MAC authentication, 1200 WAP's, IAS
I am setting up WPA and MAC authentication on a number of 1200 series access points. In my testing, I've got WPA/EAP working fine with username and password, but I'd like to add MAC filtering as well using IAS, but can't get it to work.
I think the problem lies with the MAC "username" and "password" that the AP passes to IAS. Is both the username AND password the MAC of the wireless client NIC?
Thanks,
Jason
Thanks, but I've searched Google quite a bit and not found the answer. I've also read the article you posted. In fact it is that article I used to create the initial setup.
The article, however, states that the Cisco AP passes the shared secret to IAS/AD as the password for the MAC "username" in AD, but that does not appear to be the case. I am getting bad username or password in my IAS logs, but I know the username is set correctly as the AP passes it to the IAS logs and it matches what I've created in AD for username, so I believe it is a password issue.
Similar Messages
-
Mac authentication by IAS in WAP4410N
I have a access point model WAP4410N , I want to configure for mac authentication by using MS IAS , but when I set MY SSID to radius in wireless connection control and try to connect to that SSID by a labtop I didn't get any logs in my IAS , anybody knows when this problem happened ? my methods for radius mac authentication is correct or not ?
Did you define the AP as a client in the IAS?
Steve
Sent from Cisco Technical Support iPhone App -
Hi, I´m having some trouble to authenticate the users with EAP and MAC authentication, i´m using IAS server and the EAP authentication is working well, but when I configure the MAC and EAP authentication, it doesn´t connect to the clients.
Any idea how can I solve this problem??
ThanskI think MAC authentication is not supported in IAS , you can do MAC address filtering on AP
-
MAC Authentication on autonomous APs
Hi!
Has anyone here tried MAC authentication using Aironet 1200 series? If so, can you please tell me how to do it? Because I've been trying to make it work and it just won't work. Thanks!
RegardsHi,
Are you talking about radius mac-authentication ?
The steps to configure MAC authentication on the ACS server and AP :
[1] GO to Server Manager
In the Corporate Servers -->Current Server List
-- Select the Radius Server in the drop down.
-- Specify the Server IP address in the Server: field
-- Specify the Shared Secret in the Shared Secret: field
-- Set the Authentication Port (optional): 1645 and the Accounting Port (optional): 1646
- click on Apply
-- In the Default Server Priorities aand under MAC Authentication
-- In the drop down Priority 1: select the IP address of the ACS server and click on Apply
[2] Goto SSid MAnager
-- Select the ssid, In case a new SSID needs to be created create a new ssid.
-- In Authentication Settings --> Methods Accepted: --> check on Open Authentication:
--> Select with Mac Authentication from the drop down menu.
- Click on the Apply all button to save this setting
[3] Goto Advanced Security
-- In the MAC Address Authentication -->MAC Addresses Authenticated by:
-- Select Authentication Server Only and click on Apply
On the ACS server Create Users with user names and password set to the MAC address of the
clients. These user names/passwords should NOT have any spaces or dots in between them..
Regards,
~JG -
WPA PSK doesn't work with MAC Authentication. AP1231G
Hi, yesterday I've installed an Aironet Access Point 1200 series AP1231G for the first time.
I'd like to use MAC Authentication with an WPA Pre-Shared Key. But it doesn't work. If I choose "Open Authentication with MAC Authentication", I can't type an WPA Pre-Shared Key. The system doesn't keep it.
It only works with "Open Authentication" without MAC-Filter.
