MAC based Authentication on ACS

angel-moon
Level 3

Hello everyone,

I am trying to get ACS to do MAC based authentication where upon client connection the switch forwards the MAC address of the client to ACS to either authorize or unauthorize the port. I need to do this in an agentless fashion as most of the devices are not Windows based. Problems:

1) Where to put the MAC address in ACS. I am getting told 2 different things. One way is to create a user with the MAC address as the username AND password, have ACS reference the internal database and I should be good. The second way I am being told is with Network Access Profiles: create a profile, then under "Authentication", enter the MAC address under Internal ACS DB.

So far both ways are still making the Windows based machines prompt for a user name and password. I can't have that. It has to be transparent to the end user. Can anyone point me in the right direction?

Thanks in advance! All replies rated.

16 Replies

Jagdeep Gambhir
Level 10

You can go through the MAC Auth bypass feature from the following links:

12.2(37)SE - "Using IEEE 802.1x Authentication with MAC Authentication Bypass"

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12237se/scg/sw8021x.htm#wp1205506

Configuring MAC Auth bypass on 12.2(37)SE:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12237se/scg/sw8021x.htm#wp1196845

----------Commands Required on Switch--------------

aaa new-model

aaa authentication dot1x default group radius

dot1x system-auth-control

radius-server host <ACS-IP-address>

radius-server key <shared-secret>

config t

interface <interface-id>

switchport access vlan <vlan-id>

dot1x port-control auto

dot1x mac-auth-bypass

dot1x timeout quiet-period 15

dot1x timeout tx-period 3

dot1x reauthentication

Create an AAA Client entry for the switch in ACS from the Network Configuration section.

And use the Authentication Protocol as RADIUS (Cisco IOS....)

And on ACS create an account for the client as,

Username : 0015c53ae40d

Password : 0015c53ae40d

If the MAC address of the client is 00-15-C5-3A-E4-0D

Regards,

~JG
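
Added example, not part of the original reply or of Cisco's documentation: a Python helper that converts MAC addresses from a device inventory into the 12-hex-digit lowercase form the reply above uses for the ACS username and password, and rejects malformed, group and duplicate entries before any accounts are created. The inventory format (`MAC, label`), the function names and the sample lines are assumptions made for illustration.

```python
import re

# Separators seen in inventories: 00-15-C5-3A-E4-0D, 00:15:c5:3a:e4:0d, 0015.c53a.e40d
_SEPARATORS = re.compile(r"[-:.\s]")
_HEX12 = re.compile(r"[0-9a-f]{12}")

def mab_username(mac: str) -> str:
    """Return the 12-digit lowercase form shown in the reply (used as username and password)."""
    digits = _SEPARATORS.sub("", mac.strip()).lower()
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if int(digits[:2], 16) & 0x01:
        # Group (multicast/broadcast) addresses are never a station's source MAC.
        raise ValueError(f"group address cannot identify a client: {mac!r}")
    return digits

def build_accounts(inventory):
    """Turn 'MAC, label' lines into ({username: label}, [(line number, reason rejected)])."""
    accounts, rejected = {}, []
    for lineno, line in enumerate(inventory, 1):
        line = line.split("#", 1)[0].strip()  # allow comments and blank lines
        if not line:
            continue
        mac, _, label = line.partition(",")
        try:
            user = mab_username(mac)
        except ValueError as exc:
            rejected.append((lineno, str(exc)))
            continue
        if user in accounts:
            rejected.append((lineno, f"duplicate of {accounts[user]!r}: {mac.strip()!r}"))
            continue
        accounts[user] = label.strip()
    return accounts, rejected

# Constructed sample inventory; only the first MAC comes from the reply above.
SAMPLE = [
    "00-15-C5-3A-E4-0D, lobby printer",
    "0015.c53a.e40d, same device in Cisco dotted form",
    "02:00:5e:10:00:01, badge reader",
    "ff:ff:ff:ff:ff:ff, broadcast",
    "00:15:c5:3a:e4, truncated",
]

if __name__ == "__main__":
    accounts, rejected = build_accounts(SAMPLE)
    for user, label in accounts.items():
        print(f"Username: {user}  Password: {user}  ({label})")
    for lineno, reason in rejected:
        print(f"line {lineno} rejected: {reason}")
```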