IAS and MAC authentication

Hi, I´m having some trouble to authenticate the users with EAP and MAC authentication, i´m using IAS server and the EAP authentication is working well, but when I configure the MAC and EAP authentication, it doesn´t connect to the clients.
Any idea how can I solve this problem??
Thansk

I think MAC authentication is not supported in IAS , you can do MAC address filtering on AP

Similar Messages

  • WPA2 and mac authentication

    I am currently using WPA2-spk. I want to add another layer of security. I know I could do EAP. I am also looking at mac authentication. But I want to host the mac list on an ACS server. Setting the the mac addresses on the ACS server is pretty cut and dry, but how can I configure the ap to look to the ACS server for its mac list? And, how can I get WPA-spk and mac authentication to work together?

    Hi Jared,
    you can do this by setup the following:
    Webinterface:
    1. Securtiy -> Server Manager
    Setup the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
    2. Securtiy -> Advanced Securtiy
    In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
    IOS Interface from config mode:
    aaa group server radius rad_mac
    server 10.20.40.37 auth-port 1645 acct-port 1646
    and
    aaa authentication login mac_methods group rad_mac
    or
    aaa authentication login mac_methods group rad_mac local (for local fallback)
    I have not tested this, cause the MAC of the supplicants is to easy to sniff and any medium skilled person may used a sniffed MAC to enter the first authentication stage!
    Better use a setup with EAP-FAST or PEAP!
    I hope that helps.
    Best regards,
    Frank
    I hope that helps.

  • WLC Flexconnect with AAA and MAC authentication

    hi,
    i am having cisco WLC with 7.4.121 version and i am having remote side access points to be connected to this controller and remote access point will have different vlan on the remote side itself.
    my question is i am having  Radius authentication for the clients who are all connecting from all the access points and MAC filtering also.
    My radius server is placed in the HQ where we have WLC. which method of flexconnect switchign will give be both AAA and MAc filter options to be working.
    one more question,
    is it possible to make each AP seperate MAC filters On the WLC.
    thanks
    cyril

    If you are planning on doing machine authentication i.e authentication of machine with username password by the AAA server at then this is possible using flexconnect local switching enabled provided you have your AAA server accessible via the local VLAN at the remote site.
    In case you are planning on doing mac-filtering using WLC and username/password authentication using AAA server then this cannot be achieved when you enable Flexconnect local switching as you do not get an option to configure the mac-filtering on Flex-connect groups.Hence you would need to use central authentication.
    Actually the best option for you is that you either deploy a local site AAA server and do both the authentications via your radius server or use Central authentication with Flexconnect APs incase this is not feasible.
    Hope this clears you doubts!!!
    Note: Please do not forget to rate and accept as solution incase the post is valid.

  • Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

    Hi experts,
    I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
    i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
    Our company would like to enforce 'double authentication' on each staff machine (include those personal laptop/notebook). Each time the staff plugged into company's network, they will need to supply username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine is not match in ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
    ii. If it is possible, any reference that I can check on how to configure this?
    The reason why I need MAC authentication + 802.1x to be configured at ACS as most of our switches are not cisco based and only capable to support 802.1x.
    Hope anyone here could help me on this.
    Thanks very much,
    Daniel

    With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
    Specific info is here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
    Hope this helps,

  • Urgent 802.1x and MAC-Authentication Problem

    Hi all
    I want to deploy the mac- authentication in my network. and I have 3000 users. In the lab the authenticatoion for the machine takes:
    Vista : 15 - 20 seconds
    XP : 30 - 35 seconds
    Is there any way to reduce this time less than 10 seconds. My users count are 3000 will the time go bigger because of this.
    Please help me.
    Thanks and Best Regards
    amady

    With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
    Specific info is here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
    Hope this helps,

