Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2051
Views
15
Helpful
9
Replies

802.1x with MAC authentication

Go to solution
ittechk4u1
Level 4
Level 4

‎07-31-2018 12:56 AM - edited ‎07-05-2021 08:54 AM

Hello experts,

I want to implement two factor authentication for specific users group. via AD + MAC authentication..

I want to create  (Auth annd AuthZ) rule in ISE to allows specific users Group (from AD) and with there mac address.

Could you please guide me to create  rules in ISE.

 

Thanks in advance

 

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Sandeep Choudhary
VIP Alumni
VIP Alumni
In response to ittechk4u1

‎08-03-2018 01:27 AM

Hi,

Follow these steps:

1. Create a SSID with 802.1x (Dont enable MAC filtering)

2. Create identity group "XYZ" and add the mac address of clients in it.

3. Create a Authentication policy that allows MAB/PEAP and identity store must have AD and Internal host

4. Create AuthZ policy: Match Identity Group and dot1x  and return with desired permission.

I hope it will work.

 

Regards

Dont forget to rate helpful posts

View solution in original post

Go to solution
Sandeep Choudhary
VIP Alumni
VIP Alumni
In response to ittechk4u1

‎08-03-2018 03:51 AM

Where exactly its failing ?

is it passing Authentication ? if not then try to create a normal rule:

 

Authentication Policy:

TWO factor Auth    : If (Wirless_802.1x)..........AND.....AllowProtocols: PEAP(or default network access)

 

Authorization Policy :

TWO factor AuthZ  :If (Identity Group name) AND Wireless_802.1x    then Permit access(or desired permission)

 

Regards

Dont forget to rate helpful posts

View solution in original post

9 Replies 9

Go to solution
ittechk4u1
Level 4
Level 4

‎07-31-2018 09:56 PM

experts...any help about two factor authentication!!!!

 

 

0 Helpful

Go to solution
Haydn Andrews
VIP Alumni
VIP Alumni
In response to ittechk4u1

‎07-31-2018 10:50 PM

I haven't done this myself but there is another thread asking nearly the same thing:

 

https://community.cisco.com/t5/policy-and-access/dual-authentication-with-mac-and-radius-server/td-p/2542448

 

About Halfway down is apost by nspasov:

Which looks like it has the answer

 

Hope this helps

 

*****Help out other by using the rating system and marking answered questions as "Answered"*****

*** Please rate helpful posts ***

 

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

Go to solution
ittechk4u1
Level 4
Level 4
In response to Haydn Andrews

‎08-03-2018 01:20 AM

No its not working!!!!!!

0 Helpful

Go to solution
Sandeep Choudhary
VIP Alumni
VIP Alumni
In response to ittechk4u1

‎08-03-2018 01:27 AM

Hi,

Follow these steps:

1. Create a SSID with 802.1x (Dont enable MAC filtering)

2. Create identity group "XYZ" and add the mac address of clients in it.

3. Create a Authentication policy that allows MAB/PEAP and identity store must have AD and Internal host

4. Create AuthZ policy: Match Identity Group and dot1x  and return with desired permission.

I hope it will work.

 

Regards

Dont forget to rate helpful posts

Go to solution
ittechk4u1
Level 4
Level 4
In response to Sandeep Choudhary

‎08-03-2018 01:39 AM

Ok i will try it and let you know.

 

Thanks

0 Helpful

Go to solution
ittechk4u1
Level 4
Level 4
In response to Sandeep Choudhary

‎08-03-2018 03:04 AM

Sandeep,

Its not working...

 

 

0 Helpful

Go to solution
Sandeep Choudhary
VIP Alumni
VIP Alumni
In response to ittechk4u1

‎08-03-2018 03:51 AM

Where exactly its failing ?

is it passing Authentication ? if not then try to create a normal rule:

 

Authentication Policy:

TWO factor Auth    : If (Wirless_802.1x)..........AND.....AllowProtocols: PEAP(or default network access)

 

Authorization Policy :

TWO factor AuthZ  :If (Identity Group name) AND Wireless_802.1x    then Permit access(or desired permission)

 

Regards

Dont forget to rate helpful posts

Go to solution
ittechk4u1
Level 4
Level 4
In response to Sandeep Choudhary

‎08-03-2018 04:27 AM

Thank you very much. Its working now.

 

Thanks again.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card