MAC Authentication on autonomous APs

Similar Messages

• 802.1x auth fail through WLC but OK on autonomous APs

  Hello,
  I migrate 1310 APs from Autonomous to Lightweight. Migration is OK with Cisco Upgrade Tool, and AP are registered on my 2504 WLC.
  Previously, a 802.1x network was broadcasted by autonomous APs, supplicants were identified on a freeradius server with MSCHAPv2/PEAP method.
  I send you in attachement a AP config which is OK.
  But on the WLC, supplicants can't auth on Radius server.
  I configured a WLAN with WPA/TKIP/802.1x with my radius server in AAA tab.
  When clients try to authenticate, I get these messages where xxx is login:
  AAA Authentication Failure for UserName:821 User Type: WLAN USER
  AAA Authentication Failure for UserName:200 User Type: WLAN USER
  AAA Authentication Failure for UserName:209 User Type: WLAN USER
  Security info on client page is:
  Security Policy Completed
  No
  Policy Type
  WPA
  Encryption Cipher
  TKIP-MIC
  EAP Type
  PEAP
  SNMP NAC State
  Access
  Radius NAC State
  8021X_REQD
  What is strange, there are some clients which are OK in RUN State, and 50 other % which are not.
  In attachment there is a debug client "mac-address" on a device which cannot authenticate through WLC.
  Thank you,
  Clement

  Hi Amjad,
  I'm not using NAC.
  Clients makes a MSCHAPv2/PEAP auth on a FreeRadius server through the WLC.
  Because network is critical, I do a rollback so I passed the light APs into their autonomous original state.
  Now all clients can successfully auth on the network. I don't understand what happens when APs are in lightweight mode :/
  I have more information about the WLAN clients  :
  - Each client is an infrastructure which have a AXIS wireless modem in bridge mode, which is client of the WLAN. This modem have login/password for MSCHAPv2 auth.
  - Behind the AXIS, there is a switch on which 4 devices in static IP are connected.
  - If the AXIS is successfully authenticated on the WLAN, only one device of four is able to ping servers on the LAN. The others cannot, it seems to be a "token ring" like ?!
  The WLAN clients infrastructures are very proprietary, it's very difficult to debug.
  What I know, is all clients are OK on autonomous AP (auth 100% successfull, ping 100% successfull for 4 devices) and when the clients join a lightweight AP it is (auth 50% successfull, ping 100% successfull for 1 device, 0% successfull for 3 others devices)
  Tell me if you need specific debug logs.
  Clement

• WLC Flexconnect with AAA and MAC authentication

  hi,
  i am having cisco WLC with 7.4.121 version and i am having remote side access points to be connected to this controller and remote access point will have different vlan on the remote side itself.
  my question is i am having  Radius authentication for the clients who are all connecting from all the access points and MAC filtering also.
  My radius server is placed in the HQ where we have WLC. which method of flexconnect switchign will give be both AAA and MAc filter options to be working.
  one more question,
  is it possible to make each AP seperate MAC filters On the WLC.
  thanks
  cyril

  If you are planning on doing machine authentication i.e authentication of machine with username password by the AAA server at then this is possible using flexconnect local switching enabled provided you have your AAA server accessible via the local VLAN at the remote site.
  In case you are planning on doing mac-filtering using WLC and username/password authentication using AAA server then this cannot be achieved when you enable Flexconnect local switching as you do not get an option to configure the mac-filtering on Flex-connect groups.Hence you would need to use central authentication.
  Actually the best option for you is that you either deploy a local site AAA server and do both the authentications via your radius server or use Central authentication with Flexconnect APs incase this is not feasible.
  Hope this clears you doubts!!!
  Note: Please do not forget to rate and accept as solution incase the post is valid.

• WPA2-PSK with open MAC authentication

  Can anyone help me with the configuration of Autonomous ap with WPA2-PSK with mac authentication..?
  I tried configuring and created 700 ACL. But its not working

  once i enable mac authentication "wpa-psk ascii 7 06020C234D1F5B4A511416" dissappears. :(
  Model: AIR-SAP1602E-N-K9
  IOS: ap1g2-k9w7-mx.152-2.JB2/ap1g2-k9w7-mx.152-2.JB2
  Getting Error: WPA-PSK not supported with MAC address authentication configured

• WPA 2 with Mac authentication

  Hi all,
  I am faced with a dilemma. I have implemented a wireless network throughout our main building using wpa2 leap authenticating against Active directory. Now Security Engineer is griping that mac authentication be used in addition. The only reason I did not choose this option because I believe that the mac is transmitted with an initial packet and can be spoofed anyway not to mention the overhead of tracking all macs. Does anyone have any input on this issue that would help the argument of supporting or not supporting the authentication methods I just spoke of any help is greatly appreciated!

