802.1x mac based authentication

Similar Messages

• MAC-Based Authentication

  I am sorry if this has been asked before or it is the wrong place to ask this.
  I just want to know how secure is MAC-Based Authentication on an AP340 access-point (not bridge) with version 11.07.
  I've done this by adding 'Dest MAC Address' in 'Address Filters' under 'Association' in 'Setup'.
  Also selected 'Disallowed' for 'Default Unicast Address Filter' for all the relevant authentication types in 'Advanced' for 'AP Radio' of the 'Network Ports' in 'Setup'.
  Thanks for any suggestions.

  If an attacker has a network analizer, they can see the MAC address in use (even if WEP is being used as the MAC must not be encrypted)
  Some 802.11 NICs allow the user to configure a MAC address into the NIC.
  So the attacker *could*:
  1. observe a valid NIC in use
  2. program that MAC into their NIC
  3. Wait till the valid user has gone home
  4. Use the NIC they have programmed to access your network from the safty of the parking lot.
  LEAP or VPNs provide a much more secure solution

• 802.1x Machine Based Authentication - Password expired

  Hi,
  I would like to ask 1 question about machine based authentication on 802.1x.
  1.We are deploying 802.1x on wired user.
  2.Some user are using machine based authentication in order to authenticate their port.
  3.However, after the user password expired, the user need to change their password and then the machine are unable to authenticate. The error i got is "External DB user invalid or bad password". Then switch assign the user to Guest Vlan
  4.But, once i plug out the cable and plug in back the UTP cable after the user login, the switch will assigned the user to proper VLAN.
  5.User wont be able to access their share drive n etc since the guest vlan only have access to the internet.
  5.Anyone have any idea what is happening? It seems that the machine is sending the old password during authentication process to the ACS.
  Anybody can shed a light to me. Thanks.

  This should certainly work with that rev. On your passed (or failed) auth log, you should see the username of the session authenticating. If you see the FQDN of the machine, this is a machine auth. Also, machine-auth typically executes before the GINA is displayed to the user. It sounds like machine-auth is failing and we need to determine why. Has this machine been away from the domain for long?
  This also might help:
  http://supportwiki.cisco.com/ViewWiki/index.php/802.1x_authentication_with_Cisco_Secure_Access_Control_Server_fails_to_work_for_Microsoft_Windows_XP_PC

• 802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation

  I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the  802.1x compliant  windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
  Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
  Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
  Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
  If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
  The ports GI1/0./1 & Gi1/02 are configured thus:
  interface GigabitEthernet1/0/1
  switchport mode access
  switchport voice vlan 20
  authentication event fail action authorize vlan 4
  authentication event no-response action authorize vlan 4
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  mab
  mls qos trust cos
  dot1x pae authenticator
  spanning-tree portfast
  sh ver
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
  Full config attached. Assistance will be grately appreciated.
  Donfrico

  I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS but the IAS log shows a invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
  However, I am successfully using IAS to authenticate WPA users on AP1210s so RADIUS appears to be OK working OK.
  Are there special attributes that need to be configured on the switch or IAS?

• 802.1X Port Based Authentication Security Violation

  I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Micorsoft NPS Radius authentication on a test LAN. I have tested the authentication with a windows XP laptop, a windows 7 laptop with 802.1X, eap-tls authentication and a Mitel 5330 IP Phone using EAP-MD5 aithentication. All the above devices work with with the MS NPS server. However in MDA mode when the  802.1x compliant  windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and the goes into error sdisable mode.
  Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
  Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
  Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
  Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
  If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
  The ports GI1/0./1 & Gi1/02 are configured thus:
  interface GigabitEthernet1/0/1
  switchport mode access
  switchport voice vlan 20
  authentication event fail action authorize vlan 4
  authentication event no-response action authorize vlan 4
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  mab
  mls qos trust cos
  dot1x pae authenticator
  spanning-tree portfast
  sh ver
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
  Full config attached. Assistance will be grately appreciated.
  Donfrico

