Enabling Mac-Based Authentication in Ap1200/Acs 3.2

k.mahmood
Level 1

Hi,

I am actually trying to get MAC authentication through our ACS 3.2 RADIUS server. My first question is that, as I have read an excellent conversation on the Cisco forum regarding MAC authentication, I have set up everything on ACS, from user setup, then added the MAC addresses without dots, like {00095ba3230c}, in all the required fields.

1. Do I need to set up the MAC address list in the AP1200, which is running IOS 12.3(2)JA? In the instructions, it says that once you put the MAC in the ACS, it will pass to the AP1200 automatically when the client device associates to the AP. But it does not happen here: if I set up a MAC filter list, then it works fine; if I don't, then the client does not get an IP address from the DHCP server.

Encryption is open with MAC and EAP.

I will be happy if someone could help me.

Here is the config from AP1200 below:

aaa new-model
aaa group server radius rad_eap
 server 193.x.x.165 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
 server 193.x.x.165 auth-port 1645 acct-port 1646
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server radius rad_eap2
 server 193.x.x.165 auth-port 1645 acct-port 1646
aaa group server radius rad_eap1
 server 193.x.x.165 auth-port 1645 acct-port 1646
aaa group server radius rad_mac2
 server 193.x.x.165 auth-port 1645 acct-port 1646
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authentication login eap_methods2 group rad_eap2
aaa authentication login eap_methods1 group rad_eap1
aaa authentication login mac_methods2 group rad_mac2
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 association mac-list 701
dot11 activity-timeout unknown default 300
dot11 aaa csid unformatted
dot11 network-map
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 1 key 1 size 128bit 7 xxxxx transmit-key
 encryption vlan 1 mode ciphers wep128
 !
 encryption vlan 161 key 2 size 128bit 7 xxxx transmit-key
 encryption vlan 161 mode ciphers tkip wep128
 !
 encryption vlan 168 key 2 size 128bit 7 xxx transmit-key
 encryption vlan 168 mode ciphers tkip wep128
 !
 broadcast-key vlan 1 change 300
 !
 broadcast-key vlan 161 change 300
 !
 broadcast-key vlan 168 change 300
 !
 !
 ssid trusted
    vlan 161
    authentication open eap eap_methods1
 !
 ssid untrusted
    vlan 168
    authentication open mac-address mac_methods2 eap eap_methods2
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 rts threshold 2312
 power local 50
 station-role root fallback shutdown
 l2-filter bridge-group-acl
!
ip radius source-interface BVI1
no logging trap
logging snmp-trap emergencies
logging snmp-trap alerts
logging snmp-trap critical
logging snmp-trap errors
logging snmp-trap warnings
access-list 701 permit 000c.41af.9511 0000.0000.0000
access-list 701 permit 0009.5ba3.230c 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff

I also do not see any good notes on how to set up MAC authentication through ACS 3.2.

regards

Khaleefa

5 Replies

dixho
Level 6

"Do I need to set up the MAC address list in the AP1200 which is running IOS 12.3(2)JA?"

No.

How do you set up the user profile in ACS? You need to set up a user with the user name and the password as the MAC address in the format xxxxxxxxxxxx.

If you have done that, is there any entry in the successful authentications and failed attempts?

Hi,

Many thanks for your reply.

I have done as you have just said, that is, taken off the MAC filter list from the AP1200. I can see the client pass the MAC authentication in the ACS logs.

It's working fine.

regards

Khaleefa

"You need to set up a user with the user name and the password as the MAC address in the format xxxxxxxxxxxx."

Will this work with Cisco ACS version 3.0? I tried entering the client MAC address into the ACS, but it came back with an error saying 'Can not have the username in the password'. Any idea?

setonhnet
Level 1

I think you are missing the line at the bottom of your config to define the RADIUS server and key. Did you set up a username and password under "Network Configuration" for the AP as a RADIUS client? If not, then under Failed Attempts on the ACS you'll see "Unknown NAS" error messages. The syntax for the radius-server command is as follows:

radius-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxxxx

I'm also doing MAC authentication with the same AP, but with FreeRADIUS.

Do you know how to configure the AP so that it sends as User-Name the MAC with dashes, e.g. e4356-a125-a2345-3556?

Thank you
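Added example, not code from any poster in this thread: a small Python check that pulls together the points raised above, reading a constructed AP1200-style config excerpt, listing which SSIDs rely on RADIUS MAC authentication, flagging whether a `radius-server host ... key` line is present (setonhnet's point), whether a local `dot11 association mac-list` filter is still active alongside the RADIUS method (the filter the original poster found he could remove), and converting the MACs in the access-list into the 12-hex-digit user name/password form dixho describes for ACS. The excerpt, IP address and MACs are constructed sample values; the normaliser accepts dotted, colon, dash and bare notations and rejects anything that is not exactly 48 bits.

```python
import re

# Constructed excerpt modelled on the posted AP1200 config (sample IP/MACs);
# the radius-server host line is deliberately absent, as in the original post.
AP_CONFIG = """\
aaa group server radius rad_mac2
server 192.0.2.165 auth-port 1645 acct-port 1646
aaa authentication login mac_methods2 group rad_mac2
dot11 association mac-list 701
interface Dot11Radio0
ssid trusted
vlan 161
authentication open eap eap_methods1
ssid untrusted
vlan 168
authentication open mac-address mac_methods2 eap eap_methods2
access-list 701 permit 000c.41af.9511 0000.0000.0000
access-list 701 permit 0009.5ba3.230c 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
"""

def to_acs_mac(mac: str) -> str:
    """Normalise dotted/colon/dash/bare MAC notation to the 12 lowercase hex digits ACS expects."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def audit_ap_config(config: str) -> dict:
    """Collect the facts the replies in the thread ask about."""
    lines = [line.strip() for line in config.splitlines()]
    mac_auth_ssids, current_ssid, acl_macs = [], None, []
    for line in lines:
        if line.startswith("ssid "):
            current_ssid = line.split(None, 1)[1]
        elif line.startswith("authentication open mac-address") and current_ssid:
            mac_auth_ssids.append(current_ssid)  # SSIDs relying on RADIUS MAC auth
        m = re.match(r"access-list \d+ permit (\S+) 0000\.0000\.0000", line)
        if m:  # local mac-list entry -> the ACS user that must exist for it
            acl_macs.append(to_acs_mac(m.group(1)))
    return {
        "mac_auth_ssids": mac_auth_ssids,
        # setonhnet's point: without this line the AP never reaches ACS
        "radius_key_configured": any(
            line.startswith("radius-server host") and " key " in line for line in lines),
        # dixho's point: the local list is redundant once ACS holds the MACs
        "local_mac_filter_active": any(
            line.startswith("dot11 association mac-list") for line in lines),
        "acl_macs_as_acs_users": acl_macs,
    }
```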