Settings:
Encryption Manager: TKIP
SSID Manager
1. Client Authentication: Open Authentication with MAC Authentication
2. Key Managemnet: Mandatory WPA + WPA Pre-Shared-Key
If I type in a Pre-Shared-Key and click on "Apply", the Pre-Shared-Key get loss.Tina,
In Cisco IOS releases 12.3(4)JA and later, you cannot enable both MAC-address authentication and WPA-PSK.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00804e7d09.html#wp1034916 -
Hello Everyone,
I have an issue with my Cisco 1602 WAP. I am trying to configure the WPA-PSK and MAC authentication on local RADIUS but I don't know why it doesn't work and client can bypass the MAC authentication. below is partial configuration:
dot11 ssid WLAN
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 XXX
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 20 mode ciphers aes-ccm
ssid WLAN
antenna gain 0
stbc
beamform ofdm
mbssid
channel 2462
station-role root
interface Dot11Radio0.20
encapsulation dot1Q 20 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface BVI1
ip address 10.133.16.2 255.255.255.128
no ip route-cache
adius-server local
nas 10.133.16.2 key 7 10.133.16.2
group MAC
vlan 20
ssid WLAN
block count 3 time infinite
reauthentication time 1800
user 54724f80421c password 54724f80421c group MAC
Further information can be provided by request.
Cheers,
Parhamwhat are you trying to accomplish?
With the PSK you aren't telling the client it needs to do .1x auth for the Mac authentication.
If you are just trying to keep some clients off the wireless, I would take a look at doing a MAC ACL (ACL 700)
HTH,
Steve -
MAC Authentication does not work
My MAC Authentication does not work.
I have a ACS 3.0 server set. the MAC address is set in the user name field and in the password field.
I can ping the ACS, I can ping my AP, I can ping my client.
I don't want WEP and I don't want LEAP just MAC. So I set my authentication to "Open with MAC" My client has WEP set to NO WEP and authentication to OPEN
I have the latest drivers for both AP and my 350 Client.
I see that the client is associating and disassociating back and forth non stop. My AP log is full with the following message:
Station 0009.7c9f.xxxx Authentication failed
this is my config:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname GOM_1200IOS
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
server 10.1.2.197 auth-port 1812 acct-port 1812
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server radius wlccp_rad_infra
aaa group server radius wlccp_rad_eap
aaa group server radius wlccp_rad_leap
aaa group server radius wlccp_rad_mac
aaa group server radius wlccp_rad_any
aaa group server radius wlccp_rad_acct
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login wlccp_infra group wlccp_rad_infra
aaa authentication login wlccp_eap_client group wlccp_rad_eap
aaa authentication login wlccp_leap_client group wlccp_rad_leap
aaa authentication login wlccp_mac_client group wlccp_rad_mac
aaa authentication login wlccp_any_client group wlccp_rad_any
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network wlccp_acct_client start-stop group wlccp_rad_acct
aaa session-id common
enable secret xxxxxx
username Cisco password xxxx
ip subnet-zero
iapp standby timeout 5
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption key 1 size 40bit 7 9DF1C10BF11A transmit-key
ssid GOM_1230
authentication open mac-address mac_methods
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
channel 2462
station-role root
no cdp enable
dot1x reauth-period server
dot1x client-timeout 600
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no cdp enable
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 172.16.43.45 255.255.240.0
no ip route-cache
ip default-gateway 172.16.47.254
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
access-list 700 permit 000a.b74c.e8c9 0000.0000.0000
access-list 700 permit 0009.7c9f.d6e0 0000.0000.0000
access-list 700 permit 0006.25b1.2f79 0000.0000.0000
access-list 700 permit 000a.b78b.2d19 0000.0000.0000
access-list 700 permit 000b.5f6e.77c8 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
access-list 701 deny 000b.5f6e.77c8 0000.0000.0000
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
no cdp run
snmp-server community GOM_AP1230 RO
snmp-server enable traps tty
radius-server local
group AP1230
user brazil nthash 7 1249523544595F517972017912677A3055325A25770B08770D5C5B4E4478087605 group AP1230
radius-server host 10.1.2.197 auth-port 1812 acct-port 1812 key 7 00233C2B
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 5 15
end
What is wrong?
Thanks very much for your help.I figured out what was wrong so thank you for stopping by.
I will publish the config for other people to see.