  • Wireless Guest and mac authentication

    Hi all,
    I want to setup a wifi guest network with mac based authentication.
    I already have the guest anchor controller and the remote wlc controller (and the mobility tunnel) up and running.
    However, i am uncertain where i have to program the mac addresses: on the remote wlc or on the guest controller ? (for local database mac)
    It seems my authentication only works if i program the mac address of the 'remote' wlc (the wlc holding the AP).
       This is a pitty, as i was hoping to centralise all "appoved" mac addresses on the guest controller and not on each individual wlc seperatly.
    Also, suppose i want a radius server to validate the mac address. Which controller is going to sent the radius request ? the wlc controller
    managing the AP or the guest anchor controller ?
    Does the remote wlc also need to be configured with "Layer2 security: none"+"mac authentication" (the same as the anchor controller) or can i put "Layer2:none" and put the anchor controller on "Layer2: none"+mac authentication ?
    regards,
    Geert

    Hi Geert,
    The rule is straightforward : layer 2 is handled by foreign WLC (one holding the AP) and layer 3 handled by the anchor (the guest).
    This means the anchor WLC handles the dhcp/ip address, it handles the web authentication etc ...
    But only the foreign WLC knows which AP the client is associated to, it's the only one to have layer 2 information so that's the one doing layer 2 authentication (wpa psk or mac filtering).
    The way to "centralize" for you would be to have the mac addresses on a radius server or to push the mac addresses on the controllers via WCS.
    Hope this clarifies,
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Cisco aironet 1040: create wireless with wpa2 and mac authentication

    Hi,
    I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
    I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
    Can anyone help me? thanks
    Hi,
    I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
    I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
    Can anyone help me? thanks

    ap#show configuration
    Using 2085 out of 32768 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid Svez
       authentication open mac-address mac_methods
       authentication key-management wpa version 2
    username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
    username 00907a0f2a55 autocommand exit
    username administrator privilege 15 password 7 033449040A0620425A0D15564F42
    username 0025d3db778b password 7 055B565D74481D0D1B52404A09
    username 0025d3db778b autocommand exit
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers tkip
    ssid Svez
    antenna gain 0
    station-role root
    world-mode legacy
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    no ip route-cache
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    ap#

  • Mail setup and .mac authentication

    Baffled… I have been trying to setup my Mail account. I have an active .Mac account which I can access via the internet, so I know it works. I am trying to use Mail as my automatic mail for sending Aperture photos and iWeb announcements.
    In going through the setup procedures in Mail I enter all the required information and the application tries to authenticate my .Mac account… it spins and spins… then an error message is received indicating “failure to connect to .Mac”. I have verified my settings with a friend who uses the same ISP, Mail and .Mac and all our settings are the same.
    Is this a keychain issue, do I need to reset permissions?
    Why can I access my .Mac account through Safari yet the computer can’t do it automatically?
    Thanks for anyone’s assistance.

    So you get mail from your .Mac account not via IMAP,
    but via POP3? Or what do you mean by "as for IMAP I
    am not using that"?
    And no, I did not talk about pinging the server
    (which just sends ICMP echo requests), but about
    trying to connect to the server using telnet. That's
    a real big difference.
    I only get mail via the web ~ Safari ~ Yahoo... .mac mail can be received and used onlt as a web application, Mial does not connect via .mac.
    The problem is .Mac authentifcation when setting up a new Mail account, error message says can not verify/connect to .Mac server, yet I can access .Mac via the internet.
    IMAP ~ in my system preferences for Accounts/Advanced I do not sync to any IMAP mailbox and the greyed out port is 143 nad SSL is not checked.
    Terminal ~ yes it logged in, sorry if I used the wrong term "ping"... so yes it did connect.

  • VWLC and Mac Authentication

    Hello all
    WLC Appliance supports Local MAC Authentication, http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#conf
    Does Virtual WLC support this too?
    Thanks
    Franco

    Hello, Franco. 
    Have you checked the data sheet for the Cisco Virtual WLC's security Standards? Check this link: (http://cs.co/9007qz7W). 
    Are you planning to switch from a WLC appliance to a virtual?
    Kind regards. 

  • IAS for MAC authentication

    Does anyone have a step by step procedure on how to setup Windows IAS to authenticate MAC addresses for the 350, 1200, and 1300 AP?

