Dual Authentication with MAC and radius server

jayapraki
Level 1

Hi,

Can anyone clarify whether we can do MAC address authentication and RADIUS server authentication in the wireless network? In my network I have a WLC, ACS and an AD server.

Thanks & Regards,

Jayaprakash.K.V

 

11 Replies

nspasov
Cisco Employee

What do you mean by "Radius Server Authentication"?

I mean the AD authentication. 

Ah ok :) So yes, you should be able to perform your user or machine based authentication against AD and also check the MAC address against the database of your Radius server. I have personally done this with both ISE and ACS. In the WLC you will set your regular 802.1x settings and also check "mac filtering." Then you have to make sure that your Radius servers are configured on the WLC and set to be used by that SSID, otherwise the mac filtering mechanism will use the WLC's local database.

Hope this helps!

 

Thank you for rating helpful posts!

Thank you, Neno Spasov.

Will this work without ISE? Can you please share any relevant document?

Thanks in advance.

What do you plan to use for Radius server?

I am using ACS 4.3 and planning to upgrade to 5.3 now.

I haven't done it with ACS but it should be similar to ISE:

1. You configure your WLAN settings with the appropriate 802.1x settings. However, in addition, under Security > Layer 2, you need to check "Mac Filtering." Then under the AAA servers tab, make sure that your ISE server(s) are listed under both authentication and accounting.

2. In ACS, you will need to:

2.1. Create an Identity Store Sequence that includes both AD and Internal Endpoints/hosts

2.2. Create all of the hosts/static MACs under Users and Identity Stores > Internal Identity Stores > Hosts

2.3. Create an Authentication policy that allows MAB (PAP/ASCII > Detect PAP as Host Lookup) and the protocol that you are using for AD authentication (usually PEAP or EAP-MD5). The policy should be using the previously created Identity Store Sequence that includes both AD and Internal Hosts.

2.4. Create an Authorization policy that checks for both the membership of an AD group (for instance, Domain Computers or Domain Users) AND for device membership in "Local Hosts".

2.5. Return an "Authorization Profile" with the desired permissions.

Hope this helps!

 

Thank you for rating helpful posts!
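As an added illustration (not part of this thread and not ACS's own code or API), the following Python model shows the dual-condition authorization rule described above: the identity must be in a required AD group AND the client MAC from Calling-Station-Id must be in the internal hosts store, with the MAC normalized first because different components write it in different formats. All host entries, usernames and group names below are constructed sample data.

```python
import re
from typing import Optional, Tuple

# Constructed stand-ins for the ACS internal Hosts store and AD group
# membership (illustrative only; not ACS data or an ACS API).
INTERNAL_HOSTS = {"00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"}
AD_GROUPS = {
    "CORP\\laptop01$": {"Domain Computers"},
    "CORP\\jdoe": {"Domain Users"},
    "CORP\\guest1": {"Guests"},
}
REQUIRED_AD_GROUPS = {"Domain Computers", "Domain Users"}


def normalize_mac(mac: str) -> Optional[str]:
    """Turn aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or AABBCCDDEEFF into
    aa:bb:cc:dd:ee:ff; return None if the value is not a 48-bit MAC."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def authorize(user_name: str, calling_station_id: str) -> Tuple[bool, str]:
    """Permit only when BOTH conditions hold: the authenticated identity is
    in a required AD group and the client MAC is a known internal host."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return False, "deny: Calling-Station-Id is not a valid MAC"
    in_ad_group = bool(AD_GROUPS.get(user_name, set()) & REQUIRED_AD_GROUPS)
    in_hosts = mac in INTERNAL_HOSTS
    if in_ad_group and in_hosts:
        return True, "permit: AD group match and MAC in internal hosts"
    if not in_ad_group:
        return False, f"deny: {user_name} not in a required AD group"
    return False, f"deny: MAC {mac} not in internal hosts store"


if __name__ == "__main__":
    for user, csid in [("CORP\\laptop01$", "00-11-22-33-44-55"),
                       ("CORP\\jdoe", "aabb.ccdd.ee02"),
                       ("CORP\\guest1", "00:11:22:33:44:55")]:
        print(user, csid, authorize(user, csid))
```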

Thanks a lot, Neno. I will try and update the same.

No problem. Btw, a couple of corrections:

1. The identity store sequence does NOT need to include "internal hosts". I just tested this (ISE only again) and AD only is OK. I believe you need this if you are going to do regular MAB.

2. The SSID does not need to have "Mac Filtering" checked. Again, I just tested this in my lab with ISE and can confirm that it is not needed. 

Everything else should be OK :) I would test this with ACS but my lab is not integrated with it yet and I don't currently have time to do it. Maybe later in the week if time allows. Anyways, give it a try and see how far you can get. The nice thing about ACS 5 vs 4 is that you get a lot more log info so troubleshooting is much easier. 

 

Thank you for rating helpful posts!

Hi nspasov,
Could you please help me to set up 802.1x with MAC filtering?

 

1. I configured a SSID with 802.1x

2. Configured ISE rules

Authentication for: MAB

Authz: wireless dot1x and PEAP and Identity Group EQUALS TEST

 

Test is where my mac address is stored.

 

But still it is not working...

 

Thanks

Tips to make Machine Authentication Work - PEAP Authentication

https://supportforums.cisco.com/document/87611/tips-make-machine-authentication-work-peap-authentication