Regards, -
Machine MAC authentication by ACS
Hi,
I have 1 AP 1240 & ACS 4.1 Solution Engine.
I want to authenticate internal users by their MAC addresses (that is created into ACS database) after selecting appropriate SSID from the AP.
Let me give you an idea of the setup & config:
I have a DHCP server in the network from where users will get IP addresses.
I have created 2 VLAN's in the switch & made the port as "Trunk" that is connected with AP. VLAN 1 as native VLAN (AP & ACS is asigned ip addresses of native vlan range) & VLAN 2 for Internal Users.
Radio interfaces are mapped to the VLAN id & SSID is mapped with VLAn as well in AP.
MAC addresses are confiured into ACS (without any space, comma, special character..the mac addreses are put manually in the ACS to avoid the generation of any phantom character).
The problem is "USers are not getting IP addreses from the dhcp pool created in the switch" after selecting the SSID.
Please ry to help me out in this...You can try to disable aironet extensions & enable the SSID as guest mode SSID. Also, try to change the datarates to enable. Else, configure MAC authentication and disable SSID as guest mode SSID.
-
Sg300 - 802.1x NPS - mac authentication not working
I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
My current port configuration on the SG300:
interface fastethernet1
dot1x guest-vlan enable
dot1x max-req 1
dot1x reauthentication
dot1x timeout quiet-period 10
dot1x authentication 802.1x mac
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode access
On the Windows NPS server there is following error to see:
Authentication Details:
Connection Request Policy Name: Secure Wire
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: myradius.local
Authentication Type: -
EAP Type: -
Account Session Identifier: 30353030399999
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
There is compared to the message from the 3850 the authentication type missing (PAP) and a not very helpful error message displayed...Still not working.
I tried different settings and (also older) software versions on the SF302-08P.
Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
The NPS reports following error:
Schannel:
The following fatal alert was received: 40.
EventID 36887
If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
... is this a bug on the SF302-08P? -
Enabling 802.1x and MAC Authentication Bypass on ACS 4.2
Hi experts,
I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
Our company would like to enforce 'double authentication' on each staff machine (include those personal laptop/notebook). Each time the staff plugged into company's network, they will need to supply username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine is not match in ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
ii. If it is possible, any reference that I can check on how to configure this?
The reason why I need MAC authentication + 802.1x to be configured at ACS as most of our switches are not cisco based and only capable to support 802.1x.
Hope anyone here could help me on this.
Thanks very much,
DanielWith ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
802.1x: MAC Authentication Bypass
Hey sorry for keeping bugging you guys...
So I am configuring this Bypass thing on my 3750 switch. It works fine. It seems the switch will send a access request to the radius server (I use FreeRadius) with the username/password both as the MAC address of the deivce.
However my dilema is that I have 200+ these devices. I can easily create a user group with MAC starting with 00a008 (which are the first 3 octets of the MAC addresses), however it's impossible to include each of the MAC address as the password!
So my question is that whether there is a way to configure the switch use a static string as the password for all the devices using MAC Authentication Bypass?
Thank you!!
DifanDifan:
I went through your post and understand that you are in a process of configuring 802.1x with MAB in such way so that you use custom password (except Mac address) for all users OR shared password string that should be sent by the switch but this is not possible.
Reason: Switch only send the device Mac address as the username and password. The user name should be the mac address of the client and the password should be same as username and this can't be change on cisco switches.
I have also attached a document regarding MAB for your better understanding.
This forum is only for you guys...keep bugging us
HTH
JK
Pls rate helpful posts- -
Urgent 802.1x and MAC-Authentication Problem
Hi all
I want to deploy the mac- authentication in my network. and I have 3000 users. In the lab the authenticatoion for the machine takes:
Vista : 15 - 20 seconds
XP : 30 - 35 seconds
Is there any way to reduce this time less than 10 seconds. My users count are 3000 will the time go bigger because of this.
Please help me.
