Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
830
Views
15
Helpful
5
Replies

Using ACS to authenticate MAC address that appear on switches

angel-moon
Level 3
Level 3

‎06-12-2007 12:26 PM - edited ‎03-10-2019 03:12 PM

Hello,

Does anyone know of a way to have Cisco switches use the MAC address of devices that connect to them as a username/password combination for authentication via ACS? I want to set up the switches to query ACS as to whether or not to allow devices to pass traffic based on the database of the MAC addresses.

I know I can do this with wireless devices but in this case I can't use any client software or configuration. The switch just needs to see the packet, read the MAC address and query ACS as to allow the traffic to pass or not. Possible?

Thanks in advance. All replies rated!

Labels:
0 Helpful
5 Replies 5

Jagdeep Gambhir
Level 10
Level 10

‎06-12-2007 12:42 PM

Angel,

This is not possible, you can't send the MAC address to radius server via a switch like you can on an AP.

The only way for a MAC to be authenticated by radius server is for the MAC to appear in

the username and password fields of the RADIUS packet and the switches do not have the ability to do this.

However we can configure dot1x on the switch

and do machine or user authentication for which we need user database.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/Sw8021x.html

Another alternative can be port security , but database will not be centralised here,

http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/8.1/configuration/guide/sec_port.html

Hope that helps !

Regards,

Jagdeep

angel-moon
Level 3
Level 3
In response to Jagdeep Gambhir

‎06-12-2007 01:38 PM

Hello Jagdeep,

that got me staryted in the right direction but I need some clarification. It seems that I can restrict access based on MAC addres of the client if I run dot1x on the switch. I can do machine athentication. A couple of questions.

1) Can the authentication be transprent to the end user or device? These needs to be based purley on the packet

2) Can the database be centralized and if so what format does the database have to be in?

Thanks a ton!

0 Helpful

Jagdeep Gambhir
Level 10
Level 10
In response to angel-moon

‎06-13-2007 12:32 PM

What do you mean by "authentication transparent to end user " ?

Add Info:

In dot1x world, any host that is not onfigured to accept dot1x EAP packets, i.e not a

supplicant, will get placed in the guest vlan. However there is way for dot1x authentication to authenticate via mac-addresses, and any failed user should just be set as unauthorized.

This is a feature called VMPS that will allow mac-address authentication , however, you

need to be cautions to deploy both dot1x and vmps on the same interface.

Here is VAMPS config guide:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sec/3750scg

/swvlan.htm#wp1212223

VMPS is a way how to keep MAC to VLAN associations inside switch config. Such information can be stored in centralized way on one switch acting as VMPS while other switches will be clients to that server.

But in this case RADIUS server is not involved at all.

Regards,

Jagdeep

0 Helpful

scadora
Cisco Employee
Cisco Employee
In response to angel-moon

‎06-14-2007 07:31 AM

If you are doing 802.1X with mac authentication bypass, the switch will send a Radius Access-Request with the username attribute == the host's MAC address in the format hhhhhhhhhhh (all lower case, no white space). The password is the same as the username but encrypted via PAP (or MD5). This is just the same as any PAP user authentication. So the database can be centralized the same way you would for PAP authentication. In ACS, that could be the internal user database or any supported external database (LDAP etc).

The whole process is transparent to the end host. Once 802.1X times out on the port (default 90 seconds but you can adjust it), the switch will learn the MAC of the host from the next packet the host sends. Then the switch will do MAC auth as described above.

Hope that helps,

Shelly

wmblake755
Level 1
Level 1
In response to scadora

‎06-14-2007 09:09 AM

We do this, you can use L2 NAC EOU with Mac auth bypass. Check it out.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents