01-25-2008 09:24 AM - edited 03-10-2019 03:37 PM
Hello everyone,
I am trying to get ACS to do MAC-based authentication where, upon client connection, the switch forwards the MAC address of the client to ACS to either authorize or unauthorize the port. I need to do this in an agentless fashion as most of the devices are not Windows-based. Problems:
1) Where to put the MAC address in ACS. I am getting told 2 different things. One way is to create a user with the MAC address as the username AND password, have ACS reference the internal database, and I should be good. The second way I am being told is with Network Access Profiles: create a profile, then under "Authentication", enter the MAC address under Internal ACS DB.
So far both ways are still making the Windows-based machines prompt for a username and password. I can't have that. It has to be transparent to the end user. Can anyone point me in the right direction?
Thanks in advance! All replies rated.
03-03-2008 07:30 AM
First recommendation is to provide HA/resiliency to RADIUS. Not sure this is something you'd need to enable by default. Try to use it as fail-safe. If you still need it, see below:
You would need to enable dot1x critical.
Add this to your port:
dot1x critical
dot1x critical vlan
Optionally, if you want to initialize the port once the switch discovers RADIUS is back, add this to the port:
dot1x critical recovery action reinitialize
Also, add a test username at the end of your RADIUS server definition (this allows the switch to actively seek the server while it's in a down state):
radius-server host 10.123.100.6 test username
Also add this for deterministic deployment:
radius-server dead-criteria time 15 tries 3
Hope this helps,
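Pulling the pieces of this reply together, the following is a complete switch-side configuration added as an example (it is not code from the original post or from Cisco). It combines the critical-VLAN fallback described above with MAC Authentication Bypass on the port, which is what the original question needs for agentless devices. The RADIUS server address 10.123.100.6 comes from the post; the shared key, interface, VLAN numbers, and probe username are assumptions, and the syntax is the older `dot1x ...` form used on Catalyst 3560/3750-class switches of that era (the 2950 mentioned later in the thread does not support mac-auth-bypass).

```cisco
! Added example: MAB plus critical-VLAN fallback on a Catalyst 3560/3750-class
! switch (12.2(25)SEE-era syntax). 10.123.100.6 is the ACS server from the
! thread; the key, interface, VLAN numbers and probe user are assumptions.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Probe the server with a synthetic user so a dead ACS is detected
! proactively; 'test username' must come before 'key'. The probe user does
! not need to exist on ACS: an Access-Reject still proves the server is up.
radius-server host 10.123.100.6 auth-port 1645 acct-port 1646 test username radius-probe key SharedSecret123
! Declare the server dead after 15 s / 3 unanswered tries, and stop trying
! it for 10 minutes so the failover to the critical VLAN is deterministic.
radius-server dead-criteria time 15 tries 3
radius-server deadtime 10
!
dot1x system-auth-control
!
! VLAN 20 is a constrained "critical" VLAN (assumed). It should not be the
! production VLAN: while ACS is down, anything plugged into this port is
! placed there with no authentication at all.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 ! Fall back to MAC Authentication Bypass after EAPOL times out; the MAC is
 ! sent to ACS as both User-Name and User-Password.
 dot1x mac-auth-bypass
 ! Shorten the EAPOL wait before MAB kicks in:
 ! (max-reauth-req + 1) * tx-period = 3 * 5 = 15 s instead of the default 90 s.
 dot1x timeout tx-period 5
 dot1x max-reauth-req 2
 ! Critical-VLAN fallback, and re-initialise the port when ACS comes back.
 dot1x critical
 dot1x critical vlan 20
 dot1x critical recovery action reinitialize
 spanning-tree portfast
```

Two things to check after applying this: `show dot1x interface FastEthernet0/1 details` should list MAB as enabled and show the critical VLAN, and `show radius server-group all` (or `debug radius`) should show the probe requests going out at the configured idle time. Because the critical VLAN opens the port to any device while ACS is unreachable, keep it firewalled the way you would a guest VLAN.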
01-12-2009 01:49 AM
Hi,
Sorry, I'm obviously a bit late to this conversation. We are looking to deploy 802.1x across our organisation and things look good with our testing so far. However, I have a large amount of non-dot1x-capable devices which I would like to authenticate based on MAC address, and a huge amount of switches (such as 2950s) which do not support the mac-auth-bypass command. You mention authenticating by MAC address using a RADIUS attribute and a NAP on the ACS server. Could you give more info? Or is this only possible via an AP? I thought 802.1x on a switch never forwarded the MAC address if it failed to receive EAPOL packets (without use of mac-auth-bypass)?
Many thanks
Ross