802.1X MAC-Address Based Authentication

I am wondering if we are going to see, or already have, the ability to authenticate hosts on the LAN with something other than a username/password. I am mostly concerned with ports on my network where the end device is not 802.1X-compliant. Does anyone have any insight into what others are doing? Currently I am running ACS 3.3.2 and have been very successful deploying 802.1X to ports on my LAN; however, we run a mix of vendor-supported Unix-based devices, and printers are another source of concern.

We had pretty good luck using a ColdFusion front end that forces users to authenticate with their AD credentials. It pulls the MAC address, host name and user/machine details and puts them in an ODBC database.
We modified the sample stub routine so that the CSDB stub routine adds the MAC to the local database in the PAP field.
Kind of a nice compromise between identity-based and machine-based authentication, without the complexities of PEAP/EAP-FAST etc.
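What the switch actually sends once the MAC is in the "PAP field" is an ordinary RADIUS Access-Request in which the MAC is both User-Name and User-Password, with the password hidden by the RFC 2865 PAP scheme (MD5 of the shared secret and the Request Authenticator, XORed block by block). The example below is an added illustration of that exchange and the server-side check; it is not the poster's ColdFusion or CSDB code. The attribute formats (12 lowercase hex digits for User-Name, dash-separated upper-case pairs for Calling-Station-Id, Service-Type = Call-Check) are the Cisco IOS MAB defaults as far as the author knows and are marked as assumptions in the code; the shared secret and the allow-list are constructed.

```python
"""RADIUS Access-Request for MAC Authentication Bypass, built and verified.
Added example: the MAC is User-Name and User-Password; hiding per RFC 2865 5.2."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_SERVICE_TYPE = 6
ATTR_CALLING_STATION_ID = 31
SERVICE_TYPE_CALL_CHECK = 10


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a 16-byte multiple, XOR each block with MD5(secret + previous block);
    the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mab_request(mac: str, secret: bytes, identifier: int,
                      authenticator: bytes = None) -> bytes:
    authenticator = authenticator or os.urandom(16)
    # Assumption: IOS default MAB formats (User-Name '00115cc71490',
    # Calling-Station-Id '00-11-5C-C7-14-90', Service-Type Call-Check).
    mab_id = mac.replace(":", "").replace("-", "").lower().encode()
    hexpairs = mab_id.decode().upper()
    calling_station = "-".join(hexpairs[i:i + 2] for i in range(0, 12, 2)).encode()
    attrs = (attribute(ATTR_USER_NAME, mab_id)
             + attribute(ATTR_USER_PASSWORD, hide_password(mab_id, secret, authenticator))
             + attribute(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + attribute(ATTR_CALLING_STATION_ID, calling_station))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(t, packet[pos + 2:pos + l])  # keep the first occurrence
        pos += l
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def check_mab_request(packet: bytes, secret: bytes, allowed_macs: set) -> tuple:
    """Server side of the posted setup: reveal the password, require it to equal
    User-Name, confirm this is a Call-Check (MAB) request, then consult the allow-list."""
    p = parse_attributes(packet)
    user = p["attrs"][ATTR_USER_NAME]
    pw = reveal_password(p["attrs"][ATTR_USER_PASSWORD], secret, p["authenticator"])
    if pw != user:
        return user.decode(), "reject:password-mismatch"
    if p["attrs"].get(ATTR_SERVICE_TYPE) != struct.pack("!I", SERVICE_TYPE_CALL_CHECK):
        return user.decode(), "reject:not-a-mab-request"
    return user.decode(), ("accept" if user.decode() in allowed_macs else "reject:unknown-mac")


SHARED_SECRET = b"testing123"      # constructed
KNOWN_MACS = {"00115cc71490"}      # constructed allow-list in MAB User-Name format

if __name__ == "__main__":
    pkt = build_mab_request("00:11:5c:c7:14:90", SHARED_SECRET, 7)
    print(check_mab_request(pkt, SHARED_SECRET, KNOWN_MACS))
```

The check makes the trade-off explicit: the only secret in a MAB request is the MAC itself, so any device that learns an allow-listed MAC authenticates, and the "password" is recoverable by anyone who holds the RADIUS shared secret and can see the packets. That is the compromise the reply above accepts in exchange for avoiding a supplicant on printers and vendor-supported Unix boxes.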

Similar Messages

  • Using MAC addresses for authentication

    How do we configure our controllers/RADIUS servers to use MAC addresses instead of authenticating against a certain group in AD? We would, if possible, like to combine these two ways of authentication in one SSID.
    We're running 7.0.116.0 on our controllers (5500 series) and our RADIUS servers are one W2k8 and one W2k3.

    On wireless we might manage to avoid MAC authentication altogether. The possible exception is about 20 devices which can handle our network as it is today, but where all the default policies on our domain cause a lot of extra work.
    On the wired network we haven't got any protection whatsoever today. We have now started the process of separating out critical equipment, and try telling a CT scanner (I work at a hospital) that it's got to use certificates ;-) The plan for all regular computers is to use the same (though slightly modified) policy as we're using for wireless today, but that leaves all the "weird" medical devices which don't have antivirus, can't handle certificates and generally don't do security... In the end the medical equipment will end up on one set of VLANs and the regular computers on another, with a firewall regulating access.
    Since we're starting with the wireless, I asked here :-)

  • Wireless MAC Address Filtering via RADIUS Bypassed

    Hello,
    I have two MAC-address-filtered WLANs configured plus one guest SSID.
    The MAC address filtering is linked to a RADIUS server for MAC verification.
    When I enable Fast SSID Change (globally for the controller) I can switch from the guest SSID to a MAC-filtered SSID without RADIUS validation of my MAC.
    If I disable Fast SSID Change, I cannot switch between them, and RADIUS returns a reject for my MAC address.
    The problem is that I have some iPhones switching between two SSIDs, so I have to leave Fast SSID Change activated; if not, the iPhones can't connect to the SSIDs ...
    (as stated in: https://supportforums.cisco.com/docs/DOC-21729)
    My version: 7.2.103.0
    Can anybody confirm this problem?
    Thanks,
    regards,
    Guillaume

    You're hitting this bug; update to fixed code.
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCub00341

  • 802.1X MAC-based authentication

    We have Cisco ACS 3.3. Is there a way to do authentication based on MAC address instead of username and password? We are looking to stop things such as user-purchased access points and whatnot. Any info would be great.

    Yes, you are right, I misunderstood you. I was under the impression that you were talking about doing MAC-based authentication on your APs, not the switches. That is why I mentioned port security.
    The two options would be standard port security or 802.1X port security, if your switches support it.
    In order to use 802.1X port security, your switch would need to support it and the clients connecting to the switch would require a supplicant (EAP-TLS, EAP-TTLS, etc.) in order for them to work, not by MAC address alone.
    You can configure standard port security on the switch, which will accomplish your intentions without even needing the ACS server.
    Standard port-based security by MAC:
    http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a008007d3ce.html
    802.1X port-based security:
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801a6c72.html

  • 802.1X MAC authentication

    Hi,
    I've been searching for the right solution to my problem on and off for the last week on this forum and other sites. I didn't get a clear answer, so here I am posting it:
    Is it possible to do MAC-based authentication and VLAN assignment with 802.1X against a RADIUS server? _I know_ you will give me the VMPS solution, which I have already taken into consideration, but I would rather do it with 802.1X if it is possible, for a number of reasons.
    I'm not looking to do port filtering (to allow only one MAC address defined in the switch). The switch should interrogate the RADIUS server as to whether the MAC has access and what VLAN it should be placed on, all by means of 802.1X. Can it be done?
    Thanks.
    Gabi.

    Yes, the switch will merely pass the 802.1X from the client to the RADIUS server; the bulk of the configuration is done on the server. At the switch it's called "Using 802.1X with VLAN Assignment". Here is a link on how to configure 802.1X with VLAN assignment on a Cat4000:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_25a/conf/dot1x.htm#wp1142124
    But you can find configuration guides for other platforms through UniverCD:
    http://www.cisco.com/univercd/home/home.htm
    And here is a link on Using a RADIUS Server to Assign Users to VLANs:
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1200/accsspts/b1237ja/i1237sc/s37vlan.htm#wp1038739

  • MAC-Based Authentication

    I am sorry if this has been asked before or if this is the wrong place to ask.
    I just want to know how secure MAC-based authentication is on an AP340 access point (not bridge) with version 11.07.
    I've done this by adding 'Dest MAC Address' in 'Address Filters' under 'Association' in 'Setup'.
    I also selected 'Disallowed' for 'Default Unicast Address Filter' for all the relevant authentication types in 'Advanced' for 'AP Radio' of the 'Network Ports' in 'Setup'.
    Thanks for any suggestions.

    If an attacker has a network analyzer, they can see the MAC address in use (even if WEP is being used, as the MAC cannot be encrypted).
    Some 802.11 NICs allow the user to configure a MAC address into the NIC.
    So the attacker *could*:
    1. Observe a valid NIC in use.
    2. Program that MAC into their NIC.
    3. Wait till the valid user has gone home.
    4. Use the NIC they have programmed to access your network from the safety of the parking lot.
    LEAP or VPNs provide a much more secure solution.
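The attack above leaves one observable trace while the clone and the legitimate station are both on the air: every 802.11 data frame carries a 12-bit sequence number that a single NIC increments by one per frame (retransmissions repeat it), so two radios sharing one MAC produce a sequence that jumps back and forth. The detector below is an added example of that check run over constructed frame records; it is not code from the thread. The gap threshold is an assumption to tolerate frames the monitor missed.

```python
"""Flag a MAC address that two radios appear to be using at once, from the
802.11 sequence-number field.  Added example over constructed observations."""
from dataclasses import dataclass

SEQ_MODULO = 4096  # the Sequence Number subfield is 12 bits wide


@dataclass
class Frame:
    ts: float      # capture time, seconds
    src: str       # transmitter (Address 2) MAC
    seq: int       # sequence number, 0..4095
    retry: bool = False  # Retry bit set: same MSDU sent again


def sequence_gaps(frames, max_gap=50):
    """Return (index, mac, previous_seq, seq) for frames whose sequence number
    is not a small forward step from the last one seen for that MAC.  A retry
    that repeats the previous number is normal; a zero gap without the Retry
    bit, or a large or backward jump, is a second sender or a reset."""
    last, alerts = {}, []
    for idx, f in enumerate(frames):
        prev = last.get(f.src)
        if prev is not None:
            gap = (f.seq - prev) % SEQ_MODULO   # backward jumps show up as large gaps
            if f.retry and gap == 0:
                continue                        # legitimate retransmission
            if gap == 0 or gap > max_gap:
                alerts.append((idx, f.src, prev, f.seq))
        last[f.src] = f.seq
    return alerts


# Constructed capture: one legitimate station counting 100..103 with a retry,
# a second unrelated station, and a clone of the first MAC injecting seq 5.
VICTIM, OTHER = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
SAMPLE_FRAMES = [
    Frame(0.00, VICTIM, 100),
    Frame(0.05, OTHER, 7),
    Frame(0.10, VICTIM, 101),
    Frame(0.15, VICTIM, 102),
    Frame(0.16, VICTIM, 102, retry=True),   # retransmission, not an alert
    Frame(0.20, OTHER, 8),
    Frame(0.30, VICTIM, 5),                 # clone with its own counter
    Frame(0.35, VICTIM, 103),               # original station continues
]

if __name__ == "__main__":
    for alert in sequence_gaps(SAMPLE_FRAMES):
        print("possible MAC clone:", alert)
```

Note what this does and does not catch: it fires only while both radios transmit. If the attacker follows step 3 literally and waits until the real user has left, the only trace is a counter reset when the clone appears, which is indistinguishable from the legitimate NIC being power-cycled. That is why the reply's conclusion stands: filtering on a value the client chooses is not authentication, and the fix is a cryptographic one (802.1X/EAP or a VPN), not a better filter.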

  • MAC address authentication with RADIUS

    Hello all,
    We have a WiFi architecture based on two RADIUS servers (ACS 3.2).
    We do MAC address authentication with WEP on these RADIUS servers. Our wireless cards are Proxim Orinoco. When we use the username and password identified by the MAC address manually, it works.
    But authentication by MAC address with the wireless card doesn't work. The log on the RADIUS servers says "CS PASSWORD INVALID".
    Ideas?
    Regards

    First ensure the password on the access point and the authentication server is the same. I have had this trouble getting authenticated with ACS for admin authentication. Installing it on another machine made it work. So try uninstalling ACS completely using the recovery CD and reinstalling it to check if this works.

  • 802.1X Machine-Based Authentication - Password expired

    Hi,
    I would like to ask one question about machine-based authentication with 802.1X.
    1. We are deploying 802.1X for wired users.
    2. Some users are using machine-based authentication in order to authenticate their port.
    3. However, after the user's password expires, the user needs to change their password, and then the machine is unable to authenticate. The error I get is "External DB user invalid or bad password". Then the switch assigns the user to the guest VLAN.
    4. But once I unplug the UTP cable and plug it back in after the user logs in, the switch assigns the user to the proper VLAN.
    5. Users won't be able to access their share drives etc., since the guest VLAN only has access to the Internet.
    6. Anyone have any idea what is happening? It seems that the machine is sending the old password to the ACS during the authentication process.
    Can anybody shed some light on this? Thanks.

    This should certainly work with that rev. In your passed (or failed) auth log, you should see the username of the session authenticating. If you see the FQDN of the machine, this is a machine auth. Also, machine auth typically executes before the GINA is displayed to the user. It sounds like machine auth is failing and we need to determine why. Has this machine been away from the domain for long?
    This also might help:
    http://supportwiki.cisco.com/ViewWiki/index.php/802.1x_authentication_with_Cisco_Secure_Access_Control_Server_fails_to_work_for_Microsoft_Windows_XP_PC

  • 802.1X TLS (machine certificate) authentication in Snow Leopard

    Hi,
    In our company we are using 802.1X TLS authentication for WLAN and on some LAN ports. We have been delivering machine certificates to our PCs for a while without problems, and these are using the certificate to authenticate themselves before logging in to the network.
    We would like to deliver the same user experience to Mac users, but we are having severe problems configuring them. Our Mac users use Snow Leopard, and the few references I found on the Internet regarding 802.1X TLS authentication are for Leopard or previous versions, where the 802.1X and Keychain configuration is quite different.
    We do have a proper machine certificate (with the correct usages, SAN, etc.) and its related AD object provisioned. I have created the 802.1X profile as a "User Profile" and as a "System Profile" with the same results.
    I add the client logs below, but what I don't understand is why the client is saying it's going to use MSCHAP when that is not the case.
    <key>TTLSInnerAuthentication</key>
    <string>MSCHAPv2</string>
    Lastly, the Keychain also has a weird behaviour. If we import a Root CA into the "login" and/or "System" keychain, mark it as "Always Trust" and later import a certificate created by this Root CA, the Keychain UI insists that the certificate "was signed by an unknown authority". From the logs below that does not seem to be the reason why the client is not able to use 802.1X TLS, but in any case that is a bug.
    Client logs:
    2010/05/14 10:37:12.872405 update_configuration
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>AcceptEAPTypes</key>
    <array>
    <integer>13</integer>
    </array>
    <key>Description</key>
    <string>Automatic</string>
    <key>EAPFASTProvisionPAC</key>
    <true/>
    <key>EAPFASTUsePAC</key>
    <true/>
    <key>TLSIdentityHandle</key>
    <data>
    [Removed]
    </data>
    <key>TLSTrustedCertificates</key>
    <array>
    <data>
    [In here we have our internal Root CA, which we use to create the machine certificate and also the certificate used on our IAS server (the RADIUS)]
    </data>
    </array>
    <key>TLSVerifyServerCertificate</key>
    <true/>
    <key>TTLSInnerAuthentication</key>
    <string>MSCHAPv2</string>
    </dict>
    </plist>
    2010/05/14 10:37:12.968769 link up
    2010/05/14 10:37:12.968862 Associated SSID [Removed SSID] BSSID [Removed BSSID]
    2010/05/14 10:37:12.972850 Receive Packet Size 77
    Ether packet: dest f8:1e:df:e4:88:5a source 0:11:5c:c7:14:90 type 0x888e
    EAPOL: proto version 0x2 type EAP Packet (0) length 59
    EAP Request (1): Identifier 1 Length 59
    Identity (1)
    length 59 - sizeof(*rd_p) 5 = 54
    [Removed. In here there is our networkid,nasid and portid ]
    2010/05/14 10:37:12.972955 Supplicant (main) status: state=Connecting
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>ClientStatus</key>
    <integer>0</integer>
    <key>ConfigurationGeneration</key>
    <integer>2</integer>
    <key>DomainSpecificError</key>
    <integer>0</integer>
    <key>Mode</key>
    <integer>1</integer>
    <key>SupplicantState</key>
    <integer>1</integer>
    <key>Timestamp</key>
    <date>2010-05-14T08:37:12Z</date>
    <key>UniqueIdentifier</key>
    <string>[Removed]</string>
    </dict>
    </plist>
    2010/05/14 10:37:12.976795 EAP Request Identity
    2010/05/14 10:37:12.976819 EAP Response Identity [Removed, in here there is the Machine name as appears in the SAN of the certificate ]
    2010/05/14 10:37:12.976832 Transmit Packet Size 39
    Ether packet: dest 0:11:5c:c7:14:90 source f8:1e:df:e4:88:5a type 0x888e
    EAPOL: proto version 0x1 type EAP Packet (0) length 35
    EAP Response (2): Identifier 1 Length 35
    Identity (1)
    length 35 - sizeof(*rd_p) 5 = 30
    [Removed raw data with the SAN]
    2010/05/14 10:37:12.977530 Supplicant (main) status: state=Acquired
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>ClientStatus</key>
    <integer>0</integer>
    <key>ConfigurationGeneration</key>
    <integer>2</integer>
    <key>DomainSpecificError</key>
    <integer>0</integer>
    <key>IdentityAttributes</key>
    <array>
    <string>networkid=[Removed our SSID]</string>
    <string>nasid=[Removed our WLANC ID]</string>
    <string>portid=29</string>
    </array>
    <key>Mode</key>
    <integer>1</integer>
    <key>SupplicantState</key>
    <integer>2</integer>
    <key>Timestamp</key>
    <date>2010-05-14T08:37:12Z</date>
    <key>UniqueIdentifier</key>
    <string>[Removed]</string>
    </dict>
    </plist>
    2010/05/14 10:37:13.022577 force renew
    2010/05/14 10:37:13.025323 stop
    * Has someone been able to use 802.1X TLS-based authentication for Snow Leopard clients and can point me in the right direction?
    * Does Apple provide any documentation for this? (All I found is that I should contact the "Network Administrator" to get the Mac configured!!!)
    * How can I make a certificate issued by a "Private CA" trusted in Snow Leopard? All the workarounds I found are not suitable for Snow Leopard.
    Thanks
    Jofre

    Hi,
    Some updates: besides the Keychain UI issue and the strange logs, it seems that the request is reaching the RADIUS, a Windows IAS server.
    If we compare a PC and a Mac we have the following.
    PC:
    1 0.000000 IntelCor_c1:49:69 Cisco_c7:14:90 EAPOL Start
    2 0.030210 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748]
    3 0.034350 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748] (Repeated)
    4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
    5 0.135258 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748] (Repeated)
    6 0.142715 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, EAP-TLS [RFC5216] [Aboba]
    7 0.196988 IntelCor_c1:49:69 Cisco_c7:14:90 TLSv1 Client Hello
    8 0.213640 Cisco_c7:14:90 IntelCor_c1:49:69 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
    Continues OK
    While on Snow Leopard they are:
    44 39.196967 Apple_e4:88:5a Cisco_c7:14:90 EAPOL Start
    45 39.201062 Cisco_c7:14:90 Apple_e4:88:5a EAPRequest, Identity [RFC3748]
    46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
    47 39.209543 Cisco_c7:14:90 Apple_e4:88:5a EAPFailure
    After analyzing the network traces we see that the difference is in the 3rd EAP packet:
    PC:
    4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAP Response, Identity [RFC3748]
    802.1X Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 40
    Extensible Authentication Protocol
    Code: Response (2)
    Id: 1
    Length: 40
    Type: Identity [RFC3748] (1)
    Identity (35 bytes): host/SAN-NAME01.INTERNALDOMAIN.COM
    Mac Snow Leopard:
    46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAP Response, Identity [RFC3748]
    802.1X Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 35
    Extensible Authentication Protocol
    Code: Response (2)
    Id: 2
    Length: 35
    Type: Identity [RFC3748] (1)
    Identity (30 bytes): SAN-NAME01.INTERNALDOMAIN.COM
    That difference prevents our RADIUS (IAS server) from authenticating the device properly, with the error:
    User SAN-NAME01.INTERNALDOMAIN.COM was denied access.
    Policy-Name = <undetermined>
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 8
    Reason = The specified user account does not exist.
    while in the PC case we have:
    PC:
    User host/SAN-NAME02.INTERNALDOMAIN.COM was granted access.
    Policy-Name = Allow Wireless Lan Access With Certificate
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    * Question 1: Is there a way to ensure that Snow Leopard adds the "host/" at the beginning of the Identity?
    * Question 2: Has someone been able to connect a Snow Leopard to a WLAN protected with 802.1X using TLS?
    Thanks
    Jofre
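The two captures differ only in the EAP Response/Identity payload, and the IAS log shows the consequence: an identity without the "host/" prefix is looked up as a user account and fails with "The specified user account does not exist". The following added example (not code from the thread or from Apple/Microsoft) rebuilds both frames as Ethernet + EAPOL + EAP, parses them back, and models the account lookup the IAS log implies. The lookup model, the directory contents, and the use of the Apple MAC as source for both frames are constructed assumptions; the host names are the redacted ones from the post.

```python
"""Dissect the EAPOL/EAP Response-Identity frame from the captures above and
show why a bare machine name is treated as a user.  Added example; the account
lookup is a model of the behaviour seen in the IAS log, not IAS/NPS code."""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_identity_response(identity: str, eap_id: int, src: str, dst: str,
                            eapol_version: int = 1) -> bytes:
    """Ethernet header + EAPOL header + EAP Response/Identity (the supplicant's
    reply to the Request/Identity shown in the logs)."""
    body = identity.encode()
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(body),
                      EAP_TYPE_IDENTITY) + body
    eapol = struct.pack("!BBH", eapol_version, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ETHERTYPE_EAPOL) + eapol


def parse_identity_response(frame: bytes) -> dict:
    if len(frame) < 14 + 4 + 5:
        raise ValueError("frame too short for Ethernet+EAPOL+EAP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    version, ptype, eapol_len = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPOL type %d is not EAP-Packet" % ptype)
    eap = frame[18:18 + eapol_len]
    if len(eap) < 5:
        raise ValueError("EAP body truncated")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if eap_len < 5 or eap_len > len(eap):
        raise ValueError("EAP length field inconsistent with EAPOL body")
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Response/Identity")
    return {
        "src": frame[6:12].hex(":"),
        "eapol_version": version,
        "eap_id": eap_id,
        "eap_length": eap_len,
        "identity": eap[5:eap_len].decode("utf-8", errors="replace"),
    }


def account_for_identity(identity: str, computers: set, users: set) -> str:
    """Assumed model of the lookup behind the IAS messages above: 'host/<fqdn>'
    is matched against computer accounts, anything else against user accounts.
    A machine name sent without 'host/' is therefore searched as a user."""
    if identity.startswith("host/"):
        fqdn = identity[len("host/"):].upper()
        return "granted:computer" if fqdn in computers else "denied:no-such-computer"
    return "granted:user" if identity.lower() in users else "denied:no-such-user"


# Constructed directory and frames; names follow the redacted ones in the capture.
COMPUTERS = {"SAN-NAME01.INTERNALDOMAIN.COM"}
USERS = {"jofre@internaldomain.com"}
SUPPLICANT, AUTHENTICATOR = "f8:1e:df:e4:88:5a", "00:11:5c:c7:14:90"
PC_FRAME = build_identity_response("host/SAN-NAME01.INTERNALDOMAIN.COM", 1, SUPPLICANT, AUTHENTICATOR)
MAC_FRAME = build_identity_response("SAN-NAME01.INTERNALDOMAIN.COM", 2, SUPPLICANT, AUTHENTICATOR)


def outcome(frame: bytes) -> tuple:
    parsed = parse_identity_response(frame)
    return parsed["identity"], account_for_identity(parsed["identity"], COMPUTERS, USERS)


if __name__ == "__main__":
    for frame in (PC_FRAME, MAC_FRAME):
        print(outcome(frame))
```

The parser also checks the two length fields against each other, which a real supplicant or authenticator should do before trusting the identity string: the EAP Length must fit inside the EAPOL body, and an identity is whatever lies between the 5-byte EAP header and that length.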

  • 802.1X + MAC

    Hi all,
    Are there any resources I could refer to if I want to do 802.1X and MAC authentication for a particular user via Cisco Secure ACS 4.2? Our management would like to have double authentication on the LAN: whenever our staff want to connect to the network, they will need to authenticate first via 802.1X, followed by MAC authentication after that. If 802.1X is OK but the MAC authentication fails, then the staff member will not be able to connect at all and will need to contact the network administrator for help.
    Hopefully one of you is able to give me advice and guidance.
    Thanks very much,
    Regards,

    Have you considered machine authentication with machine access restrictions? If all your end clients are Windows-based, you can leverage a group policy to force machine authentication. In your ACS settings you can enable machine access restrictions and force any client that authenticates with PEAP or EAP-TLS to fall under this condition.
    Thanks,
    Sent from Cisco Technical Support iPad App

  • ActiveSync with Certificate-Based Authentication

    We are trying to set up ActiveSync with certificate-based authentication against Exchange 2010 SP2, but with no luck.
    What has been done so far:
    OWA over HTTPS works fine. A public, trusted certificate is in place.
    Set up ActiveSync against this Exchange server: works fine, using username/password.
    Issued a user cert, signed with an internal CA; the CA cert was successfully imported into all client devices.
    Created a new OWA site with cert-based authentication (just to make sure it works), imported the user certificate into a Mac, visited this OWA site: cert-based authentication works fine.
    Now, with the configuration utility, created a configuration profile with that user cert and an ActiveSync account, left the password blank and chose the imported cert (p12) as the authentication means.
    After installing that last profile the device keeps asking for a password and refuses to synchronize. Logs on the server show error 401.2, so I assume the iPhone is ignoring the cert and is trying to use password authentication instead.
    The devices tested were an iPhone 3G with iOS 4 and an iPad 2 with iOS 5.
    Any help will be greatly appreciated.
    Roman.

    No one with this experience?
    We've done some network analysis (as much as was possible to decrypt) and could see that the server sends an SSL alert (rejection?) to the client after the client presents the certificate.
    That explains why the client falls back to password authentication, but it does not tell us why the server rejects the cert (which is accepted perfectly when accessed from a browser) in the first place.

  • Port-Based Authentication on 877

    Hi,
    I have applied the following commands to enable port-based authentication, but when I run the command sh mac address-table it shows a static MAC on this port (xx    0000.xxxx.xxxx    STATIC      Gi1/0/3).
    authentication control-direction in
    authentication event fail retry 1 action authorize vlan xx
    authentication event no-response action authorize vlan xx
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication port-control auto
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 10
    When I remove the command authentication port-control auto, the sh mac address-table command shows me a DYNAMIC MAC.
    Can anyone please explain to me why this is happening?
    Regards,

    Any input?

  • 802.11 MAC Counters

    Hi,
    I wonder how I can learn the 802.11 MAC counter information from the WLC (picture attached below).
    My questions are:
    1. Are these 802.11 MAC counters counted based on the access point's experience only, not the client's? I mean, are these statistics only as seen by the AP?
    2. What is the normal/standard value for these counters? Should they all be zero "0" except "Tx Fragment Count"?
    If you note a high count of retries, it is probably due to a high number of collisions, right?
    And high numbers of RTS/CTS may indicate frame errors and bad link quality, correct?
    3. I see that the Multicast Tx Frame Count is quite high, but we don't need multicast communication. Can I disable the access point sending multicast packets? Because in my perception this consumes bandwidth too, right?
    Thank you folks...

    Hi,
    This is from the AP's perspective.
    A high number of retries indicates bad link quality.
    Multicast frames are used if any multicast app is used (Windows file sharing uses multicast, for example).
    Whether you have a "high" number of retries or not all depends on the total number of frames sent/received. If you have 10 million frames sent, then 10 thousand retried frames is not considered an issue at all.
    HTH
    Amjad
    Sent from Cisco Technical Support iPad App

  • MAC address list of manufacturers, only for access points

    Hello,
    I'm going to look for forbidden access points on the ports of a huge network. Is there any document that can show me whether a MAC address belongs to an access point or not?

    If you want to do rogue access point detection then you have a few options:
    1. Scan suspected ranges for port 80 servers, as almost every access point has web-based configuration.
    2. Cisco has provided a list of vendor MAC addresses of companies that make access points.
    This list is found in their
    "SAFE: Wireless LAN Security in Depth - version 2"
    whitepaper.
    Check the link
    "http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a008009c8b3.shtml"
    The list is at the very bottom of the whitepaper:
    "Table C-7 MAC OUIs Used by Access Point Vendors"
    "Table C-7 provides a partial list of MAC OUIs used by access point vendors. This table was obtained from the aptools site at aptools.sourceforge.net."

  • How to pass credentials/SAML token to access a SharePoint web service (e.g. lists.asmx) when SharePoint has single sign-on with claims-based authentication

    How do I pass credentials / do the SAML token exchange to the SharePoint web service (e.g. lists.asmx) when SharePoint has single sign-on with claims-based authentication?
    The identity provider here is Oracle Identity Provider.
    harika kakkireni

    Hi,
    The following materials are for your reference:
    Consuming List.asmx on a claims-based SharePoint site
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
    SharePoint claims-based authentication and single sign-on
    http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
    SharePoint claims-based authentication web service issue
    http://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
    Best Regards
    Dennis Guo
    TechNet Community Support