  I believe , you need to configure re-authentication on this switch port:
  ! Enable re-authentication
  authentication periodic
  ! Enable re-authentication via RADIUS Session-Timeout
  authentication timer reauthenticate server

• Help with 4506 802.1x Port Based Authentication (Wired)

  Hi all,
  I'm trying to configure wired 802.1x security on a Catalyst 4506 IOS 12.1.19(EW), using Microsoft IAS (Microsoft's RADIUS), and Windows 2000 SP4 clients.
  I've followed the procedures in the 4506 Software configuration guide and they seem to be straight forward.
  I then turn 802.1x Debugging on the switch to monitor the 802.1x traffic, but there is none. If I bring the configured interface down and then back up, I do get some status change, but it seems like the switch is not sending or receiving EAPOL frames.
  I then execute the dot1x "initialize" and also tried the "re-authenticate" commands, but I get an error saying that FastEthernet 2/2 is not a valid dot1x interface. The line card model number is WS-X4148-RJ21. Is the card not 802.1x compatible?
  The switch does not throw any errors when I configure FastEthernet 2/2 as a 802.1x port by executing
  dot1x port-control auto
  i've also configured the interface to be a plain L2 access port by executing
  switchport mode access
  any help will be appreciated!

  I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS but the IAS log shows a invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
  However, I am successfully using IAS to authenticate WPA users on AP1210s so RADIUS appears to be OK working OK.
  Are there special attributes that need to be configured on the switch or IAS?

• IEEE 802.1x Port based Authentication with Restricted VLAN

  Hi all,
  I have the following configuration:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization exec default local
  dot1x system-auth-control
  radius-server host 10.10.10.10 key cisco
  interface FastEthernet0/1
  switchport mode access
  authentication event fail retry 1 action authorize vlan 2
  authentication port-control auto
  dot1x pae authenticator
  spanning-tree portfast
  But it takes quite a while for the user who is not authorized to be switch to vlan 2.
  I would like to know what is best practice when using this kind of configuration  and if it is possible to optimize on how long it takes to switch the unauthorized user to the restricted VLAN?
  Regards,
  Laurent

  Laurent,
  Based on your configuration it looks as if it will take one retry attempt before the client is placed in vlan2. Try to remove the 'retry 1' from command and see if that speeds up the time. Also take the output of the 'show authentication sessions interface '. Please post the output of the 'debug radius authentication' as that will help to see how long it is taking the radius server to respond.
  thanks,
  Tarik Admani

• 802.1x MAC authentication

  Hi,
  I've been searching for the right solution for my problem on an on for the last week on this forum and other sites. I didn't get a clear answer so here I am posting it:
  Is it possible to do MAC-based authentication and VLAN assignement with 802.1x against a RADIUS server? _I know_ you will give me the VMPS solution wich I have already taken into consideration, but I will rather do it with 802.1x if it is possible for a number of reasons.
  I'm not looking to do port filtering (to allow only one MAC address defined in the switch). The switch should interogate the RADIUS server if the MAC has access and what VLAN should be placed on; all that by means of 802.1x. Can it be done?
  Thanx.
  Gabi.

  Yes, the switch will merely pass the 802.1x from the client to the Radius, the bulk of the configuration is done on the server. At the switch it's called "Using 802.1X with VLAN Assignment". Here is a link on a cat4000 on how to configure 802.1X with VLAN assignment:
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_25a/conf/dot1x.htm#wp1142124
  But you can find configuration guid on other platforms through UniverCD:
  http://www.cisco.com/univercd/home/home.htm
  And here is a link on Using a RADIUS Server to Assign Users to VLANs:
  http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1200/accsspts/b1237ja/i1237sc/s37vlan.htm#wp1038739

• IEEE 802.1x port-based authetication

  I want to configure IEEE 802.1x port-based authentication on cisco switches, preferable 2960 series. Which models support this feature?. I have try with some older switches but it doesn't works properly on everyone.
  I have upgraded them whitout better results, there is namely an issue with TLS handshaking on some switches which produces authentication to fail.

