For those who come across this (4+ years old as of this post) thread and are looking for a way to integrate 802.1x MAC Authentication Bypass (MAB) with Windows Server 20xx without implementing fine-grained password policies, I'd like to offer this alternative:

Configuring MAB with LDAP User Device Binding

Full disclosure: I am not the author of this white paper. I have, however, designed, configured and tested a proof-of-concept implementation using this paper as a guide.

My particular lab solution utilized the following platforms/technologies:

- Cisco Secure Access Control Server (ACS) 5.5
- Cisco Identity Services Engine (ISE) 1.3 (alternate)
- Microsoft Windows Server 2012 R2 Active Directory Lightweight Directory Services (AD LDS)
- VMware ESXi 5.5
- Cisco Catalyst 3560 switch

Here's a quick summary of the steps I took to get this working:

1. Created a new standalone LDS instance
2. Wrote an LDAP Data Interchange Format (LDIF) file to add the (ieee802)Device class & prerequisite sub-classes & attributes (e.g. macAddress) to the LDS schema
3. Configured the LDS LDAP directory hierarchy following the example in the white paper
4. Manually added test devices & groups to LDS database
5. Configured ACS (and later ISE) according to the white paper
6. Configured the switch for 802.1x/MAB authentication
7. Tested MAB authentication with a sample endpoint
8. Created a Comma-Separated Values (CSV) spreadsheet with more sample devices
9. Wrote a Perl script to parse the spreadsheet data into a new LDIF file
10. Imported the resulting LDIF file output into the LDS database

The second and ninth steps were by far the most difficult to accomplish; it took me quite a few iterations and no small amount of trial-and-error to alter the schema properly and get the script working. But in the end, I was successful.

If this is useful to anyone or if there are any questions/comments, please let me know. I will try to reply as soon as humanly possible.

Disclaimer: This information is offered as-is with no warranty of any kind, stated or implied. I and/or Cisco accept no responsibility or liability for data loss, monetary loss or downtime caused by following the recommendations or suggestions in this post. All products, logos, trademarks mentioned are the property of their respective owners.
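
The CSV-to-LDIF conversion from steps 8 to 10, sketched here in Python as an added example; it is not the poster's Perl script, which does not appear in the thread. Assumptions: the CSV has `name` and `mac` columns, the base DN is a placeholder, the object classes use the RFC 2307 names `device` and `ieee802Device`, and MACs are stored hyphen-separated (use whatever format your RADIUS server searches with).

```python
import csv
import io
import re

BASE_DN = "OU=Devices,DC=example,DC=com"   # assumed placeholder, not from the post
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")  # rejects DN/LDIF metacharacters and newlines

def normalize_mac(raw, sep="-"):
    """Accept colon, hyphen, dot or bare hex notation; return lower-case octets joined by sep."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))

def csv_to_ldif(csv_text, base_dn=BASE_DN):
    """Return (ldif_text, errors); invalid or duplicate rows are skipped and reported."""
    entries, errors, seen = [], [], set()
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        name = (row.get("name") or "").strip()
        try:
            # Spreadsheet fields are untrusted: a comma or newline in a name
            # would otherwise change the DN or inject extra LDIF attributes.
            if not SAFE_NAME.fullmatch(name):
                raise ValueError(f"unsafe device name: {name!r}")
            mac = normalize_mac(row.get("mac") or "")
            if mac in seen:
                raise ValueError(f"duplicate MAC: {mac}")
        except ValueError as exc:
            errors.append(f"line {reader.line_num}: {exc}")
            continue
        seen.add(mac)
        entries.append("\n".join([
            f"dn: CN={name},{base_dn}",
            "changetype: add",
            "objectClass: top",
            "objectClass: device",
            "objectClass: ieee802Device",
            f"cn: {name}",
            f"macAddress: {mac}",
        ]))
    return "\n\n".join(entries) + "\n", errors

# Constructed sample data, not taken from the post.
SAMPLE_CSV = ('name,mac\nprinter-01,00:11:22:AA:BB:CC\nphone-02,0011.22aa.bbcd\n'
              'dup-03,00-11-22-aa-bb-cc\nbad-04,00:11:22:aa:bb\n"ap,05",00:11:22:aa:bb:ce\n')

if __name__ == "__main__":
    ldif, problems = csv_to_ldif(SAMPLE_CSV)
    print(ldif)
    print("\n".join(problems))
```

Review the reported errors before importing: a skipped duplicate usually means two inventory rows claim the same device, which is worth resolving in the spreadsheet rather than in the directory.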
I know this is a very old thread, but for those who happen upon it, the tools other users have linked here have since been retired for the Cisco Commerce Build & Price Tool at https://apps.cisco.com/ccw/cpc/guest/home.do?flow=nextgen#!/

1. Under Estimates and Configurations, select Create Configuration. A new Configuration Set will be created.
2. Expand the Service Preferences toggle button (+) and choose whether or not you want the tool to add recommended services.
3. Click the Find Product link.
4. In the Search textbox, type at least 3 letters of your item name/description (e.g. "nexus 7000") and click the Search button.
5. Scroll down to find your hardware and add it to your cart by clicking the + sign next to the item.
6. Click the Add button in the resulting box under Selected Items.
7. On the subsequent screen, scroll down to your saved item and click the Select Options link to configure PSUs, supervisor and I/O modules, etc. The Show Incompatible SKUs link will show you when options you've selected are incompatible.

HTH.

The advice, suggestions and/or instruction are offered here without warranty of any kind, stated or implied. Although tested and thought to be correct at the time of writing, the author and associated entities shall not be held liable for any inconsistencies or errors herein.