    I'm trying to accomplish the same thing. I have the AP configured to query the IAS server to authenticate MAC addresses. I cant even seem to create a remote access policy that will allow this to happen. I had this all working perfectly on a trial version of Cisco's Secure ACS and figured it would be as easy as changing the Ip addresses of the radius server int he AP config and creating a user id for each MAC on the Microsoft server.
    This obviously has not worked. if anyone can offer any king of help with this I'd be thankful.

  • SLES 11 and MAC Authentication using FreeRADIUS

    This is our first attempt at this. Not sure if this is the correct forum. We have a SLES 11 server. We are running FreeRadius FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu. We are testing just one Cisco WAP 4410N with a Lenovo laptop. All of our WAPs are Cisco 4410N. This is our first attempt at a Radius server. We are attempting to have users authenticate to our wireless network only by using their devices MAC address. This is for a Bring Your Own Device program for our school district. This program would allow students and teachers to bring their personal devices to school and attach to our network. We cannot install anything on their devices and need control over what devices connect. Once connected they would be subject to our Internet filter applicance.
    We have been following the website http://wiki.freeradius.org/Mac-Auth#Plain+Mac-Auth.
    We have made all the adjustments suggested in the website. We have created the file authorized_macs. At this time we have only one MAC address in this file. In our clients.conf file we have entered the following:
    client 10.0.9.77 {
    secret = xxxxxxxx
    shortname = 10.0.9.77
    nastype = cisco
    This is the IP address of our WAP. We have configured the WAP under the Wireless section:
    Basic Setting SSID = RADIUS TEST SSID broadcast enabled
    Security currently disabled
    Connection Control set to RADIUS with the IP address of the server and the secret question.
    On the server in a terminal session we run /usr/sbin/radiusd -X. Which executes without any errors. When the laptop attempt to connect it times out and no meesage appear in the terminal session on the server. Obviously the laptop is not connected.
    We have also attempted to connect by adding the following to the clients.conf file with no luck.
    client 10.0.8.0/21 {
    secret = xxxxxxx
    shortname = KAHS
    Any guidance would be greatly appreciated.

    Originally Posted by jdelucaka
    This is our first attempt at this. Not sure if this is the correct forum. We have a SLES 11 server. We are running FreeRadius FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu. We are testing just one Cisco WAP 4410N with a Lenovo laptop. All of our WAPs are Cisco 4410N. This is our first attempt at a Radius server. We are attempting to have users authenticate to our wireless network only by using their devices MAC address. This is for a Bring Your Own Device program for our school district. This program would allow students and teachers to bring their personal devices to school and attach to our network. We cannot install anything on their devices and need control over what devices connect. Once connected they would be subject to our Internet filter applicance.
    We have been following the website Mac Auth.
    We have made all the adjustments suggested in the website. We have created the file authorized_macs. At this time we have only one MAC address in this file. In our clients.conf file we have entered the following:
    client 10.0.9.77 {
    secret = xxxxxxxx
    shortname = 10.0.9.77
    nastype = cisco
    This is the IP address of our WAP. We have configured the WAP under the Wireless section:
    Basic Setting SSID = RADIUS TEST SSID broadcast enabled
    Security currently disabled
    Connection Control set to RADIUS with the IP address of the server and the secret question.
    On the server in a terminal session we run /usr/sbin/radiusd -X. Which executes without any errors. When the laptop attempt to connect it times out and no meesage appear in the terminal session on the server. Obviously the laptop is not connected.
    We have also attempted to connect by adding the following to the clients.conf file with no luck.
    client 10.0.8.0/21 {
    secret = xxxxxxx
    shortname = KAHS
    Any guidance would be greatly appreciated.
    And your windows machine is set to: Authenticate as computer when computer information is available?
    Microsoft Corporation
    Thomas

  • MAC authentication, 1200 WAP's, IAS

    I am setting up WPA and MAC authentication on a number of 1200 series access points. In my testing, I've got WPA/EAP working fine with username and password, but I'd like to add MAC filtering as well using IAS, but can't get it to work.
    I think the problem lies with the MAC "username" and "password" that the AP passes to IAS. Is both the username AND password the MAC of the wireless client NIC?
    Thanks,
    Jason

    Thanks, but I've searched Google quite a bit and not found the answer. I've also read the article you posted. In fact it is that article I used to create the initial setup.
    The article, however, states that the Cisco AP passes the shared secret to IAS/AD as the password for the MAC "username" in AD, but that does not appear to be the case. I am getting bad username or password in my IAS logs, but I know the username is set correctly as the AP passes it to the IAS logs and it matches what I've created in AD for username, so I believe it is a password issue.

