
MAC based Authentication on ACS

angel-moon
Level 3

Hello everyone,

I am trying to get ACS to do MAC based authentication where, upon client connection, the switch forwards the MAC address of the client to ACS to either authorize or unauthorize the port. I need to do this in an agentless fashion as most of the devices are not Windows based. Problems:

1) Where to put the MAC address in ACS. I am getting told 2 different things. One way is to create a user with the MAC address as the username AND password, have ACS reference the internal database and I should be good. The second way I am being told is with Network Access Profiles: create a profile, then under "Authentication", enter the MAC address under Internal ACS DB.

So far both ways are still making the Windows based machines prompt for a user name and password. I can't have that. It has to be transparent to the end user. Can anyone point me in the right direction?

Thanks in advance! All replies rated.

16 Replies

First recommendation is to provide HA/resiliency to RADIUS. Not sure this is something you'd need to enable by default; try to use it as a fail-safe. If you still need it, see below:

You would need to enable dot1x critical.

Add this to your port:

dot1x critical

dot1x critical vlan

Optionally, if you want to initialize the port once the switch discovers RADIUS is back, add this to the port:

dot1x critical recovery action reinitialize

Also, add a test username at the end of your RADIUS server definition (this allows the switch to actively seek the server while it's in a down state):

radius-server host 10.123.100.6 test username

Also add this for deterministic deployment:

radius-server dead-criteria time 15 tries 3

Hope this helps,

Hi,

Sorry, I'm obviously a bit late to this conversation. We are looking to deploy 802.1x across our organisation and things look good with our testing so far. However, I have a large number of non-dot1x-capable devices which I would like to authenticate based on MAC address and a huge number of switches (such as 2950s) which do not support the mac-auth-bypass command. You mention authenticating by MAC address using a RADIUS attribute and a NAP on the ACS server; could you give more info? Or is this only possible via an AP? I thought 802.1x on a switch never forwarded the MAC address if it failed to receive EAPOL packets (without use of mac-auth-bypass)?

Many thanks

Ross
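
As an added illustration (not part of the original thread, and not Cisco's or ACS's own code), the Python below shows what a switch that does support MAC authentication bypass actually sends to ACS for a client that never answers EAPOL, and what the "MAC as username and password in the internal database" setup from the first post amounts to on the server side. The switch puts the MAC in User-Name and in User-Password (hidden with the RFC 2865 MD5/XOR scheme), sets Service-Type to Call-Check, and appends a Message-Authenticator; the server recovers the password, checks the HMAC, and answers Access-Accept only if User-Name and User-Password both equal a MAC in its database. The shared secret, client MAC, switch address and database contents are constructed for the example; the 12-hex-digit lowercase User-Name form is the one IOS MAB uses, while the hyphenated Calling-Station-Id form is an assumption; real ACS policy evaluation is of course richer than this check.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example: ACS shared secret, client MAC, switch (NAS) address.
SHARED_SECRET = b"example-shared-secret"
CLIENT_MAC = "00:11:22:33:44:55"
NAS_IP = "10.123.100.1"

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
ATTR_SERVICE_TYPE, ATTR_CALLING_STATION_ID, ATTR_MESSAGE_AUTHENTICATOR = 6, 31, 80
SERVICE_TYPE_CALL_CHECK = 10  # the Service-Type value MAB requests carry

def mab_username(mac: str) -> str:
    """12 lowercase hex digits, no separators: the User-Name form IOS MAB sends."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: 16-byte blocks XORed with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme; the chain is keyed on the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length byte includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_mab_access_request(mac: str, secret: bytes, ident: int = 1) -> bytes:
    """What the switch sends to ACS for a client that never answered EAPOL."""
    request_auth = os.urandom(16)
    user = mab_username(mac).encode()
    body = b"".join([
        attr(ATTR_USER_NAME, user),
        attr(ATTR_USER_PASSWORD, encode_user_password(user, secret, request_auth)),
        attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))),
        attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        attr(ATTR_CALLING_STATION_ID, mac.upper().replace(":", "-").encode()),  # assumed form
        attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16),  # placeholder, filled in below
    ])
    pkt = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body
    # RFC 2869 Message-Authenticator: HMAC-MD5 over the packet with the attribute zeroed;
    # it was emitted last, so its 16 zero bytes are the last 16 bytes of the packet.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def parse_packet(pkt: bytes):
    """Returns (code, id, authenticator, {type: value}, offset of Message-Authenticator or None)."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad packet length")
    code, ident = pkt[0], pkt[1]
    attrs, ma_offset, pos = {}, None, 20
    while pos < len(pkt):
        if pos + 2 > len(pkt) or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > len(pkt):
            raise ValueError("malformed attribute")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        if pkt[pos] == ATTR_MESSAGE_AUTHENTICATOR and pkt[pos + 1] == 18:
            ma_offset = pos + 2
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs, ma_offset

def acs_mab_decision(pkt: bytes, secret: bytes, allowed_macs: set):
    """Emulates the ACS internal-DB check: User-Name and User-Password must both equal a
    MAC in the database and Service-Type must be Call-Check. Returns an Access-Accept or
    Access-Reject packet, or None when the request is discarded."""
    code, ident, request_auth, attrs, ma_offset = parse_packet(pkt)
    if code != CODE_ACCESS_REQUEST or ma_offset is None:
        return None
    zeroed = pkt[:ma_offset] + b"\x00" * 16 + pkt[ma_offset + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[ma_offset:ma_offset + 16]):
        return None  # wrong secret or forged request: RFC 2865 says silently discard
    user = attrs.get(ATTR_USER_NAME, b"").decode("ascii", "replace")
    password = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    service = attrs.get(ATTR_SERVICE_TYPE, b"")
    is_mab = len(service) == 4 and struct.unpack("!I", service)[0] == SERVICE_TYPE_CALL_CHECK
    accepted = is_mab and user in allowed_macs and password == user.encode()
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT if accepted else CODE_ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()

if __name__ == "__main__":
    internal_db = {mab_username(CLIENT_MAC)}  # the ACS "user" with the MAC as name and password
    req = build_mab_access_request(CLIENT_MAC, SHARED_SECRET)
    resp = acs_mab_decision(req, SHARED_SECRET, internal_db)
    print("Access-Accept" if resp[0] == CODE_ACCESS_ACCEPT else "Access-Reject")
```

Two caveats follow directly from the exchange above. Because the MAC is both the username and the password, anyone who can observe or guess a permitted address can present it, so this is an allow-list of addresses rather than authentication of the device. And the Message-Authenticator check is the only thing in this exchange that rejects an Access-Request forged by a host that does not hold the shared secret, so the secret needs to be strong and the switch-to-ACS path should not be reachable from client VLANs.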