PEAP with MAC

gustavo.pena
Level 1

Hi,

I'd like to know if there is a way to authenticate using a username with PEAP and, in addition, restrict access by the station MAC address. I'm using 1230 APs with Cisco Secure ACS authenticating with MS AD.

Thanks in advance

3 Replies

Vinay Saini
Cisco Employee

Hi,

Do you have the unified solution with controllers?

If yes, it's very simple: just create an SSID with WPA/WPA2; on the security page you will find the MAC filter checkbox, just click that.

When both 802.1x and MAC filtering are enabled, it first checks for MAC; if the MAC is added to the list, it will go for 802.1x auth via RADIUS.

Thanks

Vinay

Thanks Vinay

No, I don't have the unified solution; I have standalone APs (1230) and I'm using PEAP with ACS.

Is there a way to do the same on the standalone APs?

Yes, very well possible on autonomous. Just select "Open auth with MAC and EAP" from the SSID page.

For CLI, here is the sample config (WPA2 + local MAC):

Building configuration...

Current configuration : 2517 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$SJ3D$ztXO0VxAG0aOnjCZqVDov.
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 9.42.24.53 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid vinay-test
 authentication open mac-address mac_methods eap eap_methods1
 authentication network-eap eap_methods1 mac-address mac_methods
 authentication key-management wpa version 2
!
!
!
username Cisco password 7 123A0C041104
username 001d7e032db3 password 7 1159495413450E5C57782F267B
username 001d7e032db3 autocommand exit
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid vinay-test
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 9.42.24.53 auth-port 1645 acct-port 1646 key 7 01000307490E12
radius-server vsa send accounting
bridge 1 route ip
!
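To check a pasted autonomous-AP config for the combination Vinay describes (MAC filter plus EAP on the same SSID, with the MAC list resolved to a local or RADIUS method), here is an added Python audit script; it is not from the thread or from Cisco, it expects IOS-style single-space indentation under `dot11 ssid` stanzas, and the second SSID (`guest-weak`) and second MAC entry in its sample are constructed to exercise the negative case.

```python
import re
# Constructed sample: the aaa/ssid/username lines from the thread's config, plus a
# second SSID ("guest-weak") and a second MAC entry added here for the audit.
SAMPLE_CONFIG = """\
aaa authentication login eap_methods1 group rad_eap1
aaa authentication login mac_methods local
dot11 ssid vinay-test
 authentication open mac-address mac_methods eap eap_methods1
 authentication network-eap eap_methods1 mac-address mac_methods
 authentication key-management wpa version 2
dot11 ssid guest-weak
 authentication open
username 001d7e032db3 password 7 1159495413450E5C57782F267B
username 001d7e032db3 autocommand exit
username 0011aabbccdd password 7 PLACEHOLDER
"""

def method_lists(cfg):
    # Map each 'aaa authentication login' list name to its method string.
    return dict(re.findall(r"^aaa authentication login (\S+) (.+)$", cfg, re.M))

def ssid_blocks(cfg):
    # Collect the indented sub-commands under each 'dot11 ssid' stanza.
    return {name: [l.strip() for l in body.splitlines()]
            for name, body in re.findall(r"^dot11 ssid (\S+)\n((?: .*\n)*)", cfg, re.M)}

def audit_ssid(lines, lists):
    # Report whether an SSID enforces MAC filtering and EAP, and via which lists.
    mac = eap = None
    for l in lines:
        toks = l.split()
        if toks[0] != "authentication":
            continue
        if "mac-address" in toks:
            mac = toks[toks.index("mac-address") + 1]
        if "eap" in toks:
            eap = toks[toks.index("eap") + 1]
        elif toks[1] == "network-eap":
            eap = toks[2]
    return {"mac_filter": mac is not None, "mac_method": lists.get(mac),
            "eap": eap is not None, "eap_method": lists.get(eap),
            "wpa2": any("key-management wpa version 2" in l for l in lines)}

def mac_users(cfg):
    # Local MAC-style usernames -> whether 'autocommand exit' is set, as the thread's
    # config does for its MAC entry (treating that as the convention is an assumption).
    users = {}
    for name, rest in re.findall(r"^username ([0-9a-f]{12}) (.+)$", cfg, re.M):
        users[name] = users.get(name, False) or rest.startswith("autocommand exit")
    return users
```

Run `audit_ssid(ssid_blocks(cfg)[name], method_lists(cfg))` for each SSID and `mac_users(cfg)` over a `show running-config` capture to see which SSIDs actually require both checks.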