Thanks and Best Regards
amadyWith ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
Hello all
WLC Appliance supports Local MAC Authentication, http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#conf
Does Virtual WLC support this too?
Thanks
FrancoHello, Franco.
Have you checked the data sheet for the Cisco Virtual WLC's security Standards? Check this link: (http://cs.co/9007qz7W).
Are you planning to switch from a WLC appliance to a virtual?
Kind regards. -
I am currently using WPA2-spk. I want to add another layer of security. I know I could do EAP. I am also looking at mac authentication. But I want to host the mac list on an ACS server. Setting the the mac addresses on the ACS server is pretty cut and dry, but how can I configure the ap to look to the ACS server for its mac list? And, how can I get WPA-spk and mac authentication to work together?
Hi Jared,
you can do this by setup the following:
Webinterface:
1. Securtiy -> Server Manager
Setup the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
2. Securtiy -> Advanced Securtiy
In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
IOS Interface from config mode:
aaa group server radius rad_mac
server 10.20.40.37 auth-port 1645 acct-port 1646
and
aaa authentication login mac_methods group rad_mac
or
aaa authentication login mac_methods group rad_mac local (for local fallback)
I have not tested this, cause the MAC of the supplicants is to easy to sniff and any medium skilled person may used a sniffed MAC to enter the first authentication stage!
Better use a setup with EAP-FAST or PEAP!
I hope that helps.
Best regards,
Frank
I hope that helps. -
Wireless Guest and mac authentication
Hi all,
I want to setup a wifi guest network with mac based authentication.
I already have the guest anchor controller and the remote wlc controller (and the mobility tunnel) up and running.
However, i am uncertain where i have to program the mac addresses: on the remote wlc or on the guest controller ? (for local database mac)
It seems my authentication only works if i program the mac address of the 'remote' wlc (the wlc holding the AP).
This is a pitty, as i was hoping to centralise all "appoved" mac addresses on the guest controller and not on each individual wlc seperatly.
Also, suppose i want a radius server to validate the mac address. Which controller is going to sent the radius request ? the wlc controller
managing the AP or the guest anchor controller ?
Does the remote wlc also need to be configured with "Layer2 security: none"+"mac authentication" (the same as the anchor controller) or can i put "Layer2:none" and put the anchor controller on "Layer2: none"+mac authentication ?
regards,
GeertHi Geert,
The rule is straightforward : layer 2 is handled by foreign WLC (one holding the AP) and layer 3 handled by the anchor (the guest).
This means the anchor WLC handles the dhcp/ip address, it handles the web authentication etc ...
But only the foreign WLC knows which AP the client is associated to, it's the only one to have layer 2 information so that's the one doing layer 2 authentication (wpa psk or mac filtering).
The way to "centralize" for you would be to have the mac addresses on a radius server or to push the mac addresses on the controllers via WCS.
Hope this clarifies,
Nicolas
===
Don't forget to rate answers that you find useful
Maybe you are looking for
-
What is the difference between these two reports MC.1 and MB5L
Hi what is the difference between these two reports MC.1 and MB5L? what is the Purpose of each report? Material ledger is activated for this plant, we found some amount difference between these two reports, my client accounting department used to com
-
Can Reader 10 create a pdf from a website (by printing as PDF)? if so, how?
-
My 30" display only offers 1280x800 resolution
In my display system preferences, this is as high as it goes. My previous monitors all allowed between 1280x1024 and i had another crt that offered up to 1600. Shouldn't it be 2560x1600? Thanks
-
Activating Confirmation Tab in Return Purchase Order
Hello, My problem is when I am creating a return in me21n, in the item header when I cliked in the confirmation tab it is not active. How can I activate this ?
-
Hello. I've been attempting to do a very simple task that just isn't working. For a Data Flow Task action in SSIS, I am trying to export data from a single SQL Server (2008 R2) database table to an Excel spreadsheet (.xlsx). No matter what I do, it