  • Cisco ACS 5.1 and MAC address identification/quarantining

    A client is rolling out ACS 5.1, with the eventual intent of customization network access based on Active Directory credentials (user/group, etc) – ACL’s and VLAN restrictions will be implemented as part of a “2nd phase” deployment.   For NOW, all they want is the ability to isolate devices connecting to the network by MAC address, meaning: if it’s a recognized MAC address (corporate asset), then allow full access through the port.  If it’s NOT a recognized MAC address (non-corporate asset), then place it in the guest network/VLAN.
    I’m familiar with ACS operation, configuration of policies and authorization rules, and MAC Authentication Bypass (for devices that should not have to authenticate to gain access).  What I don’t know for sure (and haven’t yet been able to find), is if ACS has the ability to react simply to the MAC address and quarantine that host into a guest network.
    Please confirm, and as always, reference links/docs are appreciated.

    Hi,
    The goal you want to achieve is possible but not with MAB.
    What you want can easily be done if you do machine authentication rather then MAB.
    With machine authentication you can have something called Machine Access Restriction, which mean that both machine and user authentication has to be done, for the user to have access to the network.
    In this scenario, whenever a user tries to log in via dot1x, the ACS checks the machine on which the user is logging in, and the user authentication is only successfull if the machine authentication was successfull.
    For this to work you have to register the machines in the domain as well as the users.
    Machines that do not exist on the domain, will fail machine authentication, and no user will be allowed to login in that machine.
    To configure this on the ACS you simply have to go to the Authorization part of the Access Policy, clic "Customize" and add the "Condition" "Was machine authenticated", as I show in the image below:
    Then, you create a new Rule and this Condition will be available:
    On the client side you need to make sure that they do dot1x machines authentication.
    This allows you a very fast way of securing both machines and users, so that only trusted machines (that exist in the domain) are allowed on the network and users can only access network by logging in from a trusted machine.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Configuring the Access Point 1602 IOS 15.2(2)JAX as a Local RADIUS for a MAC authenticator

    Hello Everyone,
    I have an issue with my Cisco 1602 WAP. I am trying to configure the WPA-PSK and MAC authentication on local RADIUS but I don't know why it doesn't work and client can bypass the MAC authentication. below is partial configuration:
    dot11 ssid WLAN
       vlan 20
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 XXX
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     encryption vlan 20 mode ciphers aes-ccm
     ssid WLAN
     antenna gain 0
     stbc
     beamform ofdm
     mbssid
     channel 2462
     station-role root
    interface Dot11Radio0.20
     encapsulation dot1Q 20 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface BVI1
     ip address 10.133.16.2 255.255.255.128
     no ip route-cache
    adius-server local
        nas 10.133.16.2 key 7 10.133.16.2
      group MAC
        vlan 20
        ssid WLAN
        block count 3 time infinite
        reauthentication time 1800
     user 54724f80421c  password 54724f80421c group MAC 
    Further information can be provided by request.
    Cheers,
    Parham

    what are you trying to accomplish?
    With the PSK you aren't telling the client it needs to do .1x auth for the Mac authentication.
    If you are just trying to keep some clients off the wireless, I would take a look at doing a MAC ACL (ACL 700)
    HTH,
    Steve

  • Mac authentication by IAS in WAP4410N

    I have a access point model WAP4410N , I want to configure for mac authentication by using MS IAS , but when I set MY SSID to radius in wireless connection control and try to connect to that SSID by a labtop I didn't get any logs in my IAS , anybody knows when this problem happened ? my methods for radius mac authentication is correct or not ?

    Did you define the AP as a client in the IAS?
    Steve
    Sent from Cisco Technical Support iPhone App

Maybe you are looking for