ACS 5.3 Authorization of user based on MAC address

patrick.kofler
Level 1

Hi all,

hopefully someone can help me further.

A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access only to company notebooks. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated in the domain and are unable to do certificate-based authentication.

As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password I now wanted to add another step into the authentication process - the MAC of the device.

I know I can do the filtering at the WLAN controller, but as it has a limited database as well as the fact that it is cumbersome to maintain the MAC list on all the controllers I thought I can do it over our ACS system.

I am now trying to accomplish the following:

The user gets authenticated via the internal user store, which is successful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, to decide if access is granted or not.

For this I created the following policy:

Service Selection Policy -- (Rule based result selection)

-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access

-- Default | Result: DenyAccess

Service PEAP access

Identity: Internal Users -- (Single result selection)

Authorization -- (Rule based result selection)

-- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs

When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs is:

15039 Selected Authorization Profile is DenyAccess

Is it not possible to use one identity store as "attribute database" for the other identity store?


Regards,

Patrick


Tarik Admani
VIP Alumni

Patrick,

When performing PEAP authentication the ACS by default will look in the internal user store. You can try to configure your identity sequence to use internal but set the additional attribute selection for the internal hosts db.

An easier approach you can try is to create a condition in your PEAP rule to check the calling station id, which is the MAC OUI of the barcode scanner.

If the MAC OUI for the barcode scanner is 00-00-00, then set your condition to "begins with" and then test.

Similar to your called station check for the ssid.

Thanks,

Hi Tarik

You can try to configure your identity sequence to use internal but set the additional attribute selection for the internal hosts db.

I tried that already, it did not work. I got the same error.

An easier approach you can try is to create a condition in your PEAP rule to check the calling station id, which is the MAC OUI of the barcode scanner.

If the MAC OUI for the barcode scanner is 00-00-00, then set your condition to "begins with" and then test.

I tried this approach and it even worked, but it is not scalable. I am not a fan of wildcard filters for MACs, I want to use absolute values, that's why.

We have many scanners and I did not find a way to import rules similar to the import of MAC addresses via CSV, nor does it allow for simple mistakes with logical operators. If you try to remove an operator all conditions within are deleted as well.

Also when I tried to set the calling station id filter from static to dynamic the only attribute I can use of the internal hosts dictionary is HostIdentityGroup which is not an identity group per se but actually contains them.

Is there no other way?

Regards,

Patrick

For this you can use an end station filter

define at Policy Elements > Session Conditions > Network Conditions > End Station Filters

You can define a list of MAC addresses; it can be imported and exported from a file

To include it in the authorization policy, customize the authorization policy to include the "End Station Filter" condition and then select the End Station Filter object that you have just defined
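The policy this thread converges on, modelled as an added Python example (it is not ACS code and not from any of the posters): it normalises the RADIUS Calling-Station-Id the way a filter engine must, loads an exact MAC allowlist from a CSV as the End Station Filter import would, and contrasts that with the OUI "begins with" rule suggested earlier. The SSID, OUI, CSV layout and MAC values are constructed placeholders, not values from the thread.

```python
import csv
import io
import re

SCANNER_SSID = "CORP-SCANNERS"   # placeholder SSID (the thread only writes <SSID>)
SCANNER_OUI = "00-00-00"         # the example OUI used in the thread

# Constructed export of an End Station Filter. The column layout is assumed;
# it is not ACS's real import/export format.
END_STATION_FILTER_CSV = """mac
00-00-00-12-34-56
00:00:00:AB:CD:EF
0000.00aa.bbcc
"""

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(raw, nibbles=12):
    """Reduce any common MAC notation (dashes, colons, Cisco dots, mixed case)
    to a fixed number of lowercase hex digits so comparisons are exact."""
    digits = _NON_HEX.sub("", raw.lower())
    if len(digits) != nibbles:
        raise ValueError("expected %d hex digits in %r" % (nibbles, raw))
    return digits


def load_end_station_filter(csv_text):
    """Build the exact-match allowlist from the exported CSV."""
    return {normalize_mac(row["mac"]) for row in csv.DictReader(io.StringIO(csv_text))}


def select_service(request):
    """Service Selection Policy from the thread: wireless NDG and SSID contained
    in Called-Station-Id (wireless controllers send it as '<AP-MAC>:<SSID>')."""
    if request["device_type"] == "Wireless" and SCANNER_SSID in request["called_station_id"]:
        return "PEAP access"
    return "DenyAccess"


def authorize(request, allowed_macs, user_authenticated=True, use_oui_prefix=False):
    """Authorization step: exact End Station Filter match by default, or the
    'begins with' OUI rule when use_oui_prefix is set."""
    if select_service(request) != "PEAP access" or not user_authenticated:
        return "DenyAccess"
    mac = normalize_mac(request["calling_station_id"])
    if use_oui_prefix:
        permitted = mac.startswith(normalize_mac(SCANNER_OUI, nibbles=6))
    else:
        permitted = mac in allowed_macs
    return "Permit Access" if permitted else "DenyAccess"
```

Running the same unknown MAC through both modes shows why the OUI rule admits every device that shares the prefix, which is the precision concern raised above; an exact allowlist only admits the imported entries.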

That did it! Thanks!

Regards,

Patrick

One more question.

Is there a similar option for the ISE?

I can't find one.

Regards,

Patrick