08-06-2003 11:15 AM - edited 07-04-2021 08:55 AM
The config file below is guaranteed to work.
I have an ACS 3.0 server doing the MAC authentication. So you have to take the MAC address that you want to allow, put the MAC in the user name and password fields in the ACS, and just load the AP with the config below and CHANGE the IP to yours or it will not work.
Please leave your comments, if this becomes popular I will start publishing different configs such as LEAP+MAC, LOCAL SERVER, WDS, HOT STANDBY, etc...
By the way, at the time of this message my AP1230 had 12.2(11)JA and my 350 client had 5.20.17, so take the time to update the firmware.
God bless America and Good luck!
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GOM_1200IOS
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.1.2.197 auth-port 1812 acct-port 1812
!
aaa group server radius rad_mac
server 10.1.2.197 auth-port 1812 acct-port 1812
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius wlccp_rad_infra
!
aaa group server radius wlccp_rad_eap
!
aaa group server radius wlccp_rad_leap
!
aaa group server radius wlccp_rad_mac
!
aaa group server radius wlccp_rad_any
!
aaa group server radius wlccp_rad_acct
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
aaa authentication login wlccp_infra group wlccp_rad_infra
aaa authentication login wlccp_eap_client group wlccp_rad_eap
aaa authentication login wlccp_leap_client group wlccp_rad_leap
aaa authentication login wlccp_mac_client group wlccp_rad_mac
aaa authentication login wlccp_any_client group wlccp_rad_any
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network wlccp_acct_client start-stop group wlccp_rad_acct
aaa session-id common
enable secret 5 xxxxx
!
username xxxx password xxxxx
ip subnet-zero
!
iapp standby timeout 5
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption key 1 size 40bit xxxxx transmit-key
!
ssid GOM_1230
authentication open mac-address mac_methods
!
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
channel 2462
station-role root
no cdp enable
dot1x reauth-period server
dot1x client-timeout 600
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no cdp enable
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address xxx.xxx.220.45 255.255.255.0
no ip route-cache
!
ip default-gateway 10.250.220.254
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
no cdp run
snmp-server community GOM_AP1230 RO
snmp-server enable traps tty
radius-server local
group AP1230
!
user xxxxx nthash 7 xxxxx group AP1230
!
radius-server host 10.1.2.197 auth-port 1812 acct-port 1812 key 7 01342929
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
!
line con 0
line vty 5 15
!
end
08-08-2003 11:00 AM
Where in the world did you find out that the MAC was also the password? I've been beating my head against the wall for 2 days trying to get that to work with Microsoft IAS... Thanks!
08-13-2004 05:18 AM
You can refer to this document. (CISCO AIRONET 1200 SERIES - Security Setup) Look at the "Setting Up MAC-Based Authentication" section.
The screen shots are from the old VxWorks interface but the ACS setup applies.
Bobby C.
08-15-2004 09:42 PM
Yes, I also went through the same process recently with Cisco ACS and the AP configuration.
You cannot find detailed documentation on any of the AP1100 or AP1200 configuration. You must look at the AP350 configuration notes, and there it is all spelled out (for configuration of the ACS). Should be similar for other "RADIUS" servers. Use the MAC address as PW and UserID. (For ACS you have to turn off one of the security settings, as it typically disallows this.)
Please also refer to the following for the AP1200 AAA/RADIUS MAC authentication with a RADIUS server.
aaa group server radius SG_rad_mac
server aa.bb.cc.dd auth-port 1645 acct-port 1646
aaa authentication login sg_mac_methods group SG_rad_mac
int dot11radio0
ssid ABC
vlan xxx
authentication open mac-address sg_mac_methods alternate eap sg_eap_methods
authentication network-eap sg_eap_methods
May the Force be with you.
Regards
Ken Jones
08-18-2004 03:40 PM
Also note that I found a small tidbit of information buried in Cisco docs that says when you enter a MAC address in ACS or any user database, to enter the letters of the MAC as lowercase.
Don't know why, it just seems to work best this way.
08-31-2004 12:01 AM
Is there a special syntax for writing the MAC address?
Should I put in dots or dashes? e.g. aa-aa-aa-aa-aa-aa or aaaa.aaaa.aaaa
08-31-2004 04:50 AM
dots should work!
09-14-2004 04:58 AM
I thought the proper way to do MAC authentication was to use ACLs with ACS? I haven't done a lot of research, but am going to have to do this as soon as I get my ACS from the vendor. If you use a username and password of the MAC address, what keeps someone from spoofing the username and password?
Thanks
09-14-2004 10:06 AM
Hello there,
Under ACS, you still need to create a user with a password as you normally do, and then create another user using the MAC address for name and password.
The client has to authenticate with user name, password and MAC.
If they spoof the MAC they still need to know the user name and password.
Regards,
Gil
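What the posts above describe, put into one runnable picture: the first post's recipe (an ACS user whose name and password are both the client MAC), the later posts' questions about lowercase and dots versus dashes, and the 09-14 exchange about spoofing. This is an added example written for this page, not code from any of the posters or from Cisco. It builds the RADIUS Access-Request that an IOS AP configured with `authentication open mac-address` is assumed to send (client MAC as User-Name and as User-Password, the latter hidden per RFC 2865 section 5.2), then evaluates it the way a server holding username=password=MAC entries would. Assumptions: the AP sends the MAC as twelve lowercase hex digits with no delimiters (that is why `normalize_mac` accepts any of the spellings asked about and emits that form); the shared secret, the client MACs and the NAS IP address are constructed, since the thread's key and BVI1 address are redacted; NAS-Identifier carries the hostname from the first post's config because of `radius-server attribute 32 include-in-access-req format %h`; Calling-Station-Id is included as a typical attribute, not one the page shows.

```python
import hashlib
import os
import re
import struct
from typing import Dict, Optional

# Constructed values (not from the thread): the shared secret on the page is
# redacted, so an arbitrary one is used here; the NAS IP is a documentation
# address standing in for the AP's redacted BVI1 address.
SHARED_SECRET = b"example-shared-secret"
NAS_IP = "192.0.2.45"
NAS_ID = "GOM_1200IOS"   # hostname from the first post; sent via attribute 32 format %h

# RADIUS attribute types and packet code (RFC 2865).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CALLING_STATION_ID, NAS_IDENTIFIER = 31, 32
ACCESS_REQUEST = 1


def normalize_mac(text: str) -> str:
    """Return a MAC as twelve lowercase hex digits with no delimiters.

    Accepts aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff and aabbccddeeff
    in either case. Assumption: this is the form the AP puts in User-Name and
    User-Password, so it is the form the ACS entry must be stored in.
    """
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide, as the RADIUS server performs it."""
    plain, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")


def attribute(type_code: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_mac_auth_request(mac_text: str, secret: bytes, identifier: int = 1,
                           authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request as an AP doing 'authentication open mac-address' is assumed
    to send it: the client's MAC is both User-Name and (hidden) User-Password."""
    mac = normalize_mac(mac_text).encode()
    authenticator = authenticator or os.urandom(16)   # Request Authenticator
    attrs = (attribute(USER_NAME, mac)
             + attribute(USER_PASSWORD, pap_hide(mac, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
             + attribute(CALLING_STATION_ID, mac)
             + attribute(NAS_IDENTIFIER, NAS_ID.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLVs after the 20-byte header into {type: value}."""
    attrs, pos = {}, 20
    total = struct.unpack("!H", packet[2:4])[0]
    while pos < total:
        type_code, length = packet[pos], packet[pos + 1]
        attrs[type_code] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def server_accepts(packet: bytes, secret: bytes, users: Dict[str, str]) -> bool:
    """What a server with username == password == MAC entries does: look up
    User-Name, reveal User-Password with the shared secret, compare."""
    if packet[0] != ACCESS_REQUEST:
        return False
    authenticator = packet[4:20]
    attrs = parse_attributes(packet)
    expected = users.get(attrs[USER_NAME].decode("ascii", "replace"))
    if expected is None:
        return False
    return pap_reveal(attrs[USER_PASSWORD], secret, authenticator) == expected.encode()


# Constructed ACS-style entries: MAC as both name and password, lowercase, no delimiters.
ACS_USERS = {normalize_mac(m): normalize_mac(m)
             for m in ("00-40-96-25-B4-EC", "0040.9625.b4ed")}

if __name__ == "__main__":
    request = build_mac_auth_request("00:40:96:25:B4:EC", SHARED_SECRET)
    print("allowed client accepted:", server_accepts(request, SHARED_SECRET, ACS_USERS))
```

Two things the code makes visible that the prose only implies. First, the delimiter question is settled at the AP, not at the server: whatever spelling an administrator types into ACS has to equal the string the AP emits, so storing the normalized lowercase form is the safe choice. Second, both credential fields are computed from the client's MAC alone; the only secret in the exchange is the AP-to-server shared key, which the wireless client never needs to know. A station presenting a copied MAC therefore produces an identical Access-Request, which is the spoofing concern raised in the 09-14 posts and why the reply there pairs MAC authentication with a separate user/password login.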
09-14-2004 10:28 AM
thanks