802.1X + MAC

Hi all,
Are there any resources that I could refer to if I want to do 802.1x & MAC
authentication for a particular user via Cisco Secure ACS 4.2? Our
management would like to have double authentication on the LAN: whenever our
staff want to connect to the network, they will need to authenticate first via
802.1x, followed by MAC authentication after that. If 802.1x is OK but the
MAC authentication fails, then the staff will not even be able to connect
and they will need to inform the network administrator for help.
Hopefully one of you is able to give me advice and guidance.
Thanks very much,
Regards,

Have you considered machine authentication, with machine access restrictions? If all your end clients are Windows based you can leverage a group policy to force machine authentication. On your ACS setting you can enable machine access restrictions and force any client that authenticates with PEAP or EAP-TLS to fall under this condition.
Thanks,

Similar Messages

  • 802.11 MAC counters high values

    Hi,
    I have a WLC 2106 with 3 APs.  Everything works and users can connect, but the throughput seems to be lower than it should be (it is around 8Mbps and should be around 30-50Mbps).  And all speed and duplex settings have been accounted for.
    I need help trying to understand the stats that I see for the 802.11 MAC counters under the Wireless APs on the controller.
    That screenshot is attached.  I see high numbers for the following areas:
    - Tx Failed Count
    - RTS Failure Count
    - FCS Error Count
    Can someone explain what these mean and what could cause this?  Maybe these are normal and not a concern.
    And could these values result in low throughput and higher-than-expected latency?
    Thank you very much!
    -rya

    any ideas please?
    -rya

  • 802.11 MAC Counters

    Hi,
    I wonder how I can learn information about the 802.11 MAC Counters from the WLC (picture attached below).
    My questions are:
    1. Are these 802.11 MAC Counters counted based on the access point's experience only, not the client's? I mean, are these statistics only seen by the AP?
    2. What is the normal value / standard value for these Counters? Should they all be zero ''0'' except "Tx Fragment Count"?
    If you note a high count of retries, it is probably due to a high number of collisions, right?
    And high numbers of RTS/CTS may indicate frame errors and bad link quality, correct?
    3. I see that Multicast Tx Frame Count is quite high but we don't need multicast communication. Can I disable the access point sending multicast packets? Because in my perception this also consumes bandwidth, right?
    Thank you folks...

    Hi,
    This is from my AP perspective.
    A high number of retries indicates bad link quality.
    Multicast frames are used if any multicast app is used (Windows file sharing uses multicast, for example).
    Whether you have a "high" number of retries or not all depends on the total number of frames sent/received. If you have 10 million frames sent then 10 thousand retried frames is not considered an issue at all.
    HTH
    Amjad

  • Windows 2012 r2 802.1X MAC Address bypass configuration

    I am setting up MAB for my environment and I want to make sure I am setting it up correctly, as I see some articles stating there is a reg edit needed and others that don't mention it at all.
    I have Dell PowerConnect switch with 802.1X authentication working for my Domain Computers.
    I now want to allow non-802.1x capable devices to be assigned the correct vlans (Printers, IP Phones, etc).
    I have created a user account in AD for the device, using lowercase MAC Address for the username and password.  
    I have set the switchport to allow MAB
    I have created a NPS Network Policy for one of the devices and assigned the groups it belongs to and set Authentication Method to: Unencrypted (PAP,SPAP).
    I keep receiving this error in the logs "The user attempted to use an authentication method that is not enabled on the matching network policy"
    Does anyone have advice or can direct me to a nice guide/checklist of all the areas that need to be set to allow this to happen?

    You've posted in the Print/Fax forum, but I can see you've also posted in the NAP forum. You'll likely get a better response over there, so maybe you should delete this question in here..
    Don

  • 802.1x mac based authentication

    We have Cisco ACS 3.3. Is there a way to do authentication based on MAC address, instead of username and password? We are looking to stop things such as user-purchased access points and whatnot. Any info would be great.

    Yes you are right, I misunderstood you. I was under the impression that you were talking about doing MAC based authentication on your APs, not the switches. That is why I made mention of port security.
    The 2 options would be standard port security or 802.1x port security if your switches support this.
    In order to use 802.1X port security, your switch would need to support it and the clients connecting to the switch would require a supplicant (EAP-TLS, EAP-TTLS, etc.) in order for them to work, not by MAC address alone.
    You can configure standard port security on the switch, which will accomplish your intentions and not even need to use the ACS server.
    Standard port-based security by MAC:
    http://www.cisco.com/en/US/products/hw/switches/ps663/products_configuration_guide_chapter09186a008007d3ce.html
    802.1x port-based security:
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801a6c72.html

  • 802.1x: MAC Authentication Bypass

    Hey sorry for keeping bugging you guys...
    So I am configuring this Bypass thing on my 3750 switch. It works fine. It seems the switch will send an access request to the RADIUS server (I use FreeRADIUS) with the username/password both as the MAC address of the device.
    However my dilemma is that I have 200+ of these devices. I can easily create a user group with MACs starting with 00a008 (which are the first 3 octets of the MAC addresses), however it's impossible to include each of the MAC addresses as the password!
    So my question is whether there is a way to configure the switch to use a static string as the password for all the devices using MAC Authentication Bypass?
    Thank you!!
    Difan

    Difan:
    I went through your post and understand that you are in the process of configuring 802.1x with MAB in such a way that you use a custom password (other than the MAC address) for all users, OR a shared password string that should be sent by the switch, but this is not possible.
    Reason: the switch only sends the device MAC address as the username and password. The user name should be the MAC address of the client and the password should be the same as the username, and this can't be changed on Cisco switches.
    I have also attached a document regarding MAB for your better understanding.
    This forum is only for you guys...keep bugging us
    HTH
    JK
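The constraint JK describes above (the switch puts the MAC address in both User-Name and User-Password, and that cannot be changed on the switch) means the flexibility Difan wants has to live on the RADIUS side. The following is an added example, not code from the thread, FreeRADIUS or Cisco: it models the switch's MAB Access-Request and a RADIUS-side decision that normalizes the MAC, insists that username and password are the same MAC, then authorizes either an individually provisioned device or any device whose OUI prefix (Difan's 00a008) is on a group list, returning the standard VLAN-assignment attributes. The provisioning data is constructed; the Service-Type=Call-Check marker is how Cisco's MAB implementation labels such requests and is assumed here to keep MAB separate from ordinary PAP logins.

```python
import re

# Constructed provisioning data (not from the thread): individually listed MAB devices
# keyed by 12 lowercase hex digits -> VLAN, plus an OUI prefix -> default VLAN for a
# whole class of devices that share the first three octets.
KNOWN_DEVICES = {
    "00a0080a0b0c": 30,   # e.g. an IP phone (constructed)
    "00a008112233": 30,
    "001122334455": 40,   # e.g. a printer from another vendor (constructed)
}
ALLOWED_OUIS = {"00a008": 30}


def normalize_mac(value):
    """Accept aabb.ccdd.eeff, aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or bare hex.

    Different switches send different formats; the policy compares a canonical form.
    Returns 12 lowercase hex digits, or None if the value is not a MAC at all.
    """
    digits = re.sub(r"[:.\-]", "", value.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def build_mab_request(mac):
    """Attributes a Cisco switch puts in a MAB Access-Request: both credentials are the MAC.

    Service-Type=Call-Check is the marker Cisco MAB uses (assumption, see lead-in).
    """
    return {"User-Name": mac, "User-Password": mac, "Service-Type": "Call-Check"}


def mab_authorize(request, devices=KNOWN_DEVICES, ouis=ALLOWED_OUIS):
    """Decide a MAB Access-Request. Returns (reply_code, attributes_or_reason)."""
    if request.get("Service-Type") != "Call-Check":
        # A normal PAP login that happens to use a MAC-looking username is not MAB.
        return ("Access-Reject", "not a MAB request")
    user = normalize_mac(request.get("User-Name", ""))
    pw = normalize_mac(request.get("User-Password", ""))
    if user is None or user != pw:
        return ("Access-Reject", "User-Name and User-Password must both be the device MAC")
    if user in devices:
        vlan = devices[user]               # individually provisioned device
    elif user[:6] in ouis:
        vlan = ouis[user[:6]]              # vendor-wide group, as Difan wanted
    else:
        return ("Access-Reject", "MAC %s is not provisioned" % user)
    # RFC 2868 tunnel attributes that switches use for dynamic VLAN assignment.
    return ("Access-Accept", {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    })


if __name__ == "__main__":
    for mac in ("00a0080a0b0c", "00a008ffffff", "deadbeef0001"):
        print(mac, mab_authorize(build_mab_request(mac)))
```

The OUI rule is the convenience the thread asks for, but it is also the weak spot: anything presenting a matching first three octets is accepted, and a MAC address is a cloneable identifier rather than a secret, so the VLAN handed out to an OUI group should carry only the access those devices actually need.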

  • 802.1x MAC authentication

    Hi,
    I've been searching for the right solution for my problem on and on for the last week on this forum and other sites. I didn't get a clear answer so here I am posting it:
    Is it possible to do MAC-based authentication and VLAN assignment with 802.1x against a RADIUS server? _I know_ you will give me the VMPS solution, which I have already taken into consideration, but I would rather do it with 802.1x if it is possible for a number of reasons.
    I'm not looking to do port filtering (to allow only one MAC address defined in the switch). The switch should interrogate the RADIUS server as to whether the MAC has access and what VLAN it should be placed on; all that by means of 802.1x. Can it be done?
    Thanx.
    Gabi.

    Yes, the switch will merely pass the 802.1x from the client to the RADIUS server; the bulk of the configuration is done on the server. At the switch it's called "Using 802.1X with VLAN Assignment". Here is a link for a Cat4000 on how to configure 802.1X with VLAN assignment:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_25a/conf/dot1x.htm#wp1142124
    But you can find configuration guides for other platforms through UniverCD:
    http://www.cisco.com/univercd/home/home.htm
    And here is a link on Using a RADIUS Server to Assign Users to VLANs:
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1200/accsspts/b1237ja/i1237sc/s37vlan.htm#wp1038739

  • 802.1x Mac-Adress Based Authentication

    I am wondering if we are going to see, or now have, the ability to authenticate hosts on the LAN with something other than a Username / Password? I am mostly concerned with ports on my network where the end device is a non-802.1x compliant device. Anyone have any insight as to what others are doing? Currently I am running ACS 3.3.2 and I am very successful in deploying 802.1x to ports on my LAN, however we run a mix of Unix based devices which are vendor supported, and printers are another source of concern.

    We had pretty good luck using a Cold Fusion front end that forces users to authenticate with their AD credentials. It pulls the MAC address and host name and user/machine details and puts them in an ODBC database.
    We modified the sample stub routine to have the CSDB stub routine add the MAC to the local database in the PAP field.
    Kind of a nice compromise of identity and machine based authentication without the complexities of PEAP/EAP-FAST etc.

  • AEBS 802.11n (Mac + PC) question

    I originally installed my Airport to work with my MacPro under OS X a few weeks ago, and the other day I just installed the software for Windows so I could manage printers and drives and the network under XP.
    I get this notification:
    AirPort Base Station Update 2007-002 for Windows
    If I update it under Windows does it have an effect on the base station or is it simply software for the Windows utility?
    thank you!!

    If I update it under Windows does it have an effect on the base station or is it simply software for the Windows utility?
    AirPort Base Station Update 2007-002 for Windows provides the updates for the following AirPort Utilities:
    o AirPort Utility
    o AirPort Base Station Agent
    o AirPort Disks Control Panel

  • High 802.11 MAC Counters Errors on WLC

    When I log into our WLC I see a very high TX Failed, ACK Failure, RTS Failure and FCS Error Counts. Is this normal? How can I troubleshoot this problem? We have 10 LAPs that are in the same network as the managed and ap manager interfaces on the WLC. Thanks.

    Quantify very high please. Truly very high error rates usually are due to multipath issues in your RF network. However, MTU size can also have an effect. If you could, please send over a list of errors from a 10 minute slice of time under normal load. This will assist us in understanding your network. Also, please include client device types and overall network environment on the RF side.

  • Will older macs ever work with 802.11n

    Just wondering if the requirements for 11n is just a matter of buying a new network card or does the hardware also have to support it as well. I ask only because I have a G4 & G5 on my existing airport network. Have a MacBook Pro also on network. I would like all of them to be at the same speed if possible.
    multiple macs   Mac OS X (10.4.8)  

    retouch4food, Welcome to the discussion area!
    As you undoubtedly know from reading the "Help & Terms of Use" for this area, we are all Mac users like yourself. Therefore we have no special knowledge of future Apple plans or products. Also the discussion of future plans and products is forbidden in this discussion area.
    But... based on past history... it is very doubtful that you will see any type of 802.11n upgrade for existing non-802.11n Macs. 802.11n depends on multiple antennas to perform its magic and it would be very difficult to change built-in antennas in the existing Macs.
    With all that said... if you want to give your non-802.11n capable Mac 802.11n access, the best solution will probably be an Ethernet 802.11n adapter.

  • Sg300 - 802.1x NPS - mac authentication not working

    I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
    Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
    My current port configuration on the SG300:
    interface fastethernet1
     dot1x guest-vlan enable
     dot1x max-req 1
     dot1x reauthentication
     dot1x timeout quiet-period 10
     dot1x authentication 802.1x mac
     dot1x radius-attributes vlan static
     dot1x port-control auto
     switchport mode access
    On the Windows NPS server the following error is shown:
    Authentication Details:
        Connection Request Policy Name:    Secure Wire
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        myradius.local
        Authentication Type:        -
        EAP Type:            -
        Account Session Identifier:        30353030399999
        Reason Code:            1
        Reason:                An internal error occurred. Check the system event log for additional information.
    Compared to the message from the 3850, the authentication type (PAP) is missing, and a not very helpful error message is displayed...

    Still not working.
    I tried different settings and (also older) software versions on the SF302-08P.
    Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
    The NPS reports the following error:
    Schannel:
    The following fatal alert was received: 40.
    EventID 36887
    If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
    ... is this a bug on the SF302-08P?

  • Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

    Hi experts,
    I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
    i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario:
    Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time a staff member plugs into the company's network, they will need to supply a username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine does not match the ACS database, then the staff will not be able to gain access until they notify the administrator about it.
    ii. If it is possible, is there any reference that I can check on how to configure this?
    The reason why I need MAC authentication + 802.1x to be configured at ACS is that most of our switches are not Cisco based and are only capable of supporting 802.1x.
    Hope anyone here could help me on this.
    Thanks very much,
    Daniel

    With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
    Specific info is here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
    Hope this helps,
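Daniel's "double authentication" requirement above (user credentials must be right AND the machine's MAC must be the one registered to that user, otherwise the user is held off until an administrator registers the device) is what the NAR answer achieves on ACS. The following is an added example, not ACS code or anything from the thread: it models that decision on the RADIUS side, taking the client MAC from the Calling-Station-Id attribute, which switches populate with the supplicant's MAC in 802.1X deployments (an assumption of this example; formats vary by vendor, hence the normalization). The user database, password hashing and the reject reason text are all constructed for illustration.

```python
import hashlib
import hmac
import os
import re


def normalize_mac(value):
    """Canonical 12-lowercase-hex form of a MAC sent in any common separator style, else None."""
    digits = re.sub(r"[:.\-]", "", value.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def make_user(password, registered_macs):
    """Build a constructed user record: salted PBKDF2 password hash + the MACs tied to the profile."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    macs = {normalize_mac(m) for m in registered_macs}
    macs.discard(None)
    return {"salt": salt, "hash": digest, "macs": macs}


# Constructed staff directory (not from the thread): each account lists the machine(s)
# an administrator has registered for it.
USERS = {
    "daniel": make_user("correct horse battery", ["00:11:22:33:44:55"]),
    "gabi": make_user("another-passphrase", ["0a0b.0c0d.0e0f", "66-77-88-99-AA-BB"]),
}


def verify_password(user, password):
    """Constant-time comparison of the PBKDF2 digest."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(digest, user["hash"])


def dot1x_authorize(username, password, calling_station_id, users=USERS):
    """Stage 1: credentials. Stage 2: the MAC in Calling-Station-Id must be registered to that user.

    Returns (reply_code, detail). The detail on a stage-2 reject is the line an administrator
    needs to see, since the thread's process is for the user to ask an admin to register the device.
    """
    user = users.get(username)
    if user is None or not verify_password(user, password):
        return ("Access-Reject", "invalid credentials for %r" % username)
    mac = normalize_mac(calling_station_id)
    if mac is None or mac not in user["macs"]:
        return ("Access-Reject",
                "user %r authenticated but Calling-Station-Id %r is not registered to the account; "
                "administrator must register the device" % (username, calling_station_id))
    return ("Access-Accept", {"User-Name": username, "Calling-Station-Id": mac})


if __name__ == "__main__":
    print(dot1x_authorize("daniel", "correct horse battery", "00-11-22-33-44-55"))
    print(dot1x_authorize("daniel", "correct horse battery", "de-ad-be-ef-00-01"))
```

Both stages are evaluated in the RADIUS server, so, as Daniel notes, the non-Cisco switches only have to speak plain 802.1X; they never need MAB support. The stage-2 reject message is deliberately specific because that event is a support-desk signal (legitimate new laptop) as well as a detection signal (known credentials used from an unknown machine), and the two are told apart by the administrator, not by the policy.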

  • Simple : Which src MAC address when WLC bridges 802.11to 802.3 ?

    When a WLC bridges 802.11 to 802.3, after extracting the original 802.11 frame from LWAPP, does it put the 802.11 sender's
    MAC address as the source addr in the new 802.3 frame?
    Or does it put the WLC's AP manager interface (or the WLC's Management Interface)?
    If you refer to :-
    http://www.cisco.com/en/US/docs/wireless/technology/controller/deployment/guide/dep.html#wp1050985
    One of the bullet points reads :-
    After processing the 802.11 MAC header, the WLC extracts the payload (the IP packet from Host A), encapsulates it into an Ethernet frame, and then forwards the frame onto the appropriate wired network, typically adding an 802.1Q VLAN tag.
    Should it include :-
    and adds the MAC address of the Wireless client as the SOURCE MAC ADDRESS to the outgoing Ethernet Frame??
    Also, will an ARP for a wireless client yield the MAC address of the WLC or the AP?
    Thanks

    It looks like the src address of the original 802.11 client goes to the 802.3 frame as the source.
    So am I correct in thinking that (in a flat topology, no L3 routing) the WLC will appear to an attached switchport as a trunk
    (not necessarily 802.1q, but usually) with multiple MAC addresses learned from it.
    Any host on the LAN will send a packet for DEST MAC, which will eventually be SWITCHED (via L2 switching), upto the WLC.
    The WLC will then send it over lwapp to the AP, and the AP will send it to the client.
    But as far as the mac-address-table is concerned of any switch directly attached to the WLC, it will see
    all client MAC address for ALL wireless stations for ALL AP's... Correct ?
    Thanks
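The two questions in this post (which MAC ends up as the 802.3 source, and what the upstream switch then learns on the WLC-facing port) follow directly from how the three 802.11 address fields map to Ethernet, so here is an added example that is not part of the thread or of any Cisco code: it builds a constructed station-to-AP data frame, re-encapsulates its LLC/SNAP payload as Ethernet II with an optional 802.1Q tag the way the quoted deployment guide describes, and then shows a switch's MAC table learning every wireless client's address on the single ingress port. All addresses and the payload are constructed; LWAPP framing is omitted because it is stripped before this step.

```python
import struct

# Constructed sample addresses (not from the thread).
CLIENT_MAC = bytes.fromhex("001122334455")   # wireless station, the true source (SA)
CLIENT2_MAC = bytes.fromhex("00112233aabb")  # a second station on the same AP
BSSID = bytes.fromhex("aabbccddeeff")        # AP radio MAC
WIRED_HOST = bytes.fromhex("0a0b0c0d0e0f")   # destination on the wired LAN (DA)
IP_PAYLOAD = bytes.fromhex("4500001c00010000401100000a0000010a000002")  # constructed IPv4 header stub

# LLC (DSAP/SSAP 0xAA, control 0x03) + SNAP (OUI 00-00-00, EtherType 0x0800): how IP rides in 802.11.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def build_dot11_to_ds_frame(sa, bssid, da, payload, llc_snap=LLC_SNAP_IP):
    """Minimal 802.11 data frame as a station sends it to its AP (ToDS=1, FromDS=0, no QoS)."""
    fc = 0x0008 | 0x0100   # type=Data in bits 2-3 of the first byte; ToDS is bit 0 of the second byte
    header = struct.pack("<HH", fc, 0) + bssid + sa + da + struct.pack("<H", 0)  # Addr1..3 + SeqCtl
    return header + llc_snap + payload


def parse_dot11_data(frame):
    """Resolve SA/DA/BSSID from the three-address 802.11 header according to the ToDS/FromDS bits."""
    fc, _duration = struct.unpack_from("<HH", frame, 0)  # 802.11 fields are little-endian
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frames are not handled here")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24 + (2 if fc & 0x0080 else 0)  # QoS Data subtypes add a 2-byte QoS Control field
    if to_ds:        # station -> AP: Addr1=BSSID, Addr2=SA, Addr3=DA
        sa, da, bssid = a2, a3, a1
    elif from_ds:    # AP -> station: Addr1=DA, Addr2=BSSID, Addr3=SA
        sa, da, bssid = a3, a1, a2
    else:            # ad hoc:       Addr1=DA, Addr2=SA, Addr3=BSSID
        sa, da, bssid = a2, a1, a3
    return {"sa": sa, "da": da, "bssid": bssid, "body": frame[hdr_len:]}


def dot11_to_ethernet(frame, vlan_id=None):
    """Re-encapsulate as Ethernet II. The station's MAC, not the AP's or WLC's, is the 802.3 source."""
    f = parse_dot11_data(frame)
    body = f["body"]
    if body[:6] != bytes.fromhex("aaaa03000000"):
        raise ValueError("expected LLC/SNAP encapsulation")
    ethertype, payload = body[6:8], body[8:]
    tag = struct.pack("!HH", 0x8100, vlan_id & 0x0FFF) if vlan_id is not None else b""
    return f["da"] + f["sa"] + tag + ethertype + payload


def learn_mac_table(ethernet_frames, ingress_port):
    """What the switch facing the WLC learns: every wireless client's MAC lands on that one port."""
    table = {}
    for eth in ethernet_frames:
        table[eth[6:12]] = ingress_port   # source MAC of the Ethernet II frame
    return table


if __name__ == "__main__":
    frames = [build_dot11_to_ds_frame(m, BSSID, WIRED_HOST, IP_PAYLOAD) for m in (CLIENT_MAC, CLIENT2_MAC)]
    eth = [dot11_to_ethernet(f, vlan_id=10) for f in frames]
    print("802.3 source MAC:", eth[0][6:12].hex(":"))
    print("switch MAC table:", {k.hex(":"): v for k, v in learn_mac_table(eth, "Gi1/0/1").items()})
```

This is why the WLC-facing port looks like a trunk with a crowd of MACs behind it: the switch is learning real station addresses, so per-port MAC limits or port security on that link must be sized for the wireless population, and an ARP for a wireless client is answered with the client's own MAC, not the WLC's or the AP's.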

  • HELP! I NEED TO CONNECT WINDOWS VISTA AND MY MAC TO AIRPORT EXTREME !!!!!!!

    *I'm getting frustrated!*
    Specs:
    I just bought an Airport Extreme (802.11n)
    Mac OS X 10.5.4 & Windows Vista
    I want to connect the Airport wirelessly to my Mac and some other wireless devices but also connect it through my D-Link DSL-302G internet modem. So what I exactly want to do is Airport via Ethernet cable to DSL modem, then DSL modem via USB to my Windows Vista PC.
    Problem: There is only one Ethernet plug on both the DSL modem and the Airport Extreme. On my Windows Vista I can't figure out how to use the internet using the USB cable.
    By the way, my Windows PC DOES NOT have a wireless card.
    Since this also associates with Windows --> so if you can't help me with the Windows side of things, at least give me a link .. :D:D:D:D:D

    Sounds like you've got an Airport Express, not an Airport Extreme!
    The Extreme has 4 ethernet ports, and would do exactly what you want - not sure about the Express, as I've never used one.
    Try posting a new thread, asking about sharing an internet connection using an Airport Express.
