05-15-2007 12:18 AM - edited 03-05-2019 04:04 PM
Hi all,
I am trying to set up 802.1x port-based authentication on the Cisco Cat.2950 switch. I use PEAP on a Windows XP client (authenticated by Windows AD username/password) and Cisco ACS 4.0 as the RADIUS authentication server. Everything is okay. Now, I want to further improve the security. Does anyone know whether the user can be authenticated by "Windows AD username/password" PLUS "MAC address authentication"? I know I can manually enter the MAC address in each switch, but it is not feasible in our environment because we have many switches and many notebooks. Thanks.
Regards,
Murphy
05-15-2007 01:46 PM
Not exactly MAC auth but you can auth the AD computer account.
It's kind of an involved setup so I won't go through it all. Hopefully it will put you in the right direction.
Need a certificate (you can use a self-signed one, but you need to tell each client not to verify the cert: network interface Authentication tab)
Set up ACS to use an external DB (AD)
Set up group mappings
Using RADIUS attributes you can assign VLANs
This is the most relevant doc I could find on how to set it up. It is for wireless but you can do the same for wired.
Thanks,
Chad
Please rate if helpful!
05-15-2007 05:20 PM
Hi Chad,
Thank you for your information. FYI, I have already set up the ACS, and the wired notebook can be authenticated by AD account through 802.1x. My question is: I need to ensure users must use the Corporate notebooks to connect to the switches (Corporate network). If I only use the AD account for authentication, users can use their home notebook to connect to the Corporate LAN using his/her AD account. So, I want to check the MAC address of the notebook also, just like the Wireless LAN. Do you or anyone have any idea about it? Thanks.
Regards,
Murphy
05-16-2007 05:04 AM
You missed the part about machine authentication.
In the Windows User database configuration in ACS (External User Databases) you will find a section for machine authentication which may not show up unless you have a cert setup on ACS.
With this section you can configure that if machine auth fails it will put the machine in a specific group. This group can be configured to deny the connection.
You can use certs for your clients, but you'll need a CA infrastructure. Most secure. But you can just use PEAP instead of smartcard or certificate.
Go through the doc I sent as it goes through the basic setup for machine authentication.
Thanks,
Chad
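As an added example (not code from this thread or from Cisco ACS), here is the kind of retrospective check a defender can run over exported authentication logs once machine authentication is in place: it flags AD user logons from a MAC (Caller-ID) that never passed a machine (host/...) authentication, which is the "home notebook" case Murphy describes. The CSV column layout and the sample lines are constructed assumptions, not the real ACS 4.0 export format.

```python
from collections import namedtuple

# Constructed sample log in an assumed CSV layout (NOT the real ACS 4.0 export):
# date,time,message_type,user_name,group_name,caller_id(MAC),nas_ip
SAMPLE_LOG = """\
05/16/2007,08:01:12,Authen OK,host/corp-nb01.example.local,Machine-OK,00-11-22-33-44-55,10.0.0.2
05/16/2007,08:01:40,Authen OK,EXAMPLE\\murphy,Users,00-11-22-33-44-55,10.0.0.2
05/16/2007,09:14:50,Authen failed,host/home-laptop,Machine-Denied,AA:BB:CC:DD:EE:FF,10.0.0.3
05/16/2007,09:15:03,Authen OK,EXAMPLE\\jsmith,Users,aabb.ccdd.eeff,10.0.0.3
"""

Row = namedtuple("Row", "date time mtype user group mac nas")


def norm_mac(mac):
    """Normalise the MAC so 00-11-..., 00:11:... and 0011.2233.4455 compare equal."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def parse_log(text):
    """Parse the assumed CSV layout into Row records, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, mtype, user, group, mac, nas = line.split(",")
        rows.append(Row(date, time, mtype, user, group, norm_mac(mac), nas))
    return rows


def is_machine_account(user):
    # Windows machine accounts authenticate as host/<computer-name>
    return user.lower().startswith("host/")


def machine_auth_passed_macs(rows):
    """MACs for which a machine (host/) authentication succeeded."""
    return {r.mac for r in rows if r.mtype == "Authen OK" and is_machine_account(r.user)}


def user_auths_without_machine_auth(rows):
    """(user, mac) pairs where a user logged on from a MAC with no successful machine auth."""
    trusted = machine_auth_passed_macs(rows)
    return [(r.user, r.mac) for r in rows
            if r.mtype == "Authen OK" and not is_machine_account(r.user)
            and r.mac not in trusted]


if __name__ == "__main__":
    for user, mac in user_auths_without_machine_auth(parse_log(SAMPLE_LOG)):
        print(f"user {user} logged on from {mac} without a passing machine auth")
```

In production the deny-group mapping Chad describes enforces this at the ACS; the script only confirms afterwards that no non-domain machine slipped through.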