IAS for MAC authentication
Does anyone have a step-by-step procedure on how to set up Windows IAS to authenticate MAC addresses for the 350, 1200, and 1300 AP?
I'm trying to accomplish the same thing. I have the AP configured to query the IAS server to authenticate MAC addresses. I can't even seem to create a remote access policy that will allow this to happen. I had this all working perfectly on a trial version of Cisco's Secure ACS and figured it would be as easy as changing the IP addresses of the RADIUS server in the AP config and creating a user ID for each MAC on the Microsoft server.
This obviously has not worked. If anyone can offer any kind of help with this I'd be thankful.
Similar Messages
-
Hi, I'm having some trouble authenticating users with EAP and MAC authentication. I'm using an IAS server and the EAP authentication is working well, but when I configure the MAC and EAP authentication, it doesn't connect to the clients.
Any idea how I can solve this problem?
Thanks
I think MAC authentication is not supported in IAS; you can do MAC address filtering on the AP.
-
Mac authentication by IAS in WAP4410N
I have an access point, model WAP4410N. I want to configure it for MAC authentication using MS IAS, but when I set my SSID to RADIUS in wireless connection control and try to connect to that SSID from a laptop, I don't get any logs in my IAS. Does anybody know when this problem happens? Is my method for RADIUS MAC authentication correct or not?
Did you define the AP as a client in the IAS?
Steve
Sent from Cisco Technical Support iPhone App -
ACS Server MAC Authentication with Windows Database
Has anyone set up an ACS Server 3.2 for MAC authentication using Windows as the authentication? The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.
Here is the link for setting up MAC authentication using the CiscoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml -
Cisco 1941W configure mac authentication in wireless
Dear all,
I would appreciate it if anyone knows how to configure MAC authentication on the 1941W router.
Perhaps someone can show me an example of configuring MAC authentication on the 1941W router.
Hi,
Below is the configuration for mac authentication bypass on cisco 1900 router
c1921> enable
c1921# configure terminal
c1921(conf)#interface gigabitethernet slot / port
c1921(conf-if)# authentication port-control auto
c1921(conf-if)# mab
c1921(conf-if)# end
You can verify using the command below:
c1921#show authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Gi0/1      0201.0201.0201  mab     DATA    Authz Success  0303030300000004002500A8
c1921#show authentication sessions interface Gi0/1
Interface: GigabitEthernet0/1
MAC Address: 0201.0201.0201
IP Address: Unknown
User-Name: 02-01-02-01-02-01
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
AAA Policies:
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0303030300000004002500A8
Acct Session ID: 0x00000007
Handle: 0x3D000005
Runnable methods list:
Method State
mab Authc Success
For more details, refer to the link below:
http://www.cisco.com/c/en/us/td/docs/routers/access/1900/software/configuration/guide/Software_Configuration/conf.pdf
Thanks & Regards
Sandeep -
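In the verification output above, the same client appears as 0201.0201.0201 in the MAC Address field and as 02-01-02-01-02-01 in User-Name, so the account created on the RADIUS server has to follow whatever notation the access device actually sends. The following Python is an added example, not part of any post on this page: it infers the notation from one User-Name copied out of a RADIUS log and rewrites an inventory list to match. The function names, the colon style and the sample inventory are assumptions made for illustration.

```python
import re

# Grouping styles: three appear on this page; the colon form is an added assumption.
FORMATS = {
    "bare":   (12, ""),   # 54724f80421c
    "dotted": (4, "."),   # 0201.0201.0201
    "dashed": (2, "-"),   # 02-01-02-01-02-01
    "colon":  (2, ":"),   # 02:01:02:01:02:01
}

def normalize(mac):
    """Strip separators and return 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[.:-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def render(digits, style, upper=False):
    """Format 12 hex digits in one of the FORMATS styles."""
    width, sep = FORMATS[style]
    text = sep.join(digits[i:i + width] for i in range(0, 12, width))
    return text.upper() if upper else text

def detect_format(observed):
    """Return (style, case) for a User-Name copied from a RADIUS log.

    case is "upper", "lower", or None when the sample has no hex letters
    (or mixes cases) and therefore cannot settle the question.
    """
    sample = observed.strip()
    digits = normalize(sample)
    for style in FORMATS:
        if render(digits, style) == sample.lower():
            letters = [c for c in sample if c.isalpha()]
            if letters and all(c.isupper() for c in letters):
                return style, "upper"
            if letters and all(c.islower() for c in letters):
                return style, "lower"
            return style, None
    raise ValueError(f"inconsistent separators: {observed!r}")

def usernames_for(inventory, observed):
    """Render every inventory MAC the way the NAS was observed to send it."""
    style, case = detect_format(observed)
    return [render(normalize(mac), style, case == "upper") for mac in inventory]

if __name__ == "__main__":
    # Constructed inventory, mixing the notations people paste into spreadsheets.
    inventory = ["54:72:4F:80:42:1C", "0201.0201.0201"]
    print(detect_format("02-01-02-01-02-01"))        # sample has no letters
    print(usernames_for(inventory, "54724f80421c"))
```

A sample such as 02-01-02-01-02-01 contains no hex letters, so the case comes back as None; take a second sample from a client whose address contains a-f before creating accounts in bulk.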
MAC authentication, 1200 WAP's, IAS
I am setting up WPA and MAC authentication on a number of 1200 series access points. In my testing, I've got WPA/EAP working fine with username and password, but I'd like to add MAC filtering as well using IAS, but can't get it to work.
I think the problem lies with the MAC "username" and "password" that the AP passes to IAS. Is both the username AND password the MAC of the wireless client NIC?
Thanks,
Jason
Thanks, but I've searched Google quite a bit and not found the answer. I've also read the article you posted. In fact it is that article I used to create the initial setup.
The article, however, states that the Cisco AP passes the shared secret to IAS/AD as the password for the MAC "username" in AD, but that does not appear to be the case. I am getting bad username or password in my IAS logs, but I know the username is set correctly as the AP passes it to the IAS logs and it matches what I've created in AD for username, so I believe it is a password issue. -
My App Store is not working after installing Mavericks. When I open the App Store it repeatedly asks me to log in with my Apple ID and to provide a user name and password for proxy authentication, in a loop. I am a newbie to Mac, please help me.
Hmmmm... would appear that you need to be actually logged in to enable the additional menu features.
Have you tried deleting the plists for MAS?
This page might help you out...
http://www.macobserver.com/tmo/answers/how_to_identify_and_fix_problems_with_the_mac_app_store
Failing that, I will have to throw this back to the forum to see if anyone else can advise further.
Let me know how you get on?
Thanks. -
Outlook 2011 for Mac not authenticating with Exchange 2010
Hi,
We have an issue with our Mac Clients authenticating with our Exchange Server. We have Exchange 2010 Version 14.03.0174.001.
Outlook is saying the credentials are incorrect for the user when we know they work fine in OWA and in Outlook 2010.
It seems this is since we re-keyed our SSL certificate. I have changed the EWS directory to Basic Authentication and also re-created the EWS directory. I have also re-run all the SBS Wizards.
Is there anything else we can do to get this sorted?
Thanks
Hi Robert,
I found a KB for your reference:
Sending email error "Authentication failed. Error 17897" in Outlook 2011 for Mac
http://support.microsoft.com/kb/2492901
If it does not match yours, please paste the details without sensitive information.
Thanks
Mavis
Mavis Huang
TechNet Community Support -
MAC Exception for Web Authentication
Hello folks. I currently have a guest network set up using guest tunneling and an anchor controller. I have it configured for web authentication. So basically, a client associates to the SSID, obtains a DHCP IP from the guest anchor controller, and then when the browser is launched the client is redirected to 1.1.1.1 and receives the splash page where they are required to click "OK" to proceed and begin surfing the internet.
I am being told by a vendor that it's possible to use a mac-address exception method so specific clients (based on MAC address) will not have to web authenticate. So basically they bypass the splash screen and can immediately begin surfing the internet.
From what I can tell it's all or nothing per SSID.
Has anyone ever heard of this and, if so, do you know how it is accomplished?
Thanks
Chuck
I've seen people ask for something like this for like an XBOX in a dorm (apparently XBOX doesn't have a browser?).....
Bottom line though is that on the WLC, all wireless clients on a WebAuth/WebPassthrough SSID must pass layer 3 authentication. There is no way around this on this SSID. You'd have to create a different SSID as Scott suggested, which I'd probably suggest doing some kind of PSK on it, so only a few privileged devices can associate.... you could even throw in mac-filtering if you really wanted to complicate it....
Now, I understand that switches may have such a feature called mac-bypass, but it isn't on the WLC. -
Mail won't let me turn off Server Authentication for .Mac accounts
Greetings. Mail won't let me alter my server settings for .Mac. I am attempting to turn off "server authentication" so that I can use my .Mac account via mail through a hotel network, but every time I change the setting and exit the preferences screen Mail automatically reverts back to the previous setting. Ideas?
Set up a new account for that with account type either IMAP or POP (not .Mac) as you desire.
-
Outgoing SMTP for Mac Mail Authentication (none or password)?
I have had to set up a test account due to some corruption issues and I have a new temporary password for iCloud.
And I am in the outgoing SMTP > ADVANCED section of Mail.
Does anyone know if I set up an SMTP server for Mac Mail as having authentication set to "none" or set to "password", and whether this password should be my new temp pass?
If your ISP requires POP before SMTP authentication, which requires checking the account's incoming mail server for new mail before being able to send with the account's SMTP server (checking the account for new mail should be required once per session only), then authentication for the SMTP server should be set to None.
Go to Mail > Preferences > Accounts and under the account information tab for the account preferences at the SMTP server selection, select the Server Setting button below.
If Password is selected for SMTP authentication, change it to None and test if this resolves the problem.
If None is selected and your ISP requires password authentication for their SMTP server, select Password and enter the account's user name and password required for the authentication. -
MAC authentication failed for Wired Users
Hi,
I tried to configure MAC authentication for registered users by ACS. But failed. Need help.
ok ok.. I got your point.... please correct my config steps:
1. Added switch as AAA client into ACS
2. Entered machine MAC address into ACS user-setup as both username & password.
3. In 64, 65 & 81 (in both group & user setup) chose 64=vlan; 65=802; 81=authenticated_vlan_id
4. in switch
aaa new-model
aaa authentication dot1x default group radius
radius-server host acs_ip auth-port 1645 acct-port 1646 key ****
dot1x system-auth-control
int fa0/1
switchport mode access
dot1x mac-auth-bypass
dot1x port-control auto
dot1x reauthentication
dot1x pae authenticator
dot1x guest-vlan 900
Note: Whenever I issue the command "port-control auto" the line protocol of the port goes down.
5. in end machine disable ieee 802.1x authentication.
I will try this setting tomorrow & update you accordingly. -
Hello Everyone,
I have an issue with my Cisco 1602 WAP. I am trying to configure WPA-PSK and MAC authentication on local RADIUS, but I don't know why it doesn't work and the client can bypass the MAC authentication. Below is the partial configuration:
dot11 ssid WLAN
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 XXX
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 20 mode ciphers aes-ccm
ssid WLAN
antenna gain 0
stbc
beamform ofdm
mbssid
channel 2462
station-role root
interface Dot11Radio0.20
encapsulation dot1Q 20 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface BVI1
ip address 10.133.16.2 255.255.255.128
no ip route-cache
radius-server local
nas 10.133.16.2 key 7 10.133.16.2
group MAC
vlan 20
ssid WLAN
block count 3 time infinite
reauthentication time 1800
user 54724f80421c password 54724f80421c group MAC
Further information can be provided by request.
Cheers,
Parham
What are you trying to accomplish?
With the PSK you aren't telling the client it needs to do .1x auth for the Mac authentication.
If you are just trying to keep some clients off the wireless, I would take a look at doing a MAC ACL (ACL 700)
HTH,
Steve -
I am jumping headfirst into ACS and have a question about authenticating clients via MAC address through an AP1200 to ACS4.0.
I have only done Windows IAS before to auth VPN clients, so this is new.
I am reading all the docs I can find and still can't understand how I can enter the MAC address of an allowed station into either the ACS database or the Windows directory.
Also, has anyone ever seen (or written) a simple "how-to" on setting up ACS and an AP?
Thanks
hii
u need to configure the attribute value pairs if ur going for radius authentication
i am sending u related doc i think this is enough i am also workin on same if need any help most welcome
However, by entering an IP address in place of the CLI you can use the
non-IP-based filter even when the AAA client does not use a Cisco IOS release
that supports CLI or DNIS. In another exception to entering a CLI, you can enter
a MAC address to permit or deny; for example, when you are using a Cisco
Aironet AAA client. Likewise, you could enter the Cisco Aironet AP MAC
address in place of the DNIS. The format of what you specify in the CLI
box—CLI, IP address, or MAC address—must match the format of what you
receive from your AAA client. You can determine this format from your RADIUS
Accounting Log.
Attributes for DNIS/CLI-based restrictions, per protocol, include the following
NAR fields:
• If you are using TACACS+—The NAR fields listed employ the following
values:
– AAA client—The NAS-IP-address is taken from the source address in
the socket between Cisco Secure ACS and the TACACS+ client.
– Port—The port field in the TACACS+ start packet body is used.
– CLI—The rem-addr field in the TACACS+ start packet body is used.
– DNIS—The rem-addr field taken from the TACACS+ start packet body
is used. In cases in which the rem-addr data begins with “/” the DNIS
field contains the rem-addr data without the “/” character. -
I have Outlook 2011 for Mac - I have validated the settings and up until yesterday could send and receive emails using my .mac account.
I can send using icloud and mail (I use Outlook for work purposes) and can send in outlook using my work accounts.
My settings
Incoming server - imap.mail.me.com
Use SSL to connect checked.
Outgoing server - smtp.mail.me.com
override default port checked (port 587)
use SSL to connect checked
authentication - Username and password.
I have rebuilt the database - no effect.
I continue to get the error
"Mail could not be sent
The server for account "mac" returned the error. 5.7.8. Bad Username or password (Authentication failed..)" Your username/password or security settings may be incorrect. Would you like to try rentering your password"
I have validated my username and password and re-entered them both.
I have emptied the outbox and retried but nothing works.
Thanks for the help.
Update - I now have it working.
I am not really sure what exactly fixed it.
I changed a lot of things but my setup now has the following which I think fixed.
outgoing server - p06-smtp.mail.me.com
override default port checked - port now 587
on more options button changed it to "use incoming server info".