ACS v4.1 PEAP and MAC Address Validation

I would like to authenticate to an ACS server via both 802.1x (PEAP) and also validate the MAC address of the user. Can both of these be done? I have 802.1x (PEAP) working to the ACS and Active Directory, but now I would like to add the MAC addresses of the laptops. Can I use Network Access Profiles and add the MAC address under MAC-Authentication Bypass?
Your assistance is appreciated.

I seem to have figured my way out of this. The reason for the short dot1x timer is that we are using MAB to authenticate the client MAC, so we actually WANT the dot1x authentication to timeout as quickly as possible for the secondary (MAB) authentication to execute.
I'm also suffering from the age-old problem of interpreting the logic of a config originally implemented by someone else. I'm wondering if all the dot1x commands we have are actually necessary in our situation.
What I have found when comparing new switches to old is that on the 3750s, show authentication sessions for an interface only shows mab as a runnable method, while on the 3850s it lists dot1x, mab and webauth (in that order). Using authentication order mab and authentication priority mab on an interface of the 3850 seems to do the trick. With debug mab turned on you can see the mab authentication working and the switch then allows the interface to pass traffic. Just as importantly, it blocks the port if I try using a client whose MAC is not in the ACS database.
Appreciate your help.

Similar Messages

  • WLC+LAP+ACS4.0 achieving 802.1x PEAP and MAC address authentication ?

    How do I configure WLC + LAP + ACS 4.0 to do username/password authentication and MAC address authentication at the same time?

    This might help with the PEAP:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00807917aa.shtml
    MAC Authentication
    Add a MAC Address to ACS
    Complete these steps:
    1. From the ACS main menu, click on the User Setup button.
    2. In the User text box, enter the MAC address to add to the user database.
    Note: The MAC address must be exactly as it is sent by the AP for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is being reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.
    3. On the User Setup screen, enter the MAC address in the Secure-PAP password text box.
    4. Check the Separate (CHAP/MS-CHAP) box.
    5. Enter a password for CHAP/MS-CHAP (this password should be different from the MAC address).
    6. Click Submit.
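    The note above is the part of this procedure that bites people: ACS compares the User-Name and password it receives with the literal string you typed, so the MAC has to be in exactly the format the AP or switch sends it, with no stray characters from a copy/paste. The following is an added example (my own code, not part of the original post and not ACS code) that models steps 2 to 6 as a small PAP check. Unlike ACS it canonicalizes the address first, so it shows how different NAS formats (Cisco dotted, dashed, colon-separated) relate, and it flags invisible characters the way you would otherwise have to infer from the Failed Attempts log. The MAC, CHAP password and request values are constructed samples.

```python
import re
from dataclasses import dataclass

# Strip the separators the common NAS formats use ("0011.2233.4455",
# "00-11-22-33-44-55", "00:11:22:33:44:55") and return 12 lowercase hex digits.
def canonical_mac(raw: str) -> str:
    digits = re.sub(r"[.:-]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.lower()

# The "phantom characters" the note warns about: anything that is neither a hex
# digit nor a separator, e.g. a non-breaking space or CR dragged in by copy/paste.
def phantom_characters(raw: str) -> list[str]:
    return sorted({c for c in raw if not re.fullmatch(r"[0-9A-Fa-f.:-]", c)})


@dataclass
class AcsMacUser:
    pap_password: str   # the MAC again, stored canonical (Secure-PAP box, step 3)
    chap_password: str  # separate CHAP/MS-CHAP password (steps 4 and 5)


def add_mac_user(db: dict, mac_as_sent: str, chap_password: str) -> str:
    """Steps 2-6: add a user whose name and PAP password are the MAC address."""
    bad = phantom_characters(mac_as_sent)
    if bad:
        raise ValueError(f"refusing to store MAC with stray characters {bad}")
    mac = canonical_mac(mac_as_sent)
    # Step 5: the CHAP/MS-CHAP password must differ from the MAC address.
    if re.sub(r"[.:-]", "", chap_password).lower() == mac:
        raise ValueError("CHAP/MS-CHAP password must not be the MAC address")
    db[mac] = AcsMacUser(pap_password=mac, chap_password=chap_password)
    return mac


def mab_decision(db: dict, user_name: str, password: str) -> tuple[str, str]:
    """PAP check for a MAC-auth request: returns (ACCEPT|REJECT, reason).

    The reason strings are what you would look for in the Failed Attempts log
    to see how the NAS is reporting the MAC."""
    bad = phantom_characters(user_name)
    if bad:
        return "REJECT", f"User-Name {user_name!r} contains stray characters {bad}"
    try:
        mac = canonical_mac(user_name)
    except ValueError:
        return "REJECT", f"User-Name {user_name!r} is not a MAC address"
    user = db.get(mac)
    if user is None:
        return "REJECT", f"unknown user: NAS sent {user_name!r} (canonical {mac})"
    try:
        sent_pw = canonical_mac(password)
    except ValueError:
        return "REJECT", f"password sent for {user_name!r} is not a MAC address"
    if sent_pw != user.pap_password:
        return "REJECT", f"password mismatch for {user_name!r}"
    return "ACCEPT", f"MAC {mac} matched"


if __name__ == "__main__":
    db = {}
    add_mac_user(db, "0011.2233.4455", "chap-secret-1")  # constructed sample entry
    for user_name, pw in [("00-11-22-33-44-55", "00-11-22-33-44-55"),   # known MAC, dashed
                          ("aabb.ccdd.eeff", "aabb.ccdd.eeff"),         # unknown MAC
                          ("0011.2233.4455\u00a0", "0011.2233.4455")]:  # pasted with NBSP
        print(repr(user_name), mab_decision(db, user_name, pw))
```

    Run it and the third request is rejected even though the visible digits are right; that is the phantom-character case, and a real ACS would show it in the Failed Attempts log as a username that looks correct but does not match.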

  • ARP aging time on router and MAC address aging time on switches set close to each other

    Hi,
    appreciate some advice on the following:
    what is the benefit of setting arp aging time on router and mac address aging time on switches close to each other?
    Thanks,
    Christina

    Hi,
    based on the below output, do you think implementing it will benefit? Thanks.
    C2950#sh int fa0/43
    FastEthernet0/43 is up, line protocol is up (connected)
    Hardware is Fast Ethernet, address is 000d.5e11.4e2b (bia 000d.5e11.4e2b)
    MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
    reliability 255/255, txload 7/255, rxload 2/255
    Encapsulation ARPA, loopback not set
    Keepalive set (10 sec)
    Full-duplex, 100Mb/s
    input flow-control is off, output flow-control is off
    ARP type: ARPA, ARP Timeout 04:00:00
    Last input never, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 933000 bits/sec, 149 packets/sec
    5 minute output rate 2981000 bits/sec, 263 packets/sec
    2819781393 packets input, 3782332886 bytes, 0 no buffer
    Received 266693 broadcasts (0 multicast)
    0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 watchdog, 0 multicast, 0 pause input
    0 input packets with dribble condition detected
    4015025747 packets output, 2328228393 bytes, 0 underruns
    0 output errors, 0 collisions, 2 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier, 0 PAUSE output
    0 output buffer failures, 0 output buffers swapped out
    C2950#

  • ISE and WLC 5508 IP and MAc address

    Hi!
    Is it possible to receive both the client IP address and the MAC address at the same time in ISE?
    The WLC lets you choose the RADIUS Call Station ID type as MAC or IP, but not both.
    Thank you,

    If you are using dot1x then no, only the MAC address is sent, since the client does not receive an IP address until authentication succeeds.

  • How to set the IP and MAC address in C program?

    My working environment is a Sun 250 server running Solaris 7. I encountered a problem: how do I set the IP and MAC address from a C program, so that the system changes its IP and MAC at runtime?
    Any idea is welcome! Thanks!

    Hi
    As the simplest possible solution, you can use the system command to run ifconfig, which can set both the MAC address and the IP address of the system. You will have to use setuid though.
    Or you can use the DLPI calls (do a man DLPI or search for the Sun documentation on the same at http://soldc.sun.com) to write a pure C program.
    HTH
    Shridhar

  • Client Identifier and MAC addresses

    Hello Everyone,
    I am migrating my DHCP services from an old SUN server to an OES Linux server. In the old SUN files, my client identifier and mac addresses have a leading pair. So if my mac address is 00:30:C1:57:44:09, it is entered in the SUN files like this: 01:00:30:C1:57:44:09. My question is, do I need to enter that extra pair in my host records for OES Linux DHCP? If I do or don't, does it matter?
    The reason I'm asking is that many of my older printers and even some of the newer ones are not picking up an address from the new DHCP server when the old one expires.
    Thanks,
    Toney.

    On 21/06/2010 19:46, toneyc wrote:
    > I am migrating my DHCP services from an old SUN server to an OES Linux
    > server. In the old SUN files, my client identifier and mac addresses
    > have a leading pair. So if my mac address is 00:30:C1:57:44:09, it is
    > entered in the SUN files like this: 01:00:30:C1:57:44:09. My question
    > is, do I need to enter that extra pair in my host records for OES Linux
    > DHCP? If I do or don't, does it matter?
    Whilst I've seen this with NetWare-based DHCP the DHCP on OES Linux uses
    different objects and is provided by ISC DHCP which does not have this -
    my DHCP hosts are configured just with MAC address.
    If you examine a dhcpHost object in ConsoleOne - clicking the Other tab
    should show the dhcpHWAddress attribute has the value "ethernet
    01:23:45:67:89:ab" (where 01:23:45:67:89:ab is MAC address).
    > The reason I'm asking is that many of my older printers and even some
    > of the newer ones are not picking up an address from the new DHCP server
    > when the old one expires.
    Just printers or other types of devices too?
    If printers, particularly HP ones, check that they're set to pick up IP
    details via DHCP and not BOOTP. Yes should still work but we've seen
    problems here.
    HTH.
    Simon
    Novell Knowledge Partner (NKP)
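    The leading 01 in Toney's Sun entries is the hardware-type byte of the DHCP client-identifier option (option 61, RFC 2132): type 1 means Ethernet, followed by the six-byte MAC. ISC dhcpd does not need that form in a host declaration; a plain hardware ethernet line matches the chaddr field that every Ethernet client fills in, whether it speaks DHCP or BOOTP (the printers Simon mentions often do the latter and send no option 61 at all). As an added example, not code from either poster, here is a converter from the Sun-style string to an ISC host stanza, with encode/decode helpers for option 61 so you can check what a client actually sends in a capture. Host names and addresses are constructed samples.

```python
HTYPE_ETHERNET = 1   # ARP hardware type for Ethernet, the "01" prefix in the Sun files
OPTION_CLIENT_ID = 61


def parse_sun_client_id(text: str) -> tuple[int, bytes]:
    """'01:00:30:C1:57:44:09' -> (1, b'\\x00\\x30\\xc1\\x57\\x44\\x09')."""
    octets = bytes(int(x, 16) for x in text.split(":"))
    if len(octets) < 2:
        raise ValueError(f"client identifier too short: {text!r}")
    return octets[0], octets[1:]


def format_mac(mac: bytes) -> str:
    """Six raw bytes -> the colon form dhcpd.conf expects."""
    return ":".join(f"{b:02x}" for b in mac)


def isc_host_stanza(name: str, sun_client_id: str, fixed_address: str) -> str:
    """dhcpd.conf host entry keyed on the MAC only, the way Simon's hosts are set up.

    'hardware ethernet' matches chaddr, so BOOTP-only printers match too;
    a 'dhcp-client-identifier' line is only useful for clients that send option 61."""
    htype, mac = parse_sun_client_id(sun_client_id)
    if htype != HTYPE_ETHERNET:
        raise ValueError(f"unexpected hardware type {htype}, expected Ethernet (1)")
    if len(mac) != 6:
        raise ValueError(f"Ethernet address must be 6 bytes, got {len(mac)}")
    return (f"host {name} {{\n"
            f"    hardware ethernet {format_mac(mac)};\n"
            f"    fixed-address {fixed_address};\n"
            f"}}\n")


def build_option61(mac: bytes) -> bytes:
    """Option 61 as it appears on the wire: code, length, type byte, hw address."""
    body = bytes([HTYPE_ETHERNET]) + mac
    return bytes([OPTION_CLIENT_ID, len(body)]) + body


def parse_option61(option: bytes) -> tuple[int, bytes]:
    """Inverse of build_option61; rejects a malformed length field."""
    if len(option) < 3 or option[0] != OPTION_CLIENT_ID or option[1] != len(option) - 2:
        raise ValueError("not a well-formed option 61")
    return option[2], option[3:]


if __name__ == "__main__":
    sun_entry = "01:00:30:C1:57:44:09"          # constructed, from the question's example
    print(isc_host_stanza("printer-3f", sun_entry, "192.0.2.25"))
    htype, mac = parse_sun_client_id(sun_entry)
    wire = build_option61(mac)
    print(wire.hex(), parse_option61(wire))    # 3d07010030c1574409 (1, b'\x00\x30...')
```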

  • How to get imei number and mac address of mobile device on adf mobile

    Hi experts,
    I need to get the IMEI number and MAC address of the device (it should work on both Android and iPhone) in ADF Mobile.
    bgrds

    Hi,
    ADF Mobile supports the PhoneGap API. The version must be 2.0 (you can check it with the code snippet below). You can reach the UUID on both platforms via Cordova. In particular, iOS restrictions prevent you from getting the device info you mentioned, but you can get the UUID.
       // Cordova/PhoneGap runtime version; ADF Mobile needs 2.0 or later
       getCordovaVersion = function () {
            var cordovaVersion = device.cordova;
            return cordovaVersion;
        };
        // Per-device identifier available on both iOS and Android
        getDeviceUUID = function () {
            var uuid = device.uuid;
            return uuid;
        };

  • Cisco ACS 5.1 and MAC address identification/quarantining

    A client is rolling out ACS 5.1, with the eventual intent of customization network access based on Active Directory credentials (user/group, etc) – ACL’s and VLAN restrictions will be implemented as part of a “2nd phase” deployment.   For NOW, all they want is the ability to isolate devices connecting to the network by MAC address, meaning: if it’s a recognized MAC address (corporate asset), then allow full access through the port.  If it’s NOT a recognized MAC address (non-corporate asset), then place it in the guest network/VLAN.
    I’m familiar with ACS operation, configuration of policies and authorization rules, and MAC Authentication Bypass (for devices that should not have to authenticate to gain access).  What I don’t know for sure (and haven’t yet been able to find), is if ACS has the ability to react simply to the MAC address and quarantine that host into a guest network.
    Please confirm, and as always, reference links/docs are appreciated.

    Hi,
    The goal you want to achieve is possible, but not with MAB.
    What you want can easily be done if you do machine authentication rather than MAB.
    With machine authentication you have something called Machine Access Restriction, which means that both machine and user authentication have to be done for the user to have access to the network.
    In this scenario, whenever a user tries to log in via dot1x, the ACS checks the machine on which the user is logging in, and the user authentication is only successful if the machine authentication was successful.
    For this to work you have to register the machines in the domain as well as the users.
    Machines that do not exist in the domain will fail machine authentication, and no user will be allowed to log in on that machine.
    To configure this on the ACS you simply have to go to the Authorization part of the Access Policy, click "Customize" and add the Condition "Was machine authenticated", as I show in the image below:
    Then you create a new Rule and this Condition will be available:
    On the client side you need to make sure that they do dot1x machine authentication.
    This gives you a very fast way of securing both machines and users, so that only trusted machines (that exist in the domain) are allowed on the network and users can only access the network by logging in from a trusted machine.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
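    To make the Machine Access Restriction logic in Tiago's answer concrete, here is an added simulation (my own code, not ACS code and not part of the thread). ACS keeps a cache of calling-station MACs that passed machine authentication; the "Was machine authenticated" condition on the user rule is true only while that MAC is in the cache. The domain membership lists, the MACs and the cache lifetime are constructed assumptions (ACS has its own configurable aging time; the 6-hour value here is only a placeholder), and the credential check against AD is represented by a boolean on the request.

```python
from dataclasses import dataclass, field

# Assumed sample directory: one joined machine, one user. Machine identities use
# the host/<fqdn> form that EAP machine authentication presents.
DOMAIN_MACHINES = {"host/laptop01.corp.example"}
DOMAIN_USERS = {"corp\\alice"}
MAR_AGING_SECONDS = 6 * 3600   # placeholder; set to your ACS MAR aging time


@dataclass
class MarCache:
    """Calling-station MAC -> time of the last successful machine authentication."""
    aging: float = MAR_AGING_SECONDS
    entries: dict = field(default_factory=dict)

    def record(self, mac: str, now: float) -> None:
        self.entries[mac] = now

    def was_machine_authenticated(self, mac: str, now: float) -> bool:
        seen = self.entries.get(mac)
        return seen is not None and now - seen <= self.aging


@dataclass
class Request:
    identity: str         # "host/..." for machine auth, "DOMAIN\\user" for user auth
    calling_station: str  # supplicant MAC as the switch reports it
    password_ok: bool     # stands in for the AD credential check


def authorize(cache: MarCache, req: Request, now: float) -> str:
    """Returns the authorization profile: PermitAccess or DenyAccess."""
    mac = req.calling_station.lower()
    if req.identity.startswith("host/"):
        # Machine auth only succeeds for computer accounts that exist in the domain;
        # success is what populates the MAR cache for this MAC.
        if req.identity in DOMAIN_MACHINES and req.password_ok:
            cache.record(mac, now)
            return "PermitAccess"
        return "DenyAccess"
    # User rule: valid user AND "Was machine authenticated" for the same MAC.
    if (req.identity in DOMAIN_USERS and req.password_ok
            and cache.was_machine_authenticated(mac, now)):
        return "PermitAccess"
    return "DenyAccess"


if __name__ == "__main__":
    cache = MarCache()
    t0 = 1_700_000_000.0
    steps = [
        ("domain laptop boots",          Request("host/laptop01.corp.example", "0011.2233.4455", True), t0),
        ("alice logs in on it",          Request("corp\\alice", "0011.2233.4455", True), t0 + 60),
        ("alice on a non-domain box",    Request("corp\\alice", "aabb.ccdd.eeff", True), t0 + 60),
        ("unknown machine tries",        Request("host/rogue.corp.example", "aabb.ccdd.eeff", True), t0),
        ("alice after cache aged out",   Request("corp\\alice", "0011.2233.4455", True), t0 + MAR_AGING_SECONDS + 1),
    ]
    for label, req, when in steps:
        print(f"{label:30s} -> {authorize(cache, req, when)}")
```

    The last line of the run shows the operational side effect worth planning for: once the cache entry ages out (or ACS restarts and loses it), a user who stays logged in past that point will fail re-authentication until the machine authenticates again, which normally only happens at boot or logoff.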

  • Keep losing my wireless and mac addresses wont hold

    For some reason, I could not delete or add any MAC addresses to the AEBS, which I have been using for the past couple of years, so I did a hard reset on the unit. Now I have not added any security yet and the AEBS keeps dropping my wireless connections. Any ideas?

    To perform a Factory Default Reset......
    Pull the power plug from the back of the AirPort Extreme
    Wait 2-3 minutes
    Hold in the reset button and keep holding it for 10-12 seconds while you plug the power back in to the Extreme
    Release the reset button after the 10-12 hold period and allow 25-30 seconds for the Extreme to come back up to a slow blinking amber light
    Before you start to reconfigure the Extreme again, power down your modem for 5-10 minutes, then restart it.

  • SG300 inter-VLAN routing and MAC address changes in incoming packets

    Hello
    I have SG300-20 working in Layer3 mode
    VLAN1 is not used
    Internet gateway is in VLAN211
    Clients are in other VLANs
    Switch is default gateway for clients and itself has internet gateway as default route.
    MAC address of switch is XX:XX:XX:XX:XX:63
    When a client sends traffic to the Internet, the destination MAC address in outgoing packets is XX:XX:XX:XX:XX:63
    But in incoming packets source MAC address is XX:XX:XX:XX:XX:69
    Why does it change? And how can I setup switch to use only XX:XX:XX:XX:XX:63 MAC address?

    Hi Robert,
    I'd like to pick up this old thread because we have a huge problem with the behavior of the SG300 router/switch regarding the "spoofed" MAC source addresses. We have connected this switch to another router which has some special routing capabilities. It routes certain IP packets directly to MAC addresses which it learned from snooping on special traffic.
    When connected to a SG300 router with an Ethernet base address of XX:XX:XX:XX:XX:48 we receive packets with Ethernet source addresses like e. g. XX:XX:XX:XX:XX:49 or XX:XX:XX:XX:XX:4D (depending on which hardware port they came from). Our special router "learns" these MAC addresses and tries to send associated outgoing packets directly to these addresses using e. g. XX:XX:XX:XX:XX:49 as the MAC destination address.
    Our problem is that the SG300 does not forward the packet if the MAC destination address is not equal to the switch's Ethernet base address (XX:XX:XX:XX:XX:48 in our case). This renders the SG300 series useless for our systems.
    Is there new firmware available which fixes this problem for us? We don't care which MAC source address the SG300 uses in incoming packets we receive, but we expect that the SG300 handles packets correctly for outgoing packets we send with this MAC address as the destination address.
    Thanks,
    Chris

  • Looking for my computer name and mac address.  Where do i find them?

    I think this should be straightforward.  Where would I find my Mac Address and name of my computer?  I want to tether with my phone and need to give my phone this info.
    Thanks in Advance.
    Deb

    Your Computer Name is found in the Sharing preferences at the top. For your MAC address open Network preferences, select your desired port such as Wireless then click on the Advanced button. Click on the Hardware tab. You will find it there.

  • Bind interfaces and mac addresses

    I have a server with arch linux installed.
    The server has 2 interfaces, and my problem is that sometimes, whenever I reboot the server, I find that the interface names switch, i.e. what was eth0 is now eth1 and vice versa...
    Of course, this is a major connectivity problem, which forces me to reboot again, and hope that this time Arch will "get it right"...
    I also have several centos/redhat servers in which i found it pretty simple to just add the HWADDR to the ifcfg.ethX file, but i couldn't find anyplace where i can bind the interfaces to a specific mac address in Arch...
    Anyone had the same problem before?

    attila wrote:
    These may be in a future version of Arch's network scripts
    I use udev to get a specific name for my network:
    KERNEL=="eth*", SYSFS{address}=="MAC_ADDRESS", NAME="lan"
    This has worked for about half a year without any problems, so I hope there will be a warning before doing this because then perhaps I have to change my configuration.
    The udev method will continue to work as long as udev doesn't change its syntax. The method I've suggested will not replace it; rather, it will work alongside it.
    James

  • IPhone contacts and Mac address book don't sync

    If I add an entry on the phone and later sync with the mac the new entry doesn't show up in the Mac address book.  If I delete a contact on the Mac address book it doesn't delete on the iPhone.
    I have the right choices made (at least I think I do) in itunes under "info".
    Rocky63

    Not without syncing on connection via USB.
    As you have an iPhone 3G you cannot install iOS 5 and make use of iCloud.
    iCloud would update entries you make on one device appear on the other.
    For iCloud you need a device on iOS 5 and 10.7.2 for your Mac.

  • Airport Utility and MAC addresses - Leopard

    Hello,
    I recently upgraded to Leopard from Tiger, and cannot stress how much I hate this new Airport Utility. It's like Apple tried to simplify the process so much so that it is bordering on extremely annoying. My biggest problem is the removal of the ability to import/export MAC address access lists (.txt file). Lately, I've had to hard reset my AirPort Extreme and Express (as WDS) base stations a few times due to problems, and let me tell you, re-inputting 14 MAC addresses one by one into each base station can be pretty annoying due to the time it takes...especially when all I had to do before was import it from my documents folder.
    Why was this feature removed...? I just don't get it. It's such a simple thing and makes life so much easier. I was wondering if anyone knows a way around this? Is it possible to use or install the AirPort Admin Utility from Tiger on Leopard so that I can get this feature back?
    Many thanks.

    You can download Airport Admin Utility 4.2.5 from Versiontracker: http://www.versiontracker.com/dyn/moreinfo/macosx/15748
    It's supposed to run under Leopard. My version (4.1.1) runs just fine for me but I stopped using it after Airport Utility came out. I didn't notice they removed the MAC import / export feature until reading your post.
    Edit to add: You might like this one too:
    Airport Management Utility 1.0
    http://www.macupdate.com/info.php/id/14758
    Message was edited by: John Galt

  • Rebooting fabric interconnect and mac addresses

    I rebooted the subordinate and noticed that I lost only one ping on a VM, and saw that its MAC address showed up on the primary.
    After the subordinate came back online, I did a show mac address-table on the subordinate and noticed that a bunch of MAC addresses showed back up on the subordinate.
    How does UCS know which MAC addresses to use on the subordinate or primary when the subordinate comes back online?
    The VM that I was pinging was initially on the subordinate, but after the reboot it was on the primary,
    yet other MAC addresses are already showing on the subordinate right after the reboot.

    Register to Ciscolive365 and download BRKCOM-3003 , which has answers to all your questions.
