EAP with MAC Authentication

Quick question on EAP with MAC auth....
Documentation shows that if you enable EAP with MAC, clients that do not support EAP authentication, will then be able to use MAC. Is it possible to enforce that clients use both EAP and MAC? I don't want to create a security hole by allowing clients to skip the EAP and only use MAC.
Here is the text from http://www.cisco.com that supports above. Is this true, or am I just being paranoid?
You can set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication. When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication

I have this exact same question on a 1242 AP running c1240-k9w7-mx.123-8.JA2
I was told that it is possible on this version of IOS to select the with EAP or MAC Authentication, but I have had no success in doing so.
On a Windows XP SP2 client with the WPS-IE update installed, I disabled encryption and have open authentication selected. Nonetheless, the client continues to ask for credentials to connect to the network (I also deleted the registry keys that store these 802.1x credentials).
Does anyone have an answer that we can use?

Similar Messages

  • WPA PSK doesn't work with MAC Authentication. AP1231G

    Hi, yesterday I've installed an Aironet Access Point 1200 series AP1231G for the first time.
    I'd like to use MAC Authentication with a WPA Pre-Shared Key. But it doesn't work. If I choose "Open Authentication with MAC Authentication", I can't type a WPA Pre-Shared Key. The system doesn't keep it.
    It only works with "Open Authentication" without MAC-Filter.
    Settings:
    Encryption Manager: TKIP
    SSID Manager
    1. Client Authentication: Open Authentication with MAC Authentication
    2. Key Management: Mandatory WPA + WPA Pre-Shared-Key
    If I type in a Pre-Shared-Key and click on "Apply", the Pre-Shared-Key gets lost.

    Tina,
    In Cisco IOS releases 12.3(4)JA and later, you cannot enable both MAC-address authentication and WPA-PSK.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00804e7d09.html#wp1034916

  • WPA 2 with Mac authentication

    Hi all,
    I am faced with a dilemma. I have implemented a wireless network throughout our main building using WPA2 LEAP authenticating against Active Directory. Now the Security Engineer is griping that MAC authentication be used in addition. The only reason I did not choose this option is because I believe that the MAC is transmitted with an initial packet and can be spoofed anyway, not to mention the overhead of tracking all MACs. Does anyone have any input on this issue that would help the argument of supporting or not supporting the authentication methods I just spoke of? Any help is greatly appreciated!

    Well, if your security engineer is so dead set on adding MAC address to the authentication process even though he knows that MAC address can be spoofed (its biggest vulnerability) - good luck with changing his mind.
    I had experience with MAC authentication at the enterprise level. I used it along with WEP. Obviously there is no AD or RADIUS in place. Entire list of MAC addresses is kept on all APs to facilitate enterprise-wide roaming. Well, having a list of 300 MACs on the AP makes the authentication process painfully slow. I don't know how many clients you have and what kind of RADIUS server you are using. The impact will be different in your case.
    Apart from slow authentication process because of gigantic list of MACs, it is very hard to keep up with all MACs because of new laptops and upgraded client adapters, etc. If the users make a fuss, your Security Engineer may change his mind.
    HTH

  • PEAP with MAC authentication

    I am getting ready to deploy some access points and I am using MS PEAP with ACS and Active Directory. I was thinking about using MAC authentication as well but I noticed something. In order to get MAC authentication to work you have to put the MAC address in ACS as a user, using the MAC address as both the username and password. When I connect to my access point it prompts me to enter a username and password. You normally would enter your Active Directory account here, but I noticed that if you just enter your MAC address as the username and password you can get onto the network. Isn't this a security hole? An attacker could basically "sniff" the air for MAC addresses since these are not encrypted. He could then easily spoof his MAC address and also use the MAC address as the username and password to gain access. Is there a way to avoid this?

    Hi,
    You could consider using Network Access Restrictions which is a form of MAC filtering and will prevent you from having to add the MAC addresses of users to your ACS database.
    This basically binds a client's MAC address to an access point, so if a user tries to log in from a different MAC address using their normal account it will be denied by ACS, so you are effectively binding users to MAC addresses from allowed Access Points.
    The MAC address could probably still be sniffed however this would not be enough to allow a login to the network.
    It's configured on a per user basis
    If you edit a user, scroll down to the
    "Define CLI/DNIS-based access restrictions" and tick the box
    Select the AP to which you will permit the client MAC from in the "AAA Client" drop down
    enter "*" for the port
    and enter the MAC address in the Address field
    I can't quite remember the format of the MAC address but I think it needs to be in HHHH.HHHHH.HHHH
    There's a white paper on it here:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
    HTH
    Paddy
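
The check below is an added example, not code from the thread or from Cisco: it scans RADIUS authentication records for the situation described in the question, an accepted PEAP login whose username is one of the MAC-address accounts. The `key=value` record layout, the field names and the sample MAC addresses are constructed for illustration and are not the ACS log format.

```python
import re

# Constructed sample of RADIUS authentication results, one key=value record
# per line. This is NOT the ACS or IAS log format; the field names are assumed.
SAMPLE_LOG = """\
user=alice@corp.example csid=02-00-00-00-00-0A method=PEAP result=pass
user=020000000001 csid=0200.0000.0001 method=MAC result=pass
user=020000000001 csid=02:00:00:00:00:0B method=PEAP result=pass
user=020000000002 csid=0200.0000.0002 method=PEAP result=pass
user=020000000003 csid=02-00-00-00-00-03 method=PEAP result=fail
"""


def norm_mac(text):
    """Return 12 lowercase hex digits for a MAC in any common notation, else None."""
    digits = re.sub(r"[-:.\s]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def parse_record(line):
    """Split 'k=v k=v ...' into a dict."""
    return dict(pair.split("=", 1) for pair in line.split())


def mac_accounts_used_via_eap(log_text):
    """Find accepted EAP logins whose username is a MAC-address account.

    A MAC account (username == password == MAC) is meant to be presented by
    the access point during MAC authentication. Seeing it accepted through an
    EAP method means somebody typed it into the supplicant prompt.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_record(line)
        account = norm_mac(rec.get("user", ""))
        if rec.get("result") != "pass" or account is None:
            continue  # rejected attempt, or an ordinary directory account
        if rec.get("method") == "MAC":
            continue  # AP-generated MAC authentication: expected use
        station = norm_mac(rec.get("csid", ""))
        hits.append({
            "line": lineno,
            "account": account,
            "station": station,
            # False: the account was used from an adapter other than its own
            "same_adapter": station == account,
        })
    return hits


if __name__ == "__main__":
    for hit in mac_accounts_used_via_eap(SAMPLE_LOG):
        print(hit)
```
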

  • Can't send in Apple Mail with .Mac - authentication problem

    I use Entourage on my laptop for my business account and Apple Mail on my laptop for my .mac account. Sometimes when I travel and am using hotel and Tmobile wireless hotspots, I have to turn off password authentication for my SMTP server in order to send mail. This works like a champ in Entourage, but when I try to turn off password authentication in Mail for my .Mac account, it automatically still tries to authenticate! This results in me not being able to send .Mac mail. I tested this in Entourage on my .Mac account, turned off authentication for smtp.mac.com and it works, so this is definitely an Apple Mail problem specific to .Mac. Has anyone else experienced this? Is there a fix? I have tried to create a new smtp.mac.com account in Apple Mail that does not authenticate, but somehow it changes into an smtp account with password authentication. Help.

    I've been sending ".doc" files from both Mail and Entourage for some time without a problem.
    Having said that, is there a chance that your Internet Service Provider is somehow blocking some file types?
    I've recently come across a couple of European internet providers who do block executables and key file types that are known to cause problems or that might contain viruses/trojans.

  • WPA2-PSK with open MAC authentication

    Can anyone help me with the configuration of Autonomous ap with WPA2-PSK with mac authentication..?
    I tried configuring and created 700 ACL. But it's not working.

    Once I enable MAC authentication, "wpa-psk ascii 7 06020C234D1F5B4A511416" disappears. :(
    Model: AIR-SAP1602E-N-K9
    IOS: ap1g2-k9w7-mx.152-2.JB2/ap1g2-k9w7-mx.152-2.JB2
    Getting Error: WPA-PSK not supported with MAC address authentication configured

  • Cisco aironet 1040: create wireless with wpa2 and mac authentication

    Hi,
    I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
    I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
    Can anyone help me? thanks

    ap#show configuration
    Using 2085 out of 32768 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid Svez
       authentication open mac-address mac_methods
       authentication key-management wpa version 2
    username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
    username 00907a0f2a55 autocommand exit
    username administrator privilege 15 password 7 033449040A0620425A0D15564F42
    username 0025d3db778b password 7 055B565D74481D0D1B52404A09
    username 0025d3db778b autocommand exit
    bridge irb
    interface Dot11Radio0
       no ip address
       no ip route-cache
       encryption mode ciphers tkip
       ssid Svez
       antenna gain 0
       station-role root
       world-mode legacy
       bridge-group 1
       bridge-group 1 subscriber-loop-control
       bridge-group 1 block-unknown-source
       no bridge-group 1 source-learning
       no bridge-group 1 unicast-flooding
       bridge-group 1 spanning-disabled
    interface GigabitEthernet0
       no ip address
       no ip route-cache
       duplex auto
       speed auto
       no keepalive
       bridge-group 1
       no bridge-group 1 source-learning
       bridge-group 1 spanning-disabled
    interface BVI1
       ip address dhcp client-id GigabitEthernet0
       no ip route-cache
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    ap#
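
An added example (not from the original post or from Cisco) that audits the `dot11 ssid` blocks of an autonomous-AP configuration for the combinations discussed on this page: MAC address as the only credential, MAC-or-EAP, WPA-PSK together with MAC authentication, and WPA key management with neither a PSK nor EAP. The sample configuration is constructed; the `alternate` and `eap` keywords of `authentication open` come from Cisco's IOS command syntax and do not appear in the posted configuration.

```python
import re

# Constructed excerpt in the style of the configuration posted above;
# SSID names, list names, the MAC and the secrets are placeholders.
SAMPLE_CONFIG = """\
dot11 ssid Lab-MacOnly
   authentication open mac-address mac_methods
   authentication key-management wpa version 2
dot11 ssid Lab-Either
   authentication open mac-address mac_methods alternate eap eap_methods
   authentication key-management wpa version 2
dot11 ssid Lab-Both
   authentication open mac-address mac_methods eap eap_methods
   authentication key-management wpa version 2
dot11 ssid Lab-Psk
   authentication open mac-address mac_methods
   authentication key-management wpa version 2
   wpa-psk ascii 0 PLACEHOLDER-PSK
username 020000000001 password 0 020000000001
username administrator privilege 15 password 0 PLACEHOLDER
"""


def ssid_blocks(config):
    """Yield (ssid, [sub-commands]) per 'dot11 ssid' block, found by indentation."""
    name, base, body = None, 0, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        if name is not None and indent > base:
            body.append(line)          # still inside the current SSID block
            continue
        if name is not None:
            yield name, body           # block ended at this less-indented line
            name, body = None, []
        if line.startswith("dot11 ssid "):
            name, base = line.split(None, 2)[2], indent
    if name is not None:
        yield name, body


def audit_ssid(body):
    """Return sorted finding codes for one SSID block."""
    mac = eap = alternate = network_eap = psk = wpa = False
    for cmd in body:
        tok = cmd.split()
        if tok[:2] == ["authentication", "open"]:
            mac = "mac-address" in tok
            eap = "eap" in tok
            alternate = "alternate" in tok
        elif tok[:2] == ["authentication", "network-eap"]:
            network_eap = True
        elif tok[:2] == ["authentication", "key-management"]:
            wpa = "wpa" in tok
        elif tok[0] == "wpa-psk":
            psk = True
    found = []
    if mac and not eap:
        found.append("mac-only")                # a sniffable MAC is the sole credential
    if mac and eap and alternate:
        found.append("mac-or-eap")              # passing either check is enough
    if mac and psk:
        found.append("psk-with-mac")            # rejected by 12.3(4)JA and later (see above)
    if wpa and not (eap or network_eap or psk):
        found.append("wpa-without-psk-or-eap")  # nothing to derive WPA keys from
    return sorted(found)


def audit(config):
    """Return ({ssid: findings}, [local usernames that are bare MAC addresses])."""
    report = {ssid: audit_ssid(body) for ssid, body in ssid_blocks(config)}
    mac_users = re.findall(r"^\s*username ([0-9a-fA-F]{12}) ", config, re.M)
    return report, sorted({u.lower() for u in mac_users})


if __name__ == "__main__":
    findings, local_mac_users = audit(SAMPLE_CONFIG)
    for ssid, codes in findings.items():
        print(ssid, codes or ["ok: MAC and EAP both required"])
    print("local MAC accounts:", local_mac_users)
```

Applied to the configuration posted above, the `Svez` block is classified the same way as `Lab-MacOnly`.
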

  • IAS and MAC authentication

    Hi, I'm having some trouble authenticating the users with EAP and MAC authentication. I'm using an IAS server and the EAP authentication is working well, but when I configure the MAC and EAP authentication, it doesn't connect to the clients.
    Any idea how I can solve this problem?
    Thanks

    I think MAC authentication is not supported in IAS; you can do MAC address filtering on the AP.

  • MAC Authentication on autonomous APs

    Hi!
    Has anyone here tried MAC authentication using Aironet 1200 series? If so, can you please tell me how to do it? Because I've been trying to make it work and it just won't work. Thanks!
    Regards

    Hi,
    Are you talking about radius mac-authentication ?
    The steps to configure MAC authentication on the ACS server and AP :
    [1] GO to Server Manager
    In the Corporate Servers -->Current Server List
    -- Select the Radius Server in the drop down.
    -- Specify the Server IP address in the Server: field
    -- Specify the Shared Secret in the Shared Secret: field
    -- Set the Authentication Port (optional): 1645 and the Accounting Port (optional): 1646
    - click on Apply
    -- In the Default Server Priorities and under MAC Authentication
    -- In the drop down Priority 1: select the IP address of the ACS server and click on Apply
    [2] Go to SSID Manager
    -- Select the ssid, In case a new SSID needs to be created create a new ssid.
    -- In Authentication Settings --> Methods Accepted: --> check on Open Authentication:
    --> Select with Mac Authentication from the drop down menu.
    - Click on the Apply all button to save this setting
    [3] Goto Advanced Security
    -- In the MAC Address Authentication -->MAC Addresses Authenticated by:
    -- Select Authentication Server Only and click on Apply
    On the ACS server, create users with user names and passwords set to the MAC address of the clients. These user names/passwords should NOT have any spaces or dots in between them.
    Regards,
    ~JG

  • Intel Mac OS X can't connect using 802.1x with TTLS authentication

    To login at the wireless network on my school I use the following settings:
    802.1x connection with TTLS authentication and TTLS inner authentication set to PAP.
    My MacBook Pro logs in, but has a self assigned ip-address and I can't use the network.
    On my old iBook and my friend's Powerbook with exactly the same settings it works perfectly (and gets an assigned ip-address through DHCP).
    Bug in the Intel version of Mac OS X I guess?

    Regarding the post about other intel macs being unaffected, I don't have an imac so I don't know for sure, but the connectivity problems seem to be more widely reported for the macbooks. It's certainly possible they are affected as well, but I was under the impression they were using a different chipset and/or firmware. (note to self, check on that).
    What I can't understand is why they have changed the airport express card for the intel macs, albeit the processor has changed but that shouldn't affect the card as that should be processor
    The intel macs were largely designed by intel. I suspect that apple provided case dimensions and a specifications list which intel then used for the designs. The wireless cards in the powerbooks were based (iirc) on a pc-card bus. The older airports were based on PCMCIA-16.
    In the macbooks, it appears to be a mini-PCI-express. (I had to send my back for noise issues. ASP might tell you what bus it connects to). The benefit to this is better speed and the possibility of future expansion. Dell uses the same connector.
    Some side-benefits of having the board designed by intel (or with heavy intel involvement) is that we can already dual-boot windows XP. Wireless seems to work fine if you run windows on the macbook. Therefore, I think this is a driver issue likely to be resolved sooner rather than later.

  • 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication

    I am a network administrator at seven schools, and a few of these schools are now using 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication  only, for wireless security. 
    We are a mixture of 2008 and 2003 (Windows Domain) servers running IAS or NPS for RADIUS.  
    I push out the wireless client’s setting via group policy, and the clients are using WZC. 
    Every now and then, a client will be unable to authenticate/validate during the authentication phase. 
    Some clients this will never happen to and a few it will happen repeatedly. 
    To fix this I have to hard wire the computer and do a gpupdate, even though the computer already had the updates applied previously, and is still part of the domain. 
    Many of our classrooms lack network drops, so wireless is the best for us. 
    Except for this one downfall, it is working great. Any help is appreciated.

    Hi Ryan,
    Thanks for posting here.
    Could you discuss the situation that you mentioned, “a client will be unable to authenticate/validate during the authentication phase. Some clients this will never happen to and a few it will happen repeatedly.”, in detail? Can you verify if there is any error or warning that relates to this authentication issue recorded in the event log on the client and RADIUS server?
    Are only certain computers facing this issue, or all?
    What OS is running on these client computers?
    According to the situation right now, I'd like to share some suggestions with you:
    1. An 802.1x client may fail to connect to a RADIUS server if the Trusted Root CA certificate that issued the RADIUS server certificate is not installed on the client computer. Either verify that the trusted root authority is installed on the client computer or disable certificate validation on the client. To disable certificate validation, access the properties of the connection, and on the Authentication tab, click Properties. Click to clear the Validate server certificate check box. EAP-TLS requires the installation of a computer certificate on each RADIUS server and a computer or user certificate, or smart card, on all clients. PEAP-MS-CHAPv2 requires the installation of a computer certificate on each RADIUS server and the root CA certificates of the issuing CAs of the RADIUS server certificate on each of the client computers.
    2. Verify that RADIUS is configured for the logging of rejected authentication attempts to the event log. Try the connection again, and then check the system event log for an IAS event for the failed connection attempt. Use the information in the log to determine the reason the connection attempt was either rejected or discarded. Logging options are configured on the General tab of the RADIUS server Properties dialog.
    3. Any rejected or discarded connection attempt recorded should identify the Connection Request Policy used. A RADIUS request message is processed only if the settings of the incoming RADIUS request message match at least one of the connection request policies. Examine the conditions of the policy identified to see where the request fails.
    4. Determine from the IAS system event log entries whether the authentication failure is for computer auth, user auth, or both. By default, Windows performs an 802.1x authentication with computer credentials before displaying the Windows logon screen. Another authentication with user credentials is performed after the user has logged on, and if this fails the machine will be disconnected from the network. Similarly, if computer authentication fails but user auth is successful, symptoms will include failure to process login scripts or apply group policies, and machine password expiration will not be updated since the user will only be able to log on with cached credentials. If you use a smart card for authentication, you can only perform user authentication because smart card usage requires manual entry of a personal identification number (PIN). There is no way to provide the PIN to unlock the smart card certificate during computer authentication.
    5. Examine the wireless trace logs captured and search for the keywords error, failed, failure, or rejected. This should give an indication as to what point in the authentication process the failure occurs.
    Meanwhile, I'd like to suggest you start troubleshooting by following the guides below and see if they help:
    Windows Server 2003 Wireless Troubleshooting
    http://technet.microsoft.com/en-us/library/cc773359(WS.10).aspx
    Troubleshooting Windows Vista 802.11 Wireless Connections
    http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx
    Thanks.
    Tiger Li
    Random computers running Windows XP have this problem.  It does not happen to all of them at once. 
    It is very random.  A computer that has been connecting to the secure network for weeks will all of a sudden not be able to connect. The message is “attempting to authenticate” and it never makes the connection. 
    I checked if logging is turned on and I can see successful events from computers that are working. 
    I can also see failed events from computers that are not ours that tried to connect to our wireless. 
    However for the computers that are having this problem there are no logged events. 
    It is as if they don’t even communicate with the server. 
    Other clients on the same AP are working fine.  I rebooted the IAS service, and RADIUS clients, but this did not help. 
    I also checked all the settings and they are correct, using PEAP, and validating the server certificate is disabled. 
    I did notice that the firewall is also turned on through group policy when the domain is not available. Do you think the firewall is blocking the communication?
    I added an exception to port 1812 UDP and this did not make a difference.

  • 802.1x authentication with mac address

    Hi guys,
    There is a strange requirement from one of our customers.
    They want us to do 802.1x with MAC address authentication and they don't want the pop-ups which ask
    for username, password and domain.
    Is it possible?
    Can I avoid popping up the username and password with 802.1x, and that too with MAC address?
    Any help would be greatly appreciated
    Thanks
    Jvalin

    Hi,
    The feature which you are looking for is possible in the case of wired 802.1x. This feature is called MAC-Auth Bypass and is done mostly if the client machine is not 802.1x capable. However, nowadays it is used even if the machine is 802.1x capable. In this we enter the MAC address of the machine in the user database, e.g. Active Directory. When you connect the client machine to the switch, if we have MAC-Auth Bypass enabled on the port, it would take the MAC address of the machine as the username without any prompt for username and password.
    A Windows server admin can easily push a group policy which disables 802.1x on the client machine, and it would only respond to the MAC-Auth Bypass. But first you would have to make sure your switch has MAC-Auth Bypass in the IOS.
    For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
    Regards,
    Kush

  • Domain authentication with mac address restrictions

    I am in a branch office and I have one WLC 5508 and one ACS 4.2 with three WLANs:
    WLAN1 with SSID1: for company computers and laptops
    WLAN2 with SSID2: for ipads and tablets
    WLAN3 with SSID3:  for guests
    I am asked to configure WLAN2 as “WLAN2: Provides the Wi-Fi connectivity to ipads and tablets, with back end security using domain authentication with mac address restrictions.”

    You would need to create a separate policy and be able to have a separation between the two policies... It's kind of hard to explain, but you would have for example:
    Policy 1:
    Wireless user on this SSID WLAN1
    AD on this AD Group (Machine)
    Policy 2:
    Wireless user on this SSID WLAN 2
    AD on this AD Group (User)
    Thanks,
    Scott

  • ACS 5.3, EAP-TLS Machine Authentication with Active Directory

    I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.
    My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
    Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
    Evaluating Identity Policy
    15006 Matched Default Rule
    22037 Authentication Passed
    22023 Proceed to attribute retrieval
    24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
    24437 Machine not found in Active Directory
    22016 Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    12506 EAP-TLS authentication succeeded
    11503 Prepared EAP-Success
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - Permit Access
    22065 Max sessions policy passed
    22064 New accounting session created in Session cache
    11002 Returned RADIUS Access-Accept
    I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
    Note: In my Identity Store Sequence, I did enable the option:
    For Attribute Retrieval only:
    If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
    but this only seems to work for internal identity stores (at least based on my testing)
    Under my Access Policy Identity tab, I configured the following Advanced features:
    Advanced Options
    If authentication failed: Reject / Drop / Continue
    If user not found: Reject / Drop / Continue
    If process failed: Reject / Drop / Continue
    And that didn't do anything either.
    Any ideas? Thanks in advance.

    Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
    Then can make a rule in the authorization policy such as
    If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

  • ACS Server MAC Authentication with Windows Database

    Has anyone setup an ACS Server 3.2 for MAC authentication using Windows as the authentication. The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.

    Here is the link for setting up MAC authentication using the CiscoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml
