802.1X authentication with MAC address
Hi guys,
There is a strange requirement from one of our customers: they want us to do 802.1X with MAC address authentication, and they don't want the pop-ups which ask for username, password and domain.
Is it possible?
Can I avoid popping up the username and password prompt with 802.1X, and that too with a MAC address?
Any help would be greatly appreciated.
Thanks
Jvalin
Hi,
The feature you are looking for is possible in the case of wired 802.1X. This feature is called MAC-Auth Bypass and is done mostly if the client machine is not 802.1X capable. However, nowadays it is used even if the machine is 802.1X capable. In this we enter the MAC address of the machine in the user database, e.g. Active Directory. When you connect the client machine to the switch, if we have MAC-Auth Bypass enabled on the port, it would take the MAC address of the machine as the username without any prompt for username and password.
A Windows server admin can easily push a group policy which disables 802.1X on the client machine, and it would then only respond to MAC-Auth Bypass. But first you would have to make sure your switch has MAC-Auth Bypass in its IOS.
For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
Regards,
Kush
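What the switch actually sends when MAC-Auth Bypass is enabled, as an added example that is not part of Kush's reply or of any Cisco document: the RADIUS Access-Request for a MAB attempt and the server-side check of it, in Python. The shared secret, MAC address and NAS IP are made up; the attribute formats (User-Name and User-Password both set to the MAC as 12 lowercase hex digits, Calling-Station-Id dashed and uppercase, Service-Type Call-Check) are the Cisco IOS defaults for MAB, and the packet framing and password hiding follow RFC 2865. Note what the check can and cannot establish: the only credential is the client's own MAC, which any host can set, so MAB identifies a device that claims a MAC, not a user.

```python
"""Added example, not from the original thread: what a MAB Access-Request carries.

Builds the RADIUS Access-Request a MAB-enabled switch sends (RFC 2865 framing, PAP
User-Password hiding with the shared secret) and shows how the server recovers and
checks it. Shared secret, MAC and NAS IP below are constructed for the example.
"""
import hashlib
import os
import struct

# RADIUS code and attribute types (RFC 2865)
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SERVICE_TYPE, CALLING_STATION_ID, NAS_PORT_TYPE = 6, 31, 61
SERVICE_TYPE_CALL_CHECK = 10      # Service-Type value a MAB request carries
NAS_PORT_TYPE_ETHERNET = 15


def mab_username(mac: str) -> str:
    """IOS default MAB User-Name: 12 lowercase hex digits, no separators (001122aabbcc)."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only a server holding the same shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    """One TLV attribute: type, total length, value."""
    return struct.pack("!BB", t, 2 + len(value)) + value


def build_mab_request(mac: str, secret: bytes, nas_ip: str, ident: int = 1,
                      authenticator: bytes = b"") -> bytes:
    """Access-Request as a MAB switch sends it: User-Name == User-Password == the MAC."""
    authenticator = authenticator or os.urandom(16)
    user = mab_username(mac)
    calling = "-".join(user[i:i + 2] for i in range(0, 12, 2)).upper()   # IOS default format
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(user.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + attr(CALLING_STATION_ID, calling.encode())
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    return header + attrs


def parse_request(packet: bytes) -> dict:
    """Minimal server-side parse: code, identifier, authenticator and attributes by type."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def mab_decision(packet: bytes, secret: bytes, allowed_macs: set) -> bool:
    """Accept only a Call-Check request whose User-Name, User-Password and Calling-Station-Id
    all name the same MAC, and that MAC is on the allow-list. That is all MAB can verify:
    the MAC is self-reported by the client and trivially spoofed."""
    req = parse_request(packet)
    a = req["attrs"]
    if req["code"] != ACCESS_REQUEST or a.get(SERVICE_TYPE) != struct.pack("!I", SERVICE_TYPE_CALL_CHECK):
        return False
    user = a[USER_NAME].decode("ascii", "replace")
    password = reveal_password(a[USER_PASSWORD], secret, req["authenticator"]).decode("ascii", "replace")
    calling = mab_username(a[CALLING_STATION_ID].decode("ascii", "replace"))
    return user == password == calling and user in allowed_macs
```

The same decision shape applies whatever the server is: ACS, ISE or an AD-backed NPS simply looks the MAC up as a user whose password equals its name, which is why the answer says the MAC goes into the user database. Anything stronger (a device certificate, a posture check) needs a real supplicant, not MAB.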
Similar Messages
-
Domain authentication with MAC address restrictions
I am in a branch office and I have one WLC 5508 and one ACS 4.2 with three WLANs:
WLAN1 with SSID1: for company computers and laptops
WLAN2 with SSID2: for iPads and tablets
WLAN3 with SSID3: for guests
I am asked to configure WLAN2 as "WLAN2: Provides the Wi-Fi connectivity to iPads and tablets, with back-end security using domain authentication with MAC address restrictions."
You would need to create a separate policy and be able to have a separation between the two policies... It's kind of hard to explain, but you would have, for example:
Policy 1:
Wireless user on this SSID WLAN1
AD on this AD Group (Machine)
Policy 2:
Wireless user on this SSID WLAN2
AD on this AD Group (User)
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"***** -
802.1X authentication with ACS 4.1 for Mac OS X
Hi,
I simply wanted to know if it's possible to have 802.1X authentication with Mac OS X on the ACS 4.1 platform?
If yes, what is required on ACS and Mac OS X? Which authentication methods are recommended?
I'm sorry, but I can't find documents which show validated tests of 802.1X implementation methods on ACS 4.1 with the Mac OS X supplicant.
Thanks in advance
Best regards
Thanks
Yes, refer to the doc below:
http://support.apple.com/kb/HT2717
Port settings and ACS configuration remain the same as you do for Windows-based clients -
WLC+LAP+ACS 4.0 achieving 802.1x PEAP and MAC address authentication?
How to configure WLC + LAP + ACS 4.0 to achieve username/password authentication and MAC address authentication at the same time?
This might help with the PEAP:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00807917aa.shtml
MAC Authentication
Add a MAC Address to ACS
Complete these steps:
1. From the ACS main menu, click on the User Setup button.
2. In the User text box, enter the MAC address to add to the user database.
Note: The MAC address must be exactly as it is sent by the AP for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is being reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.
3. On the User Setup screen, enter the MAC address in the Secure-PAP password text box.
4. Check the Separate (CHAP/MS-CHAP) box.
5. Enter a password for CHAP/MS-CHAP (this password should be different from the MAC address).
6. Click Submit. -
Cisco Aironet 1042 with MAC address
Hi,
I have a Cisco Aironet, model AIR-AP1042N-E-K9.
I need to configure the AP to only allow certain MAC addresses access.
I'm doing the configuration through the console.
The wireless network is not showing up on devices; does anyone know why?
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap_disi
logging rate-limit console 9
enable secret 5 xxxxx.
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
! mac_methods is a local list, but no "username <mac> password <mac>" entries exist below,
! so every MAC authentication against it fails
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
no ip routing
no ip cef
dot11 syslog
! neither SSID has "guest-mode", so neither is included in beacons; that is why the network
! does not appear in client scan lists (one SSID per radio may be guest-mode)
dot11 ssid DISI-WLAN24
authentication open
dot11 ssid DISIWIFI
authentication open mac-address mac_methods
! WPA2 key management without "wpa-psk ascii ..." or an EAP method has no key source, so the
! 4-way handshake cannot complete even when the open/MAC authentication succeeds
authentication key-management wpa version 2
! infrastructure-ssid is for repeater/bridge links, not for client access
infrastructure-ssid
dot11 guest
username Cisco password 7 xxxx
username Admin privilege 15 password 7 xxxx
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid DISI-WLAN24
ssid DISIWIFI
antenna gain 0
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
station-role root
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
description AP SITAS
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid DISIWIFI
antenna gain 0
peakdetect
no dfs band block
speed basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
l2-filter bridge-group-acl
no keepalive
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.0.252 255.255.254.0
no ip route-cache
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ip default-gateway 192.168.1.254
ip forward-protocol nd
! management is plaintext HTTP with HTTPS disabled; prefer "ip http secure-server" and "no ip http server"
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
! this MAC list is defined but never applied; "dot11 association mac-list 700" enforces it
! on associations (it permits one station and denies everything else)
access-list 700 permit 8830.8a24.7eb5 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
snmp-server view dot11view ieee802dot11 included
! the default read-only community "public" is well known; change it and restrict it by ACL
snmp-server community public view dot11view RO
snmp-server location DISI
snmp-server contact SITAS
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
snmp-server host 192.168.1.6 public
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
! "transport input all" admits Telnet; "transport input ssh" limits management to SSH
transport input all
sntp server 192.168.1.215
sntp broadcast client
end
Please refer: http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-4-25d-JA/Configuration/guide/cg_12_4_25d_JA/scg12-4-25d-JA-chap16-filters.html#wp1034897
-
802.1X Authentication with InTouch
Dear Community,
does anybody know if/when it's possible to use 802.1X authentication with the TelePresence InTouch 10?
It works perfectly on the C/SX codecs, and as long as the panels are connected directly to the codec there is no issue. But on some codecs direct pairing is not possible, and therefore I would need 802.1X authentication from the panels themselves.
Thanks in advance!
Best regards
Alex
Hello!
We've just launched an Ask the Expert event on 802.1x
https://supportforums.cisco.com/discussion/12463991/ask-expert-8021x-configuring-and-troubleshooting-javier-henderson
Perhaps post your question with Javier as well!
Thank you! -
Palm Vx won't sync with Mac Address Book
I am trying to sync my Palm Vx with the Mac Address Book. Changes or entries made in Address Book show up on the Palm, but changes or entries made on the Palm don't show up in Address Book. Everything else syncs just fine.
The conduit settings read as follows:
Voice Memo: Synchronize
Note Pad: Synchronize
Memo Pad: Synchronize
Media: Synchronize
iSync Conduit: See Conduit Settings (Enable iSync for this Palm device is checked)
Install: Install Files
Backup: Backup
I'm not sure what I need to do. Any suggestions?
Additional info:
iSync Version 2.3 (500.86)
Palm Vx
Mac OS X (10.4.8)
Address book version 4.0.4
HotSync Manager V 3.2
I hope it's OK to join my problem to this post...
I have a very similar problem, where all my contacts were deleted from my computer's Address Book and transferred (not synced) to the iPhone.
Is there a fix...
Thanks -
Aironet 1100 authentication open mac-address problems
I have a new C1100 series that is running 12.2(4). I am trying to get mac-address authentication to use my RADIUS Server (Funk SBR). I think I am close, but I have been close for about 12 hours now.
I am using an SSID on the Dot11Radio0 interface...
interface Dot11Radio0
no ip address
no ip route-cache
ssid INTECUSA
! "mac-address sbr" names an *authentication login* method list
authentication open mac-address sbr
ssid tsunami
authentication open
guest-mode
...and I THINK I have the sbr list correctly defined.
aaa group server radius default
server 158.155.25.201 auth-port 1812 acct-port 1813
! this defines an *authorization network* list called sbr, not an "aaa authentication login sbr"
! list; the SSID's lookup for a login list named sbr finds nothing (method_index 0xFFFFFFFF
! in the debug below), so no RADIUS packet is ever built
aaa authorization network sbr group radius
radius-server host 158.155.25.201 auth-port 1812 acct-port 1813
...The RADIUS server is up and responding to client requests.
...and it looks as though the 1100 is trying to do the right thing, but I don't think I have the sbr method list correctly defined. I don't see any traffic actually go out over the network. Here are the debug messages...
CiscoCS1100#show debug
General OS:
AAA Authorization debugging is on
AAA Accounting debugging is on
dot11 aaa:
Mac Authentication debugging is on
Accounting debugging is on
(now I plug a card into a laptop)
06:51:07: AAA/ACCT/EVENT/(0000013D): CALL START
06:51:07: AAA/ACCT/NET(0000013D): Rec init, Session Id=126
06:51:07: dot11_aaa_mac_auth: method_list: sbr
06:51:07: dot11_aaa_mac_auth: method_index: 0xFFFFFFFF, req: 0x64EA28
06:51:07: dot11_aaa_mac_auth: client->unique_id: 0x13D
06:51:07: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
06:51:07: dot11_aaa_upd_accounting: Updating attributes for user: 000c.3002.1f57
Thanks,
Bryan
Thanks for the reply David, but there are no packets going out on the network to the AAA server. Also I think the debug messages I included were incomplete. I just tried to access the network (no settings were changed). Here is the debug output. The message...
*21:01:28: AAA/ACCT/NET(00000155): Method list not foundfailed; Cleaning the record up*
Is why I think I am messing up. Again no traffic on the Ethernet side of the 1100 going to the RADIUS server.
21:01:28: AAA/ACCT/EVENT/(00000155): CALL START
21:01:28: AAA/ACCT/NET(00000155): Rec init, Session Id=150
21:01:28: dot11_aaa_mac_auth: method_list: sbr
21:01:28: dot11_aaa_mac_auth: method_index: 0xFFFFFFFF, req: 0x7AB8DC
21:01:28: dot11_aaa_mac_auth: client->unique_id: 0x155
21:01:28: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
21:01:28: dot11_aaa_upd_accounting: Updating attributes for user: 000c.3002.1f57
21:01:28: AAA/ACCT/EVENT/(00000155): CALL STOP
21:01:28: AAA/ACCT/CALL STOP(00000155): Sending stop requests
21:01:28: AAA/ACCT(00000155): Sending stop record for NET
21:01:28: AAA/ACCT/NET(00000155): Method list not foundfailed; Cleaning the record up
21:01:28: AAA/ACCT(00000155):acctdb->rec_count = 0..sending signal
21:01:28: AAA/ACCT(00000155): Interface DB not enqueuedsuccess
21:01:29: dot11_mac_auth_process: remove 000c.3002.1f57 from mac hold list
Thanks again,
Bryan -
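Reading the failure out of the debug lines Bryan posted, as an added example that is not part of the thread: a small parser over the dot11 aaa and AAA accounting debug output that reports the method list the SSID asked for, whether IOS resolved it (method_index 0xFFFFFFFF is the "not found" value, which the accounting line "Method list not found" confirms) and the per-client result. SAMPLE_DEBUG is copied from the posted output; the explanation text reflects that `authentication open mac-address <list>` on an autonomous AP refers to an `aaa authentication login <list>` definition, while the posted config defines `sbr` only as an `aaa authorization network` list.

```python
"""Added example, not from the original thread: pulling the diagnosis out of AP AAA debug.

Reads "debug dot11 aaa mac-authen" / "debug aaa accounting" lines such as the ones posted
and reports the method-list name, whether IOS resolved it, and the per-client result.
SAMPLE_DEBUG is a constructed copy of the posted lines, not a live capture.
"""
import re

SAMPLE_DEBUG = """\
21:01:28: AAA/ACCT/EVENT/(00000155): CALL START
21:01:28: AAA/ACCT/NET(00000155): Rec init, Session Id=150
21:01:28: dot11_aaa_mac_auth: method_list: sbr
21:01:28: dot11_aaa_mac_auth: method_index: 0xFFFFFFFF, req: 0x7AB8DC
21:01:28: dot11_aaa_mac_auth: client->unique_id: 0x155
21:01:28: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
21:01:28: dot11_aaa_upd_accounting: Updating attributes for user: 000c.3002.1f57
21:01:28: AAA/ACCT/NET(00000155): Method list not foundfailed; Cleaning the record up
21:01:29: dot11_mac_auth_process: remove 000c.3002.1f57 from mac hold list
"""

METHOD_LIST = re.compile(r"dot11_aaa_mac_auth: method_list: (\S+)")
METHOD_INDEX = re.compile(r"dot11_aaa_mac_auth: method_index: 0x([0-9A-Fa-f]+)")
REPLY = re.compile(r"dot11_mac_process_reply: AAA reply for ([0-9a-f.]+) (\w+)")
ACCT_MISSING = re.compile(r"AAA/ACCT/\w+\(\w+\): Method list not found")
NOT_FOUND = 0xFFFFFFFF          # -1: IOS could not resolve the named list


def diagnose(lines) -> dict:
    """Walk the debug output once and collect the fields that decide the diagnosis."""
    report = {"method_list": None, "method_index": None, "unresolved": False,
              "mac": None, "result": None, "acct_method_list_missing": False}
    for line in lines:
        if m := METHOD_LIST.search(line):
            report["method_list"] = m.group(1)
        elif m := METHOD_INDEX.search(line):
            report["method_index"] = int(m.group(1), 16)
            report["unresolved"] = report["method_index"] == NOT_FOUND
        elif m := REPLY.search(line):
            report["mac"], report["result"] = m.group(1), m.group(2)
        elif ACCT_MISSING.search(line):
            report["acct_method_list_missing"] = True
    return report


def explain(report: dict) -> str:
    """Turn the collected fields into the thing to fix."""
    if report["unresolved"]:
        return (f"method list {report['method_list']!r} was not resolved: "
                "'authentication open mac-address <list>' needs an "
                "'aaa authentication login <list>' definition; an 'aaa authorization network' "
                "list of the same name does not count, and no RADIUS packet is sent because "
                "no server group was selected")
    if report["result"] == "FAILED":
        return (f"list resolved; the RADIUS server rejected {report['mac']}: "
                "check its failed-attempts log for the username format it received")
    return "no MAC-authentication failure seen"
```

Run `explain(diagnose(SAMPLE_DEBUG.splitlines()))` on the posted output and the answer is the unresolved list, which is also why nothing ever leaves the Ethernet side: the AP never got as far as choosing a server group.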
Controller detected its IP address by machine with MAC address
Hi
I am getting the error "Controller detected its ip address x.x.x.x using my machine with MAC address xx:xx:xx:xx:xx:xx" when I upgrade my Cisco Wireless Controller 5508 from 7.0.116.0 to 7.4.110.0. Any suggestion?
Regards
Hi Mohammed,
Do you have more than one controller?
Could be:
1. The error suggests that it has detected a duplicate address (its management IP address on the WLC) in use by a client with the MAC address xx:xx:xx:xx:xx:xx.
Please check the management interface IP on each controller.
2. Looks like you enabled LAG on the controller?
Meaning you have connected more than one port from your controller to different switches.
regards -
Does WebLogic 8.1 SP4 map to the MAC address while installing?
I have an issue with WebLogic which is running currently: I have decided to copy the dump to a different system and run it. Will this work? Does the new system require the same IP address and MAC address (physical address) as the old system? Is the WebLogic 8.1 installation mapped to the MAC address? Please answer.
Hi,
The license.bea file includes the IP addresses that are authorized. This is not MAC sensitive. If you are not transitioning your IP address to the new system, you will need a new license.bea file. Either use elicense.bea.com or open a support case for this.
Regards,
-Adrian -
802.1x Authentication with Windows and Mac
Hello Team;
I have one SSID configured with 802.1X. The clients with Mac machines can directly join the network by just entering the AD username and password. For the Windows machines we need to do some configuration on the client machines to work with the SSID.
Could you please clarify? Will the Windows machines just work like the Mac, or is the preconfiguration mandatory for Windows to work with 802.1X?
Hello Sreejith,
As per your query I can suggest the following steps:
No, the preconfiguration is not mandatory for Windows to work with 802.1X. To enable 802.1X authentication on wireless, follow these steps:
1.Open Manage Wireless Networks by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then, in the left pane, clicking Manage wireless networks.
2.Right-click the network that you want to enable 802.1X authentication for, and then click Properties.
3.Click the Security tab, and then, in the Security Type list, click 802.1X.
4.In the Encryption Type list, click the encryption type you want to use.
On wireless networks, 802.1X can be used with Wired Equivalent Privacy (WEP) or Wi‑Fi Protected Access (WPA) encryption.
5.In the Choose a network authentication method list, click the method you want to use.
To configure additional settings, click Settings.
Hope this will help you. -
PEAP authentication with MAC filtering
Hi,
I have an SSID which requires MAC filtering as the first level of security and RADIUS authentication as well. I have done the necessary configuration in ACS and WLC. In ACS, the rule for MAC filtering is taking a hit, but the users are not asked for credentials. The wireless association also fails. The MAC addresses are saved in the End Station filter on ACS.
The attached document has the complete configuration which I performed. Please let me know what I am missing here. Thank you.
Regards,
Madhan kumar G
Hi,
as per maldehne you have to play with the service type.
check this discussion: http://goo.gl/R9E8ae
To the authentication policy you have to add a 'service type' attribute and check based on that attribute.
based on maldehne as per the past discussion, the service type value in the rule condition should be:
For MAC filtering: the value should be Call Check
For 802.1x: the value should be Framed
Note that the MAC filter rule should come first.
Hope this helps.
Regards,
Amjad -
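A small model of the rule ordering Amjad describes, as an added example that is not part of the thread and not ACS code: requests are matched against an ordered rule list on Service-Type, a Call-Check request is sent to a MAC (end-station) list and a Framed request to the user store. The MACs, user names and rule names are constructed; the second policy shows what a rule without a Service-Type condition does when it sits first.

```python
"""Added example, not part of the original thread: an ordered AAA rule set keyed on Service-Type.

Models the policy shape described in the answer: a MAC-filter rule matching Service-Type
Call-Check (10) evaluated first, then an 802.1X rule matching Framed (2) that consults the
user store. Requests, end-station MACs and the AD user list are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

CALL_CHECK, FRAMED = 10, 2   # RFC 2865 Service-Type values (MAC filtering vs 802.1X)


@dataclass(frozen=True)
class Request:
    service_type: int
    user_name: str
    calling_station_id: str
    has_eap: bool = False    # 802.1X requests carry EAP-Message; a MAC-filter request does not


@dataclass(frozen=True)
class Rule:
    name: str
    service_type: Optional[int]   # None matches any Service-Type (a too-broad condition)
    store: str                    # "end-stations" (MAC list) or "ad" (user accounts)


def canonical_mac(s: str) -> str:
    """12 lowercase hex digits, whatever separators the NAS used."""
    return "".join(c for c in s.lower() if c in "0123456789abcdef")


class Policy:
    def __init__(self, rules, end_stations, ad_users):
        self.rules = list(rules)
        self.end_stations = {canonical_mac(m) for m in end_stations}
        self.ad_users = set(ad_users)

    def select(self, req: Request) -> Optional[Rule]:
        """First rule whose condition matches wins, so the order is part of the policy."""
        for rule in self.rules:
            if rule.service_type is None or rule.service_type == req.service_type:
                return rule
        return None

    def decide(self, req: Request) -> tuple:
        """(rule name, accepted) for one request."""
        rule = self.select(req)
        if rule is None:
            return ("no-matching-rule", False)
        if rule.store == "end-stations":
            mac = canonical_mac(req.calling_station_id)
            ok = canonical_mac(req.user_name) == mac and mac in self.end_stations
        else:   # "ad": a MAC-as-username, non-EAP request can never satisfy this store
            ok = req.has_eap and req.user_name in self.ad_users
        return (rule.name, ok)


MAC_FILTER = Rule("MAC filter", CALL_CHECK, "end-stations")
DOT1X = Rule("802.1X PEAP", FRAMED, "ad")
ANY_DOT1X = Rule("802.1X PEAP (no Service-Type condition)", None, "ad")

END_STATIONS = ["00-1a-2b-3c-4d-5e"]                 # constructed
AD_USERS = {"jdoe"}                                  # constructed

GOOD = Policy([MAC_FILTER, DOT1X], END_STATIONS, AD_USERS)
BAD = Policy([ANY_DOT1X, MAC_FILTER], END_STATIONS, AD_USERS)

MAB_REQ = Request(CALL_CHECK, "001a2b3c4d5e", "00-1A-2B-3C-4D-5E")
DOT1X_REQ = Request(FRAMED, "jdoe", "00-1A-2B-3C-4D-5E", has_eap=True)
```

With GOOD, the MAC-filter request is answered from the end-station list and the PEAP request from AD; with BAD, the unconditioned 802.1X rule swallows the MAC-filter request and sends a MAC address to AD as a user name, which is rejected before the client ever gets to send credentials.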
802.1x deployment with MAC filtering
Hi All
I read "Enhance your 802.1x deployment security with MAC filtering" on the NAP blog at the link below.
http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx
I am wondering whether this tip might not be correct somehow, and would like to know how to implement it correctly.
First of all, there is only a "Verify Caller ID" field in the "Dial-in" tab of user properties, not "Calling Station ID". I tried to add a MAC address in this field and the authentication works.
As the description of the tip says, we can add multiple MAC addresses in that field, but it doesn't work. I tried to use
"AA-BB-CC-DD-EE-FF | BB-AA-FF-EE-DD-CC" format as multiple MAC addresses and IAS always responds with an error of wrong calling station ID. Does anyone know how to correctly add multiple MAC addresses in "Verify Caller ID"?
Thanks
Hi Sam
Thank you for your reply.
I would like to explain why I want to use multiple MAC address authentication for an account on a single AD.
Generally, 802.1X can be implemented for wired and wireless authentication on many network devices in a company or enterprise. An employee in a company or enterprise is supposed to have only one account but might have multiple devices such as a PC, laptop, or PDA. For the convenience of the authentication implementation, I think I should only create one account for that person and make a MAC filter for any devices he is authorized to use.
I had tried the first example you mention but it didn't work. The switch and wireless gateway I used for testing only sent one MAC address (calling station ID) to AD, and AD only recognized the first MAC address of all the MAC addresses I keyed in. Of course, your example can be successful if the device sends multiple MAC addresses simultaneously, because AD thinks those "MAC addresses" are just one string or one calling station ID. But that's not what I want.
Anyway, I will try the second way you suggest.
Thanks a lot. -
Hi,
I have successfully configured multiple SSIDs on the access point. But I am not able to achieve my objective. I want to allow only one user laptop to connect to this SSID. Currently I have applied the max-associations configuration, but I want to bind the MAC address to this SSID, so that on the basis of MAC address users can connect to SSID EMGAS, which is configured for WEP.
dot11 ssid EMGAS
vlan 24
! max-associations limits how many stations may associate, not which ones
max-associations 2
! "authentication open" admits any station; binding the SSID to a MAC needs
! "authentication open mac-address <list>" backed by a local username list or a RADIUS server
authentication open
guest-mode
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
encryption vlan 1 mode ciphers tkip
encryption vlan 25 mode ciphers tkip
! a 40-bit WEP key stored as a type-7 (reversible) string: anyone who reads this config or
! captures enough traffic recovers it, and a MAC list does not compensate for that
encryption vlan 24 key 1 size 40bit 7 88953EF67928 transmit-key
encryption vlan 24 mode wep mandatory
ssid EMGAS
ssid GUEST
ssid WAP
Kindly assist me how to achieve the MAC-based restriction in the SSID (EMGAS).
You can do an ACL and block it from the AP. (See below.)
But to do it by SSID, I think you will need a RADIUS server...
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058ed26.shtml -
I've been using MAC filtering as part of my home network wireless security for years. This means inputting the MAC address of every device and computer that I want to have connect to my network. So I get my new WiFi + 3G iPad on May 28th and look in Settings to find the MAC address so I can input it into my router info. The router (D-Link) says that it's not a valid MAC format, presumably because it begins with E8 instead of the 00 that all my other devices have. I ended up having to disable MAC address filtering in order to have my iPad connect to my WiFi network. Does anybody have any comments or ideas about how I can get the router to recognize a MAC that begins E8:06 etc.?
Would appreciate any help. Thanks.
Glenys
I am using MAC filtering on my network using a Linksys router (WRT300N) and had no problems adding our iPad to the MAC table. Also, if I'm not mistaken, the first portion of a MAC address is unique to the manufacturer, so unless all of your wireless devices are from the same manufacturer (at least the wireless component of the device), it isn't likely that all of your MAC addresses will start with the same digits. Make sure when you enter the MAC address that you include the colon between each pair. My Linksys won't accept the MAC address without them. As someone else recommended, you may also want to see if there is a firmware update for your router that addresses this issue. Good luck.
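MAC address handling that the ACS steps earlier on this page, the IAS "Verify Caller ID" thread and the D-Link complaint all turn on, as an added example that is not part of any post: a canonicaliser that strips separators and the invisible characters a copy-paste can carry, renderers for the formats different NASes report, the first-octet check showing that E8 is an ordinary prefix, and the difference between a single-string caller-ID compare and a server-side allow-list. All addresses are constructed; the E8:06:88 prefix is used only as a value, not looked up.

```python
"""Added example, not from any post on this page: canonicalising MAC addresses before they
go into a user store or filter list, and comparing them the way a NAS reports them.
All addresses below are constructed.
"""
import re
import unicodedata

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_SEPARATORS = re.compile(r"[:\-.]")


def canonical_mac(text: str) -> str:
    """Return the address as 12 lowercase hex digits or raise ValueError.
    Strips the usual separators and any space, control or format character (NBSP,
    zero-width space, BOM) that a copy-paste can carry; anything else is rejected
    rather than guessed, which is what a user store should do too."""
    cleaned = "".join(
        ch for ch in unicodedata.normalize("NFKC", text)
        if not unicodedata.category(ch).startswith(("Z", "C")))
    cleaned = _SEPARATORS.sub("", cleaned).lower()
    if not _HEX12.match(cleaned):
        raise ValueError(f"not a single MAC address: {text!r}")
    return cleaned


def render(mac12: str, style: str) -> str:
    """Write a canonical MAC the way a given NAS reports it:
    'cisco' 0011.22aa.bbcc (IOS/Aironet), 'colon' 00:11:22:aa:bb:cc,
    'ias' 00-11-22-AA-BB-CC (Calling-Station-Id as IAS/NPS compares it),
    'bare' 001122aabbcc (IOS switch User-Name for MAB)."""
    if style == "cisco":
        return ".".join(mac12[i:i + 4] for i in range(0, 12, 4))
    if style == "colon":
        return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))
    if style == "ias":
        return "-".join(mac12[i:i + 2] for i in range(0, 12, 2)).upper()
    if style == "bare":
        return mac12
    raise ValueError(f"unknown style {style!r}")


def first_octet_flags(mac12: str) -> dict:
    """Only two bits of the first octet mean anything: bit 0 (I/G, multicast) and bit 1
    (U/L, locally administered). E8 = 1110 1000 has both clear, so an E8:06:88:... address
    is an ordinary globally assigned unicast address; a router that rejects it is
    mis-validating, not detecting anything."""
    o = int(mac12[:2], 16)
    return {"multicast": bool(o & 0x01), "locally_administered": bool(o & 0x02)}


def caller_id_matches(stored: str, reported: str) -> bool:
    """What a one-string field such as Verify Caller ID can express: one MAC, compared whole.
    'AA-BB-CC-DD-EE-FF | BB-AA-FF-EE-DD-CC' is not a MAC and therefore never matches."""
    try:
        return canonical_mac(stored) == canonical_mac(reported)
    except ValueError:
        return False


def allowed(reported: str, allow_list) -> bool:
    """Several devices per account need a set on the server side, compared in canonical
    form so the NAS's formatting (dots, dashes, case, stray characters) does not matter."""
    try:
        return canonical_mac(reported) in {canonical_mac(m) for m in allow_list}
    except ValueError:
        return False
```

When an entry "that looks right" still fails, render the canonical value in the NAS's own style and compare it byte for byte with what the failed-attempts log shows; the ACS note about phantom characters is exactly the case canonical_mac refuses to paper over silently when the residue is not whitespace.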