  Hi Claudia,
  do you mean that the EAP-TLS authentication fails only on some 2960 switches and it works on other 2960s?
  What is the IOS version you're using there?
  What is the RADIUS server in use?
  What is the exact error message you see on the RADIUS side?
  Usually, the reason for the EAP-TLS handshake failure is to be troubleshoot on the supplicant and AAA server, however, there may be something on the switch depending on the certificate size and MTU settings on the switch(es).
  What is the server cert size and the MTU configured on the switches?
  With the info you provided it's difficult to say what's the reason of this failure.
  I would suggest to start looking into the above mentioned topics, else you would need to proceed with deeper debugging and sniffer traces, which may be better/easier to handle through a TAC case.
  I hope this helps.
  Regards,
  Federico
  If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

• 802.1x Mac-Adress Based Authentication

  I am wondering if we are going to see or now have the ability to authenticate hosts on the lan with something other than a Username / Password? I am mostly concerned with ports on my network that the end device is a non 802.1x compliant device. Anyone have any insight as to what others are doing? Currently i am running ACS 3.3.2 and I am very succesful in deploying 802.1x to ports on my LAN, however we run a mix of unix based devices which are vendor supported and printers are another source of concern.

  We had pretty good luck using a Cold Fusion front end that forces users to authenticate with their AD credentials. It pulls the MAC address and host name and user/machine details and puts them in an ODBC database.
  We modified the sample stub routine to have the CSDB stub routine add the MAC to the local database in the PAP field.
  Kind of a nice compromise of identity and machine based authentication without the complexities of PEAP/EAP-FAST etc.

• How to configure a Cisco 3560 with MAC-based 802.1x authentication by radius server

  Hi dearI 
  How can I configure a Cisco 3560 to authenticate a client based on its mac address with 802.1x and radius server. Many tanks in advance!

  Olivier,
  You can't reference WLP visitor roles in weblogic.xml, but you can
  reference global roles (created using the WLS console):
  - <security-role-assignment>
  <role-name>PortalSystemAdministrator</role-name>
  <externally-defined />
  </security-role-assignment>
  -Phil
  "Olivier" <[email protected]> wrote in message
  news:[email protected]..
  >
  We need to have login page to our portal app.
  When using "form based" authentication is it possible to map the securityon a
  "entitlement role" ?
  Our need is to be abled to give direct url acces to some pages of theportal (for
  exemple by sending urls like"http://server/appcontextpath/appmanager/myportal/mydesktop?_nfpb=true&_page
  Label=mypage")"
  by email to portal users) and need a simple mecanism of authenticationbefore
  redirecting to the portal page.
  Inste

• 802.1x computer-based network authentication (machine certificate)

  Hello,
  I am using my MBP for work and want to connected to my work's network.
  We are using 802.1x network authentication, based on a computer certificate. I joined my computer to our Microsoft Active Directory and created a computer certificate, which I imported successfully to "System" store.
  Only "Error description" is, that my MBP tries to authenticate as "User".
  How do I configure my network settings, to use "computer-based authentication" and use the computer certificate?
  Regards,
  Ben

  Thanks, but in my case there is no administrator who send me that configuration profile. I have to create a configuration profile for myself.
  I could create a configuration profile for my client and basically it uses a computer certificate to authenticate with the network. But finally the process is cancelled by the client. I tried the steps at OS X Server: How To Configure RADIUS Server Trust in Configuration Profiles when using TLS, TTLS, or PEAP - Apple Suppor… but finally the authentication was cancelled by client, with error ".. server certificate not trusted"
  How should the computer certificate look like?
  Is there a manual for the CA template?
  Regards,
  Ben

• FlexConnect Access Point - Wired 802.1X or MAB Authentication

  Hi all,
  We are piloting wired 802.1X but have hit a snag - FlexConnect AP switchport configuration requires the port be configured as trunk, with the native VLAN for management and access VLAN(s) for client data.
  I know 802.1X cannot be configured on trunk port, but how can we configure MAB on trunk ports such as these?
  Otherwise, is there another way we can authenticate these FlexConnect APs on a switch using ISE?
  Thanks in advance.
  Regards,
  Stephen.

