ittechk4u1
Enthusiast

802.1x with MAC authentication

Hello experts,

I want to implement two-factor authentication for a specific user group, via AD + MAC authentication.

I want to create (Auth and AuthZ) rules in ISE to allow a specific user group (from AD) together with their MAC addresses.

Could you please guide me in creating the rules in ISE?

 

Thanks in advance

 

ittechk4u1
Enthusiast

Experts... any help about two-factor authentication!!!!

 

 

I haven't done this myself but there is another thread asking nearly the same thing:

 

https://community.cisco.com/t5/policy-and-access/dual-authentication-with-mac-and-radius-server/td-p/2542448

 

About halfway down is a post by nspasov, which looks like it has the answer.

 

Hope this helps

 

*****Help out other by using the rating system and marking answered questions as "Answered"*****

*** Please rate helpful posts ***

 


No, it's not working!!!!!!

Hi,

Follow these steps:

1. Create an SSID with 802.1x (don't enable MAC filtering).

2. Create identity group "XYZ" and add the MAC addresses of the clients to it.

3. Create an Authentication policy that allows MAB/PEAP; the identity store must have AD and Internal host.

4. Create an AuthZ policy: match Identity Group and dot1x, and return the desired permission.

I hope it will work.

 

Regards

Don't forget to rate helpful posts


OK, I will try it and let you know.

 

Thanks

Sandeep,

It's not working...

 

 

Where exactly is it failing?

Is it passing authentication? If not, then try to create a normal rule:

 

Authentication Policy:

TWO factor Auth: If (Wireless_802.1x) AND AllowProtocols: PEAP (or default network access)

 

Authorization Policy:

TWO factor AuthZ: If (Identity Group name) AND Wireless_802.1x then Permit access (or desired permission)

 

Regards

Don't forget to rate helpful posts

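The two rules in the answer above, modelled offline in Python as an added example (not part of the original thread and not ISE's own code). Assumptions: `Wireless_802.1x` is modelled as Service-Type 2 (Framed) plus NAS-Port-Type 19 (Wireless - IEEE 802.11), the AD group name, users and MAC addresses are constructed, and `eap_method`/`peap_ok` are simplified stand-ins for the PEAP exchange.

```python
import re

# Constructed data. "XYZ" is the identity group named in the answer; the AD
# group name and all MACs/users below are hypothetical.
ENDPOINT_GROUPS = {"XYZ": {"00:11:22:AA:BB:CC"}}
AD_GROUP = "Wifi-2FA-Users"
AD_USERS = {"alice": {"Wifi-2FA-Users"}, "bob": {"Domain Users"}}

def normalize_mac(raw):
    """Reduce common MAC notations to AA:BB:CC:DD:EE:FF; None if malformed."""
    s = re.sub(r"[-:.\s]", "", raw or "")
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", s):
        return None
    return ":".join(s[i:i + 2] for i in range(0, 12, 2)).upper()

def is_wireless_8021x(req):
    """Assumed model of Wireless_802.1x: Service-Type 2 (Framed) and
    NAS-Port-Type 19 (Wireless - IEEE 802.11), per RFC 2865 values."""
    return req.get("Service-Type") == 2 and req.get("NAS-Port-Type") == 19

def authenticate(req):
    """Authentication rule: Wireless_802.1x AND PEAP allowed, user looked up in AD.
    Returns the user's AD groups, or None when authentication fails."""
    if not is_wireless_8021x(req) or req.get("eap_method") != "PEAP":
        return None
    if not req.get("peap_ok"):
        return None
    return AD_USERS.get(req.get("User-Name"))

def authorize(req, endpoint_group="XYZ"):
    """Authorization rule: identity group AND Wireless_802.1x, default deny."""
    groups = authenticate(req)
    if groups is None:
        return "DenyAccess: authentication failed"
    if AD_GROUP not in groups:  # AD group requirement comes from the question
        return "DenyAccess: user not in AD group"
    mac = normalize_mac(req.get("Calling-Station-Id"))
    if mac not in ENDPOINT_GROUPS.get(endpoint_group, set()):
        return "DenyAccess: endpoint not in identity group"
    return "PermitAccess"

def request(user, mac, port_type=19, ok=True):
    """Build a constructed Access-Request as a dict."""
    return {"User-Name": user, "Calling-Station-Id": mac, "Service-Type": 2,
            "NAS-Port-Type": port_type, "eap_method": "PEAP", "peap_ok": ok}

if __name__ == "__main__":
    for r in (request("alice", "00-11-22-aa-bb-cc"), request("alice", "0011.22aa.bbdd"),
              request("bob", "00:11:22:AA:BB:CC"), request("alice", "00-11-22-aa-bb-cc", 15)):
        print(r["User-Name"], r["Calling-Station-Id"], "->", authorize(r))
```

The MAC half of the check reads Calling-Station-Id, a value the client reports, so it restricts access to enrolled endpoints rather than acting as a secret second credential.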

Thank you very much. It's working now.

 

Thanks again.
