802.1x authentication with mac address

Hi guys,
There is a strange requirement from one of our customers:
they want us to do 802.1x with MAC address authentication, and they don't want the pop-ups which ask
for username, password and domain.
Is it possible?
Can I avoid the username/password pop-up with 802.1x, and that too with MAC address?
Any help would be greatly appreciated.
Thanks,
Jvalin

Hi,
The feature you are looking for is possible in the case of wired 802.1x. This feature is called MAC-Auth Bypass and is mostly used if the client machine is not 802.1x capable. However, nowadays it is used even if the machine is 802.1x capable. In this, we enter the MAC address of the machine in the user database, e.g. Active Directory. When you connect the client machine to the switch, if we have MAC-Auth Bypass enabled on the port, it would take the MAC address of the machine as the username without any prompt for username and password.
A Windows server admin can easily push a group policy which disables 802.1x on the client machine, and it would only respond to the MAC-Auth Bypass. But first you would have to make sure your switch has MAC-Auth Bypass in the IOS.
For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
Regards,
Kush

Similar Messages

  • Domain authentication with mac address restrictions

    I am in a branch office and I have one WLC 5508 and one ACS 4.2 with three WLANs:
    WLAN1 with SSID1: for company computers and laptops
    WLAN2 with SSID2: for ipads and tablets
    WLAN3 with SSID3:  for guests
    I am asked to configure WLAN2 as “WLAN2: Provides the Wi-Fi connectivity to iPads and tablets, with back end security using domain authentication with MAC address restrictions.”

    You would need to create a separate policy and be able to have a separation between the two policies... It's kind of hard to explain, but you would have for example:
    Policy 1:
    Wireless user on this SSID WLAN1
    AD on this AD Group (Machine)
    Policy 2:
    Wireless user on this SSID WLAN 2
    AD on this AD Group (User)
    Thanks,
    Scott

  • 802.1x authentication with ACS 4.1 for MAC OSX

    Hi,
    I simply wanted to know if it's possible to have 802.1x authentication with Mac OS X on the ACS 4.1 platform.
    If yes, what are the prerequisites on ACS and Mac OS X? Which authentication methods are recommended?
    I'm sorry, but I can't find documents which show validated tests of an 802.1x implementation method on ACS 4.1 with the Mac OS X supplicant.
    Thanks in advance
    Best regards
    Thanks

    Yes, refer to the document below:
    http://support.apple.com/kb/HT2717
    Port settings and ACS configuration remain the same as for Windows-based clients.

  • WLC+LAP+ACS4.0 achieving 802.1x PEAP and MAC address authentication ?

    How do I configure WLC + LAP + ACS4.0 to achieve username and password authentication and MAC address authentication at the same time?

    This might help with the PEAP:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00807917aa.shtml
    MAC Authentication
    Add a MAC Address to ACS
    Complete these steps:
    1. From the ACS main menu, click on the User Setup button.
    2. In the User text box, enter the MAC address to add to the user database.
    Note: The MAC address must be exactly as it is sent by the AP for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is being reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.
    3. On the User Setup screen, enter the MAC address in the Secure-PAP password text box.
    Note: The MAC address must be exactly as it is sent by the AP for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is being reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.
    4. Check the Separate (CHAP/MS-CHAP) box.
    5. Enter a password for CHAP/MS-CHAP (this password should be different from the MAC address).
    6. Click Submit.
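The note in steps 2 and 3 above, as an added example that is not part of the original post or of ACS: a checker that lists invisible pasted characters in a stored MAC entry and reports when the stored spelling differs from the spelling seen in the failed attempts log. The function names and the set of spellings are assumptions of this example; the address is the one from the debug output further down the page, and the inputs are constructed.

```python
import re
import unicodedata

_DELIMS = ":-."
_ALLOWED = set("0123456789abcdefABCDEF" + _DELIMS)


def find_phantom_chars(raw):
    """List (index, code point, Unicode name) of characters that are neither
    hex digits nor MAC delimiters, e.g. a zero-width space from a paste."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNNAMED"))
            for i, c in enumerate(raw) if c not in _ALLOWED]


def canonical(raw):
    """Twelve lower-case hex digits, or ValueError if raw is not a clean MAC."""
    if find_phantom_chars(raw):
        raise ValueError(f"unexpected characters in {raw!r}")
    digits = re.sub(r"[:.\-]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"expected 12 hex digits, got {len(digits)}")
    return digits


def mac_variants(raw):
    """Every common spelling of the address, keyed by a descriptive name."""
    d = canonical(raw)
    pairs = [d[i:i + 2] for i in range(0, 12, 2)]
    quads = [d[i:i + 4] for i in range(0, 12, 4)]
    lower = {"bare": d, "colon": ":".join(pairs),
             "hyphen": "-".join(pairs), "dotted": ".".join(quads)}
    return {**lower, **{k + "-upper": v.upper() for k, v in lower.items()}}


def style(raw):
    """Name of the spelling that raw uses, or 'mixed' if it uses none."""
    for name, value in mac_variants(raw).items():
        if value == raw:
            return name
    return "mixed"


def diagnose(stored, reported):
    """Compare the database entry with the string from the failed attempts log."""
    bad = find_phantom_chars(stored)
    if bad:
        return "phantom characters in stored value: " + ", ".join(cp for _, cp, _ in bad)
    if stored == reported:
        return "match"
    if canonical(stored) == canonical(reported):
        return f"format mismatch: stored as {style(stored)}, sent as {style(reported)}"
    return "different address"


if __name__ == "__main__":
    reported = "000c30021f57"  # constructed: how the AP reports the client
    # Constructed database entries: clean, wrong spelling, pasted with U+200B
    for stored in ("000c30021f57", "00-0C-30-02-1F-57", "000c3002\u200b1f57"):
        print(repr(stored), "->", diagnose(stored, reported))
```
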

  • Cisco Aironet 1042 with MAC address

    Hi,
    I have a Cisco Aironet, model AIR-AP1042N-E-K9.
    I need to configure the AP to allow access only to certain MAC addresses.
    I'm doing the configuration through the console.
    The wireless network is not showing up on devices; does anyone know why?
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap_disi
    logging rate-limit console 9
    enable secret 5 xxxxx.
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local 
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    no ip routing
    no ip cef
    dot11 syslog
    dot11 ssid DISI-WLAN24
       authentication open 
    dot11 ssid DISIWIFI
       authentication open mac-address mac_methods 
       authentication key-management wpa version 2
       infrastructure-ssid
    dot11 guest
    username Cisco password 7 xxxx
    username Admin privilege 15 password 7 xxxx
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm 
     ssid DISI-WLAN24
     ssid DISIWIFI
     antenna gain 0
     speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
     station-role root
     l2-filter bridge-group-acl
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1
     description AP SITAS
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm 
     ssid DISIWIFI
     antenna gain 0
     peakdetect
     no dfs band block
     speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     l2-filter bridge-group-acl
     no keepalive
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface BVI1
     ip address 192.168.0.252 255.255.254.0
     no ip route-cache
     ipv6 address dhcp
     ipv6 address autoconfig
     ipv6 enable
    ip default-gateway 192.168.1.254
    ip forward-protocol nd
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1 
    access-list 700 permit 8830.8a24.7eb5   0000.0000.0000
    access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
    snmp-server view dot11view ieee802dot11 included
    snmp-server community public view dot11view RO
    snmp-server location DISI
    snmp-server contact SITAS
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps entity
    snmp-server enable traps disassociate
    snmp-server enable traps deauthenticate
    snmp-server enable traps authenticate-fail
    snmp-server enable traps dot11-qos
    snmp-server enable traps switch-over
    snmp-server enable traps rogue-ap
    snmp-server enable traps wlan-wep
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps syslog
    snmp-server enable traps cpu threshold
    snmp-server enable traps aaa_server
    snmp-server host 192.168.1.6 public 
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
     transport input all
    sntp server 192.168.1.215
    sntp broadcast client
    end

    Please refer: http://www.cisco.com/c/en/us/td/docs/wireless/access_point/12-4-25d-JA/Configuration/guide/cg_12_4_25d_JA/scg12-4-25d-JA-chap16-filters.html#wp1034897

  • 802.1X Authentication with InTouch

    Dear Community,
    Does anybody know if/when it's possible to use 802.1X authentication with the TelePresence InTouch 10?
    It works perfectly on the C/SX codecs, and as long as the panels are connected directly to the codec, there is no issue. But on some codecs, direct pairing is not possible and therefore I would need 802.1X authentication from the panels themselves.
    Thanks in advance!
    Best regards
    Alex

    Hello!
    We've just launched an Ask the Expert event on 802.1x
    https://supportforums.cisco.com/discussion/12463991/ask-expert-8021x-configuring-and-troubleshooting-javier-henderson
    Perhaps post your question with Javier as well!
    Thank you!

  • Palm Vx won't sync with Mac Address

    I am trying to sync my Palm Vx with the Mac Address Book. Changes or entries made in the Address Book show up on the Palm, but changes or entries made on the Palm don't show up in the Address Book. Everything else syncs just fine.
    The conduit settings read as follows:
    Voice Memo: Synchronize
    Note Pad: Synchronize
    Memo Pad: Synchronize
    Media: Synchronize
    iSync Conduit: See Conduit Settings (Enable iSync for this Palm device is checked)
    Install: Install Files
    Backup: Backup
    I'm not sure what I need to do. Any suggestions?
    Additional info:
    iSync Version 2.3 (500.86)
    Palm Vx
    Mac OS X (10.4.8)
    Address book version 4.0.4
    HotSync Manager V 3.2

    I hope it's OK to join my problem to this post...
    I have a very similar problem, where all my contacts were deleted from my computer's Address Book and transferred (not synced) to the iPhone.
    Is there a fix?
    Thanks

  • Aironet 1100 authentication open mac-address problems

    I have a new C1100 series that is running 12.2(4). I am trying to get MAC address authentication to use my RADIUS server (Funk SBR). I think I am close, but I have been close for about 12 hours now.
    I am using an SSID for the dot11Radio 0 interface...
    interface Dot11Radio0
    no ip address
    no ip route-cache
    ssid INTECUSA
    authentication open mac-address sbr
    ssid tsunami
    authentication open
    guest-mode
    ...and I THINK I have the sbr list correctly defined.
    aaa group server radius default
    server 158.155.25.201 auth-port 1812 acct-port 1813
    aaa authorization network sbr group radius
    radius-server host 158.155.25.201 auth-port 1812 acct-port 1813
    ...The RADIUS server is up and responding to client requests.
    ...and it looks as though the 1100 is trying to do the right thing, but I don't think I have the sbr method list correctly defined. I don't see any traffic actually go out over the network. Here are the debug messages...
    CiscoCS1100#show debug
    General OS:
    AAA Authorization debugging is on
    AAA Accounting debugging is on
    dot11 aaa:
    Mac Authentication debugging is on
    Accounting debugging is on
    (Now I plug a card into a laptop.)
    06:51:07: AAA/ACCT/EVENT/(0000013D): CALL START
    06:51:07: AAA/ACCT/NET(0000013D): Rec init, Session Id=126
    06:51:07: dot11_aaa_mac_auth: method_list: sbr
    06:51:07: dot11_aaa_mac_auth: method_index: 0xFFFFFFFF, req: 0x64EA28
    06:51:07: dot11_aaa_mac_auth: client->unique_id: 0x13D
    06:51:07: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
    06:51:07: dot11_aaa_upd_accounting: Updating attributes for user: 000c.3002.1f57
    Thanks,
    Bryan

    Thanks for the reply David, but there are no packets going out on the network to the AAA server. Also I think the debug messages I included were incomplete. I just tried to access the network (no settings were changed). Here is the debug output. The message...
    *21:01:28: AAA/ACCT/NET(00000155): Method list not foundfailed; Cleaning the record up*
    Is why I think I am messing up. Again no traffic on the Ethernet side of the 1100 going to the RADIUS server.
    21:01:28: AAA/ACCT/EVENT/(00000155): CALL START
    21:01:28: AAA/ACCT/NET(00000155): Rec init, Session Id=150
    21:01:28: dot11_aaa_mac_auth: method_list: sbr
    21:01:28: dot11_aaa_mac_auth: method_index: 0xFFFFFFFF, req: 0x7AB8DC
    21:01:28: dot11_aaa_mac_auth: client->unique_id: 0x155
    21:01:28: dot11_mac_process_reply: AAA reply for 000c.3002.1f57 FAILED
    21:01:28: dot11_aaa_upd_accounting: Updating attributes for user: 000c.3002.1f57
    21:01:28: AAA/ACCT/EVENT/(00000155): CALL STOP
    21:01:28: AAA/ACCT/CALL STOP(00000155): Sending stop requests
    21:01:28: AAA/ACCT(00000155): Sending stop record for NET
    21:01:28: AAA/ACCT/NET(00000155): Method list not foundfailed; Cleaning the record up
    21:01:28: AAA/ACCT(00000155):acctdb->rec_count = 0..sending signal
    21:01:28: AAA/ACCT(00000155): Interface DB not enqueuedsuccess
    21:01:29: dot11_mac_auth_process: remove 000c.3002.1f57 from mac hold list
    Thanks again,
    Bryan

  • Controller detected its ip address by machine with MAC Address

    Hi
    I am getting the error "Controller detected its ip address x.x.x.x using my machine with MAC address xx:xx:xx:xx:xx:xx" when I upgrade my Cisco Wireless Controller 5508 from 7.0.116.0 to 7.4.110.0. Any suggestions?
    Regards

    Hi Mohammed,
    Do you have more than one controller?
    Could be:
    1. The error suggests that it has detected a duplicate address (its management IP address for the WLC) in use by a client with the MAC address xx:xx:xx:xx:xx:xx.
    Please check the management interface IP on each controller.
    2. Looks like you enabled LAG on the controller?
    That means you have connected more than one port from your controller to different switches.
    Regards

  • Is weblogic 8.1 sp4 maps with 'Mac' address while installing.

    I have an issue with WebLogic, which is currently running. I have decided to copy the dump to a different system and run it there. Will this work? Does the new system require the same IP address and 'MAC' address (physical address) as the old system? Is the WebLogic 8.1 installation mapped to the 'MAC' address? Please answer.

    Hi,
    The license.bea file includes the IP addresses that are authorized. This is not MAC sensitive. If you are not transitioning your IP address to the new system, you will need a new license.bea file. Either use elicense.bea.com or open a support case for this.
    Regards,
    -Adrian

  • 802.1x Authentication with Windows and MAC

    Hello Team;
    I have one SSID configured with 802.1x. The clients with Mac machines can directly join the network by just entering the AD username and password. For the Windows machines we need to do some configuration on the client machines to work with the SSID.
    Could you please clarify whether the Windows machines will just work like the Macs, or whether the preconfiguration is mandatory for Windows to work with 802.1x?

    Hello Sreejith,
    As per your query I can suggest the following steps:
    No, the preconfiguration is not mandatory for Windows to work with 802.1x. To enable 802.1x authentication on wireless, follow these steps:
    1. Open Manage Wireless Networks by clicking the Start button, clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then, in the left pane, clicking Manage wireless networks.
    2. Right-click the network that you want to enable 802.1X authentication for, and then click Properties.
    3. Click the Security tab, and then, in the Security Type list, click 802.1X.
    4. In the Encryption Type list, click the encryption type you want to use.
    On wireless networks, 802.1X can be used with Wired Equivalent Privacy (WEP) or Wi‑Fi Protected Access (WPA) encryption.
    5. In the Choose a network authentication method list, click the method you want to use.
    To configure additional settings, click Settings.
    Hope this will help you.

  • PEAP authentication with MAC filtering

    Hi,
    I have an SSID which requires MAC filtering as the first level of security, and RADIUS authentication as well. I have done the necessary configuration in ACS and WLC. In ACS, the rule for MAC filtering is taking a hit, but the users are not asked for credentials. The wireless association also fails. The MAC addresses are saved in the End station filter on ACS.
    Attached document has the complete configuration which I performed. Please let me know what I am missing here. Thank you.
    Regards,
    Madhan kumar G

    Hi,
    As per maldehne, you have to play with the service type.
    Check this discussion: http://goo.gl/R9E8ae
    To the authentication policy you have to add a 'service type' attribute and check based on that attribute.
    Based on maldehne, as per the past discussion, the service type value in the rule condition should be:
    For MAC filtering: value should be: call check
    For 802.1x: value should be: Framed
    Note that the MAC filter rule should come first.
    Hope this helps.
    Regards,
    Amjad
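An added example, not from the thread and not ACS's own logic: a RADIUS Access-Request parser that applies the rule order described above, testing Call-Check (Service-Type 10) before Framed (Service-Type 2), and that shows the MAC address arriving as the User-Name with no prompt, as in the MAC-Auth Bypass answer at the top of the page. The packets are constructed; the return labels and the check that User-Name equals Calling-Station-Id are assumptions of this example.

```python
import struct

# RADIUS attribute numbers and Service-Type values (RFC 2865)
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID, EAP_MESSAGE = 1, 6, 31, 79
FRAMED, CALL_CHECK = 2, 10


def build_access_request(attrs, ident=1):
    """Constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, ident, 20 + len(body), bytes(16)) + body


def parse_attributes(packet):
    """Return {attribute type: [values]} after validating every length."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def _mac_digits(value):
    """Twelve lower-case hex digits if value spells a MAC, else ''."""
    text = value.decode("ascii", "replace").lower()
    text = text.translate(str.maketrans("", "", ":-."))
    ok = len(text) == 12 and all(c in "0123456789abcdef" for c in text)
    return text if ok else ""


def classify(packet):
    """First-match policy: the Call-Check (MAC filter) rule is tested first."""
    attrs = parse_attributes(packet)
    raw = attrs.get(SERVICE_TYPE, [b""])[0]
    service = struct.unpack("!I", raw)[0] if len(raw) == 4 else None
    if service == CALL_CHECK:
        user = _mac_digits(attrs.get(USER_NAME, [b""])[0])
        station = _mac_digits(attrs.get(CALLING_STATION_ID, [b""])[0])
        # Assumption: the NAS reports the client MAC in Calling-Station-Id,
        # so a MAC-filter request must carry the same MAC as its User-Name.
        return "mac-filter" if user and user == station else "reject"
    if service == FRAMED and EAP_MESSAGE in attrs:
        return "802.1x"
    return "no-match"


# Constructed sample requests (MAC taken from the debug output on this page)
_CALL_CHECK = struct.pack("!I", CALL_CHECK)
_FRAMED = struct.pack("!I", FRAMED)
_EAP_IDENTITY = bytes([2, 1, 0, 10, 1]) + b"alice"  # EAP-Response/Identity
MAB_REQ = build_access_request([(USER_NAME, b"000c30021f57"),
                                (SERVICE_TYPE, _CALL_CHECK),
                                (CALLING_STATION_ID, b"00-0C-30-02-1F-57")])
DOT1X_REQ = build_access_request([(USER_NAME, b"alice"),
                                  (SERVICE_TYPE, _FRAMED),
                                  (CALLING_STATION_ID, b"00-0C-30-02-1F-57"),
                                  (EAP_MESSAGE, _EAP_IDENTITY)])
MISMATCH_REQ = build_access_request([(USER_NAME, b"000c30021f57"),
                                     (SERVICE_TYPE, _CALL_CHECK),
                                     (CALLING_STATION_ID, b"00-11-22-33-44-55")])

if __name__ == "__main__":
    for name in ("MAB_REQ", "DOT1X_REQ", "MISMATCH_REQ"):
        print(name, "->", classify(globals()[name]))
```
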

  • 802.1x deployment with MAC filtering

    Hi All
    I read "Enhance your 802.1x deployment security with MAC filtering" on NAP blogs with link as below.
    http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx
    I am wondering whether this tip might not be correct somehow, and would like to know how to implement it correctly.
    First of all, there is only a "Verify Caller ID" field in the "dial-in" tab of user properties, not "Calling Station ID". I tried to add a MAC address in this field and the authentication works.
    According to the description of the tip, we can add multiple MAC addresses in that field, but it doesn't work. I tried to use the "AA-BB-CC-DD-EE-FF | BB-AA-FF-EE-DD-CC" format for multiple MAC addresses, and IAS always responds with an error about a wrong calling station ID. Does anyone know how to correctly add multiple MAC addresses in "Verify Caller ID"?
    Thanks

    Hi Sam
    Thank you for your reply.
    I would like to explain why I want to use multiple MAC address authentication for an account on a single AD.
    Generally, 802.1X can be implemented for wired and wireless authentication on many network devices in a company or enterprise. An employee in a company or enterprise is supposed to have only one account but might have multiple devices such as a PC, laptop, or PDA. For the convenience of the authentication implementation, I think I should only create one account for that person and set up MAC filtering for any devices he is authorized to use.
    I had tried the first example you mention but it didn't work. The switch and wireless gateway I used for the test only sent one MAC address (calling station ID) to AD, and AD only recognized the first MAC address of all the MAC addresses I keyed in. Of course, your example can be successful if the device sends multiple MAC addresses simultaneously, because AD thinks those "MAC addresses" are just one string or one calling station ID. But that is not what I want.
    Anyway, I will try the second way you suggest.
    Thanks a lot.

  • WEP with MAC address

    Hi,
    I have successfully configured multiple SSIDs on the access point, but I am not able to achieve my objective. I want to allow only one user's laptop to connect to this SSID. Currently I have applied the max session configuration, but I want to bind the MAC address to this SSID, so that users can connect to SSID EMGAS, which is configured for WEP, on the basis of MAC address.
    dot11 ssid EMGAS
       vlan 24
       max-associations 2
       authentication open
       guest-mode
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers tkip
    encryption vlan 1 mode ciphers tkip
    encryption vlan 25 mode ciphers tkip
    encryption vlan 24 key 1 size 40bit 7 88953EF67928 transmit-key
    encryption vlan 24 mode wep mandatory
    ssid EMGAS
    ssid GUEST
    ssid WAP
    Kindly assist me with how to achieve the MAC-based restriction on the SSID (EMGAS).

    You can do an ACL and block it from the AP. (See below)..
    But to do it by SSID I think you will need a radius server ...
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058ed26.shtml

  • WiFi issue with MAC address

    I've been using MAC filtering as part of my home network wireless security for years. This means inputting the MAC address of every device and computer that I want to have connect to my network. So I get my new WiFi + 3G iPad on May 28th and look in Settings to find the MAC address so I can input it into my router info. The router (D-Link) says that it's not a valid MAC format, presumably because it begins with E8 instead of the 00 that all my other devices have. I ended up having to disable MAC address filtering in order to have my iPad connect to my WiFi network. Does anybody have any comments or ideas about how I can get the router to recognize a MAC that begins E8:06 etc.?
    Would appreciate any help. Thanks.
    Glenys

    I am using MAC filtering on my network using a Linksys router (WRT300N) and had no problems adding our iPad to the MAC table. Also, if I'm not mistaken, the first portion of a MAC address is unique to the manufacturer, so unless all of your wireless devices are from the same manufacturer (at least the wireless component of the device), then it isn't likely that all of your MAC addresses will start with the same digits. Make sure when you enter the MAC address that you include the colon in between each pair. My Linksys won't accept the MAC address without them. As someone else recommended, you may also want to see if there is a firmware update for your router that addresses this issue. Good Luck.