  Hi Stephen. You are correct, 802.1x should not be configured on a trunk port. Moreover, you would run into an issue with clients if you are running local switching mode. Here is the flow:
  1. AP, authenticates via MAB and profiling
  2. Client authenticates via PEAP/EAP-TLS, etc
  3. Now the client's traffic is locally switched, thus, the client mac address is showing on the same port where the AP is connected. The NAD (Switch) sees this new mac address and it is expecting it to perform 802.1x or MAB based authentication. The supplicant, however, does not know that and as far it is concerned it was already authenticated.
  So I have ran into this issue in my deployments and you have the following options (listed in preference order):
  1. Eliminate FlexConnect :)
  2. Utilize AutoSmartPorts where:
  - If an AP is connected, then 802.1x configuration is removed, port-security is enabled and locked to a single MAC address and trunk configuration is enabled
  - If the AP is removed, then port is configured as standard access port, port-security is removed and 802.1x is configured
  More info on auto smart ports:
  http://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/15-0_1_se/configuration/guide/asp_cg.html
  3. You can configure the port in a "multi-host" mode where after the first device is authenticated all subsequent devices are allowed on the network.
  Hope this helps!
  Thank you for rating helpful posts!

• 802.1X + MAC

  Hi all,
  Is there any resources that I could refer on if I want to do 802.1x & MAC
  authentication for a particular user via Cisco Secure ACS 4.2? Our
  management would like to have double authentication on the LAN whenever our
  staff wants to connect to network, they will need to authenticate first via
  802.1x and follows by MAC authentication after that. If 802.1x is ok but the
  MAC authentication is failed then, the staff will not even able to connect
  and they need to inform network administrator for help.
  Hopefully any one of you able to give me advices and guide.
  Thanks very much,
  Regards,

  Have you considered machine authentication, with machine access restrictions? If all your end clients are windows based you can leverage a group policy to force machine authentication. On your ACS setting you can enable machine access restrictions and force any client that authenticates with peap or eap-tls to fall under this condition.
  Thanks,
  Sent from Cisco Technical Support iPad App

• ActiveSync with Certificate-Based Authentication

  We are trying to setup ActiveSync with certificate-based authentication against Exchange 2010 SP2, but with no luck.
  What has been done so far:
  OWA over https works fine. A public, trusted certificate is in place.
  Setup ActiveSync against this Exchange server: works fine, using user name/password.
  Issued a user cert, signed with an internal CA, CA-cert successfully imported into al client devices.
  Created a new OWA-site with cert-based authentication (just to make sure it works), imported user certificate into a mac, visit this OWA site - cert-based authentication works fine.
  Now, with the configuration utility, created configuration profile with that user cert and an ActiveSync account, left password blank and chose the imported cert (p12) as authentication means.
  After installing that last profile the device keeps asking for a password and refuses to synchronize. Logs on the server show error 401.2, so I assume iPhone is ignoring the cert and is trying to use password-authentication instead.
  The devices tested were iPhone 3G with IOS 4 and iPad 2 with IOS 5.
  Any help will be greatly appreciated.
  Roman.

  No-one with this experience?
  We've done some network analysis (as much as was possible to decrypt) and could see, that the server sends an SSL-Alert (rejection?) to the client after the client presents the certificate.
  That explains why the client falls back to password-authentication, but it does not tell us why the server rejects the cert (that is accepted perfectly when accessed from a browser) in first place.