IAS and MAC authentication
Hi, I'm having some trouble authenticating users with EAP and MAC authentication. I'm using an IAS server and the EAP authentication is working well, but when I configure MAC and EAP authentication together, the clients don't connect.
Any idea how I can solve this problem?
Thanks
I think MAC authentication is not supported in IAS; you can do MAC address filtering on the AP.
Similar Messages
I am currently using WPA2-PSK. I want to add another layer of security. I know I could do EAP. I am also looking at MAC authentication, but I want to host the MAC list on an ACS server. Setting the MAC addresses on the ACS server is pretty cut and dried, but how can I configure the AP to look to the ACS server for its MAC list? And how can I get WPA-PSK and MAC authentication to work together?
Hi Jared,
you can do this by setting up the following:
Web interface:
1. Security -> Server Manager
Set up the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
2. Security -> Advanced Security
In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
IOS Interface from config mode:
aaa group server radius rad_mac
server 10.20.40.37 auth-port 1645 acct-port 1646
and
aaa authentication login mac_methods group rad_mac
or
aaa authentication login mac_methods group rad_mac local (for local fallback)
I have not tested this, because the MAC of the supplicants is too easy to sniff and any medium-skilled person may use a sniffed MAC to enter the first authentication stage!
Better use a setup with EAP-FAST or PEAP!
I hope that helps.
Best regards,
Frank -
WLC Flexconnect with AAA and MAC authentication
hi,
I have a Cisco WLC running version 7.4.121, and I have remote-site access points connected to this controller; the remote access points will have a different VLAN on the remote side itself.
My question is: I have RADIUS authentication for the clients connecting from all the access points, and MAC filtering as well.
My RADIUS server is placed in the HQ where we have the WLC. Which FlexConnect switching method will give me both AAA and MAC filter options working?
One more question:
Is it possible to make separate MAC filters for each AP on the WLC?
thanks
cyril
If you are planning on doing machine authentication, i.e. authentication of the machine with username/password by the AAA server, then this is possible using FlexConnect local switching, provided you have your AAA server accessible via the local VLAN at the remote site.
In case you are planning on doing MAC filtering using the WLC and username/password authentication using the AAA server, then this cannot be achieved when you enable FlexConnect local switching, as you do not get an option to configure MAC filtering on FlexConnect groups. Hence you would need to use central authentication.
Actually the best option for you is to either deploy a local-site AAA server and do both authentications via your RADIUS server, or use central authentication with FlexConnect APs in case this is not feasible.
Hope this clears your doubts!!!
Note: Please do not forget to rate and accept as solution in case the post is valid. -
Enabling 802.1x and MAC Authentication Bypass on ACS 4.2
Hi experts,
I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario:
Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time staff plug into the company's network, they will need to supply a username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff member's user profile in ACS. If the login information supplied by the staff member is valid but the MAC address of their machine does not match the ACS database, then the staff member will not be able to gain access until after notifying the administrator about it.
ii. If it is possible, is there any reference I can check on how to configure this?
The reason I need MAC authentication + 802.1x to be configured at ACS is that most of our switches are not Cisco based and are only capable of supporting 802.1x.
Hope anyone here could help me on this.
Thanks very much,
Daniel
With ACS, you can set up NARs (Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
Urgent 802.1x and MAC-Authentication Problem
Hi all
I want to deploy MAC authentication in my network, and I have 3000 users. In the lab the authentication for a machine takes:
Vista : 15 - 20 seconds
XP : 30 - 35 seconds
Is there any way to reduce this time to less than 10 seconds? My user count is 3000; will the time get bigger because of this?
Please help me.
Thanks and Best Regards
amady
With ACS, you can set up NARs (Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
Wireless Guest and mac authentication
Hi all,
I want to setup a wifi guest network with mac based authentication.
I already have the guest anchor controller and the remote wlc controller (and the mobility tunnel) up and running.
However, I am uncertain where I have to program the MAC addresses: on the remote WLC or on the guest controller? (for the local MAC database)
It seems my authentication only works if I program the MAC address on the 'remote' WLC (the WLC holding the AP).
This is a pity, as I was hoping to centralise all "approved" MAC addresses on the guest controller and not on each individual WLC separately.
Also, suppose I want a RADIUS server to validate the MAC address. Which controller is going to send the RADIUS request? The WLC managing the AP or the guest anchor controller?
Does the remote WLC also need to be configured with "Layer2 security: none" + "mac authentication" (the same as the anchor controller), or can I put "Layer2: none" on it and put the anchor controller on "Layer2: none" + mac authentication?
regards,
Geert
Hi Geert,
The rule is straightforward : layer 2 is handled by foreign WLC (one holding the AP) and layer 3 handled by the anchor (the guest).
This means the anchor WLC handles the dhcp/ip address, it handles the web authentication etc ...
But only the foreign WLC knows which AP the client is associated to, it's the only one to have layer 2 information so that's the one doing layer 2 authentication (wpa psk or mac filtering).
The way to "centralize" for you would be to have the mac addresses on a radius server or to push the mac addresses on the controllers via WCS.
Hope this clarifies,
Nicolas
===
Don't forget to rate answers that you find useful -
Cisco aironet 1040: create wireless with wpa2 and mac authentication
Hi,
I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
Can anyone help me? thanks
ap#show configuration
Using 2085 out of 32768 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 ssid Svez
authentication open mac-address mac_methods
authentication key-management wpa version 2
username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
username 00907a0f2a55 autocommand exit
username administrator privilege 15 password 7 033449040A0620425A0D15564F42
username 0025d3db778b password 7 055B565D74481D0D1B52404A09
username 0025d3db778b autocommand exit
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid Svez
antenna gain 0
station-role root
world-mode legacy
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
end
ap# -
Mail setup and .mac authentication
Baffled… I have been trying to set up my Mail account. I have an active .Mac account which I can access via the internet, so I know it works. I am trying to use Mail as my automatic mail for sending Aperture photos and iWeb announcements.
In going through the setup procedures in Mail I enter all the required information and the application tries to authenticate my .Mac account… it spins and spins… then an error message is received indicating "failure to connect to .Mac". I have verified my settings with a friend who uses the same ISP, Mail and .Mac, and all our settings are the same.
Is this a keychain issue, do I need to reset permissions?
Why can I access my .Mac account through Safari yet the computer can’t do it automatically?
Thanks for anyone's assistance.
So you get mail from your .Mac account not via IMAP, but via POP3? Or what do you mean by "as for IMAP I am not using that"?
And no, I did not talk about pinging the server (which just sends ICMP echo requests), but about trying to connect to the server using telnet. That's a real big difference.
I only get mail via the web ~ Safari ~ Yahoo... .Mac mail can be received and used only as a web application; Mail does not connect via .Mac.
The problem is .Mac authentication when setting up a new Mail account; the error message says it cannot verify/connect to the .Mac server, yet I can access .Mac via the internet.
IMAP ~ in my system preferences for Accounts/Advanced I do not sync to any IMAP mailbox, and the greyed-out port is 143 and SSL is not checked.
Terminal ~ yes it logged in, sorry if I used the wrong term "ping"... so yes it did connect. -
Hello all
WLC Appliance supports Local MAC Authentication, http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#conf
Does Virtual WLC support this too?
Thanks
Franco
Hello, Franco.
Have you checked the data sheet for the Cisco Virtual WLC's security Standards? Check this link: (http://cs.co/9007qz7W).
Are you planning to switch from a WLC appliance to a virtual?
Kind regards. -
Does anyone have a step-by-step procedure on how to set up Windows IAS to authenticate MAC addresses for the 350, 1200, and 1300 APs?
I'm trying to accomplish the same thing. I have the AP configured to query the IAS server to authenticate MAC addresses. I can't even seem to create a remote access policy that will allow this to happen. I had this all working perfectly on a trial version of Cisco's Secure ACS and figured it would be as easy as changing the IP addresses of the RADIUS server in the AP config and creating a user ID for each MAC on the Microsoft server.
This obviously has not worked. If anyone can offer any kind of help with this I'd be thankful. -
SLES 11 and MAC Authentication using FreeRADIUS
This is our first attempt at this. Not sure if this is the correct forum. We have a SLES 11 server. We are running FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu. We are testing just one Cisco WAP 4410N with a Lenovo laptop. All of our WAPs are Cisco 4410N. This is our first attempt at a RADIUS server. We are attempting to have users authenticate to our wireless network only by using their device's MAC address. This is for a Bring Your Own Device program for our school district. This program would allow students and teachers to bring their personal devices to school and attach to our network. We cannot install anything on their devices and need control over what devices connect. Once connected they would be subject to our Internet filter appliance.
We have been following the website http://wiki.freeradius.org/Mac-Auth#Plain+Mac-Auth.
We have made all the adjustments suggested in the website. We have created the file authorized_macs. At this time we have only one MAC address in this file. In our clients.conf file we have entered the following:
client 10.0.9.77 {
secret = xxxxxxxx
shortname = 10.0.9.77
nastype = cisco
}
This is the IP address of our WAP. We have configured the WAP under the Wireless section:
Basic Setting SSID = RADIUS TEST SSID broadcast enabled
Security currently disabled
Connection Control set to RADIUS with the IP address of the server and the secret question.
On the server in a terminal session we run /usr/sbin/radiusd -X, which executes without any errors. When the laptop attempts to connect it times out and no messages appear in the terminal session on the server. Obviously the laptop is not connected.
We have also attempted to connect by adding the following to the clients.conf file with no luck.
client 10.0.8.0/21 {
secret = xxxxxxx
shortname = KAHS
}
Any guidance would be greatly appreciated.
And your windows machine is set to: Authenticate as computer when computer information is available?
Microsoft Corporation
Thomas -
MAC authentication, 1200 WAP's, IAS
I am setting up WPA and MAC authentication on a number of 1200 series access points. In my testing, I've got WPA/EAP working fine with username and password, but I'd like to add MAC filtering as well using IAS, and I can't get it to work.
I think the problem lies with the MAC "username" and "password" that the AP passes to IAS. Are both the username AND password the MAC of the wireless client NIC?
Thanks,
Jason
Thanks, but I've searched Google quite a bit and not found the answer. I've also read the article you posted. In fact it is that article I used to create the initial setup.
The article, however, states that the Cisco AP passes the shared secret to IAS/AD as the password for the MAC "username" in AD, but that does not appear to be the case. I am getting bad username or password in my IAS logs, but I know the username is set correctly as the AP passes it to the IAS logs and it matches what I've created in AD for username, so I believe it is a password issue. -
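The two IAS/FreeRADIUS threads above both come down to what the AP actually puts in its Access-Request and how the server checks it. The following is an added example (not code from any poster here, nor from Cisco or FreeRADIUS): it normalises the MAC spellings a NAS may send, checks them against an authorized_macs-style list like the one the FreeRADIUS post follows, and carries the MAC-as-password through the RFC 2865 User-Password hiding, so that a shared-secret mismatch between AP and server shows up exactly as the "bad username or password" Jason sees in his IAS logs. The allow-list, the function names, the secret and the authenticator are constructed for the example.

```python
import hashlib
import re

# Constructed allow-list in the style of FreeRADIUS's authorized_macs file
# (one MAC per line, '#' comments allowed); the two entries are the MAC
# usernames from the Aironet configuration quoted earlier on this page.
AUTHORIZED_MACS_FILE = """\
00:90:7a:0f:2a:55   # Aironet local-list entry, first client
00:25:d3:db:77:8b   # second client
"""

def normalize_mac(raw):
    """Canonicalise the spellings a NAS may put in User-Name or
    Calling-Station-Id (AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AABBCCDDEEFF, ...)
    to aa:bb:cc:dd:ee:ff. Returns None for anything that is not a 48-bit MAC,
    so a malformed value can never match an allow-list entry by accident."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\- ]+", raw):
        return None
    digits = re.sub(r"[:.\- ]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def load_authorized_macs(text):
    """Parse an authorized_macs-style file into a set of canonical MACs."""
    macs = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        mac = normalize_mac(entry) if entry else None
        if mac:
            macs.add(mac)
    return macs

def encode_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: the NAS hides User-Password by XOR-ing each
    16-byte block with MD5(secret + previous block), seeded with the Request
    Authenticator. For MAC auth the password is the MAC itself, as the local
    RADIUS entry at the end of this page (user = MAC, password = MAC) shows."""
    length = (len(password) + 15) // 16 * 16 or 16
    padded = password.ljust(length, b"\0")
    out, prev = b"", authenticator
    for i in range(0, length, 16):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out

def decode_user_password(encoded, secret, authenticator):
    """Inverse of encode_user_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, b))
        prev = block
    return out.rstrip(b"\0")

def server_decision(user_name, encoded_password, secret, authenticator, allowed):
    """Server side of plain MAC auth: accept only when User-Name is an
    allow-listed MAC and the recovered User-Password equals that MAC.
    A secret that differs between AP and server garbles the recovered
    password, which is what the server logs as a bad username or password."""
    mac = normalize_mac(user_name)
    if mac is None or mac not in allowed:
        return False
    recovered = decode_user_password(encoded_password, secret, authenticator)
    return normalize_mac(recovered.decode("ascii", "replace")) == mac
```

Note that the User-Password hiding is only as strong as the shared secret and the MAC is visible in clear over the air anyway, which is the point Frank makes above about preferring EAP-FAST or PEAP.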
Cisco ACS 5.1 and MAC address identification/quarantining
A client is rolling out ACS 5.1, with the eventual intent of customization network access based on Active Directory credentials (user/group, etc) – ACL’s and VLAN restrictions will be implemented as part of a “2nd phase” deployment. For NOW, all they want is the ability to isolate devices connecting to the network by MAC address, meaning: if it’s a recognized MAC address (corporate asset), then allow full access through the port. If it’s NOT a recognized MAC address (non-corporate asset), then place it in the guest network/VLAN.
I’m familiar with ACS operation, configuration of policies and authorization rules, and MAC Authentication Bypass (for devices that should not have to authenticate to gain access). What I don’t know for sure (and haven’t yet been able to find), is if ACS has the ability to react simply to the MAC address and quarantine that host into a guest network.
Please confirm, and as always, reference links/docs are appreciated.
Hi,
The goal you want to achieve is possible but not with MAB.
What you want can easily be done if you do machine authentication rather than MAB.
With machine authentication you can have something called Machine Access Restriction, which means that both machine and user authentication have to be done for the user to have access to the network.
In this scenario, whenever a user tries to log in via dot1x, the ACS checks the machine on which the user is logging in, and the user authentication is only successful if the machine authentication was successful.
For this to work you have to register the machines in the domain as well as the users.
Machines that do not exist in the domain will fail machine authentication, and no user will be allowed to log in on that machine.
To configure this on the ACS you simply have to go to the Authorization part of the Access Policy, click "Customize" and add the "Condition" "Was machine authenticated", as I show in the image below:
Then, you create a new Rule and this Condition will be available:
On the client side you need to make sure that they do dot1x machine authentication.
This gives you a very fast way of securing both machines and users, so that only trusted machines (that exist in the domain) are allowed on the network and users can only access the network by logging in from a trusted machine.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Hello Everyone,
I have an issue with my Cisco 1602 WAP. I am trying to configure WPA-PSK and MAC authentication on the local RADIUS server, but I don't know why it doesn't work and clients can bypass the MAC authentication. Below is a partial configuration:
dot11 ssid WLAN
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 XXX
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 20 mode ciphers aes-ccm
ssid WLAN
antenna gain 0
stbc
beamform ofdm
mbssid
channel 2462
station-role root
interface Dot11Radio0.20
encapsulation dot1Q 20 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface BVI1
ip address 10.133.16.2 255.255.255.128
no ip route-cache
radius-server local
nas 10.133.16.2 key 7 10.133.16.2
group MAC
vlan 20
ssid WLAN
block count 3 time infinite
reauthentication time 1800
user 54724f80421c password 54724f80421c group MAC
Further information can be provided by request.
Cheers,
Parham
What are you trying to accomplish?
With the PSK you aren't telling the client it needs to do .1x auth for the MAC authentication.
If you are just trying to keep some clients off the wireless, I would take a look at doing a MAC ACL (ACL 700).
HTH,
Steve -
Mac authentication by IAS in WAP4410N
I have an access point model WAP4410N. I want to configure it for MAC authentication using MS IAS, but when I set my SSID to RADIUS in Wireless Connection Control and try to connect to that SSID with a laptop, I don't get any logs in my IAS. Does anybody know why this problem happens? Is my method for RADIUS MAC authentication correct or not?
Did you define the AP as a client in the IAS?
Steve
Sent from Cisco Technical Support iPhone App