with 802.1X, whereas on a single switchport, MAC-auth only attempts after 802.1X times out on the port.
02-22-2008 05:45 AM
Just a caution, had some issues w/ the APs and MAC bypass. CDP running on the APs seemed to interfere. Same thing happened w/ ATAs.
02-24-2008 03:52 AM
Hi,
I am trying to configure MAC authentication bypass, and it is working,
but I want to start the MAC authentication without the 802.1x trials.
How can I do this? Is there any command that enables MAC authentication without the 802.1x?
My configuration :
interface GigabitEthernet0/48
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 2
dot1x timeout reauth-period 240
dot1x timeout tx-period 2
dot1x max-reauth-req 1
dot1x reauthentication
spanning-tree portfast
Regards
Mohamed
02-24-2008 11:09 AM
Today, MAC-Auth is only avail as a timeout to 1X in support of a supplemental auth method.
03-03-2008 02:19 AM
Thanks for your reply
The MAC authentication is working fine
What if the RADIUS server is down?
I want to configure it so that if the RADIUS server is down / doesn't reply, the PC gets assigned to the default VLAN (VLAN 1) and can access the network.
How can I configure this?
My existing configuration :-
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
aaa session-id common
interface GigabitEthernet0/48
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 2
dot1x timeout tx-period 1
dot1x max-reauth-req 1
dot1x reauthentication
spanning-tree portfast
Regards
Mohamed