  Well, if your security engineer is so dead set on adding MAC address to the authentication process even though he knows that MAC address can be spoofed(it's biggest vulnerability) - good luck with changing his mind.
  I had experience with MAC authentication at the enterprise level. I used it along with WEP. Obviously there is no AD or RADIUS in place. Entire list of MAC addresses is kept on all APs to facilitate enterprise-wide roaming. Well, having a list of 300 MACs on the AP makes the authentication process painfully slow. I don't know how many clients you have and what kind of RADIUS server you are using. The impact will be different in your case.
  Apart from slow authentication process because of gigantic list of MACs, it is very hard to keep up with all MACs because of new laptops and upgraded client adapters, etc. If the users make a fuss, your Security Engineer may change his mind.
  HTH

• MAC Authentication does not work

  My MAC Authentication does not work.
  I have a ACS 3.0 server set. the MAC address is set in the user name field and in the password field.
  I can ping the ACS, I can ping my AP, I can ping my client.
  I don't want WEP and I don't want LEAP just MAC. So I set my authentication to "Open with MAC" My client has WEP set to NO WEP and authentication to OPEN
  I have the latest drivers for both AP and my 350 Client.
  I see that the client is associating and disassociating back and forth non stop. My AP log is full with the following message:
  Station 0009.7c9f.xxxx Authentication failed
  this is my config:
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname GOM_1200IOS
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  server 10.1.2.197 auth-port 1812 acct-port 1812
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa group server radius wlccp_rad_infra
  aaa group server radius wlccp_rad_eap
  aaa group server radius wlccp_rad_leap
  aaa group server radius wlccp_rad_mac
  aaa group server radius wlccp_rad_any
  aaa group server radius wlccp_rad_acct
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authentication login wlccp_infra group wlccp_rad_infra
  aaa authentication login wlccp_eap_client group wlccp_rad_eap
  aaa authentication login wlccp_leap_client group wlccp_rad_leap
  aaa authentication login wlccp_mac_client group wlccp_rad_mac
  aaa authentication login wlccp_any_client group wlccp_rad_any
  aaa authorization exec default local
  aaa authorization ipmobile default group rad_pmip
  aaa accounting network acct_methods start-stop group rad_acct
  aaa accounting network wlccp_acct_client start-stop group wlccp_rad_acct
  aaa session-id common
  enable secret xxxxxx
  username Cisco password xxxx
  ip subnet-zero
  iapp standby timeout 5
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption key 1 size 40bit 7 9DF1C10BF11A transmit-key
  ssid GOM_1230
  authentication open mac-address mac_methods
  speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
  rts threshold 2312
  channel 2462
  station-role root
  no cdp enable
  dot1x reauth-period server
  dot1x client-timeout 600
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  no cdp enable
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 172.16.43.45 255.255.240.0
  no ip route-cache
  ip default-gateway 172.16.47.254
  ip http server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
  ip radius source-interface BVI1
  access-list 700 permit 000a.b74c.e8c9 0000.0000.0000
  access-list 700 permit 0009.7c9f.d6e0 0000.0000.0000
  access-list 700 permit 0006.25b1.2f79 0000.0000.0000
  access-list 700 permit 000a.b78b.2d19 0000.0000.0000
  access-list 700 permit 000b.5f6e.77c8 0000.0000.0000
  access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
  access-list 701 deny 000b.5f6e.77c8 0000.0000.0000
  access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
  no cdp run
  snmp-server community GOM_AP1230 RO
  snmp-server enable traps tty
  radius-server local
  group AP1230
  user brazil nthash 7 1249523544595F517972017912677A3055325A25770B08770D5C5B4E4478087605 group AP1230
  radius-server host 10.1.2.197 auth-port 1812 acct-port 1812 key 7 00233C2B
  radius-server retransmit 3
  radius-server attribute 32 include-in-access-req format %h
  radius-server authorization permit missing Service-Type
  radius-server vsa send accounting
  bridge 1 route ip
  line con 0
  line vty 5 15
  end
  What is wrong?
  Thanks very much for your help.

  I figured out what was wrong so thank you for stopping by.
  I will publish the config for other people to see.
  Regards,

• Machine MAC authentication by ACS

  Hi,
  I have 1 AP 1240 & ACS 4.1 Solution Engine.
  I want to authenticate internal users by their MAC addresses (that is created into ACS database) after selecting appropriate SSID from the AP.
  Let me give you an idea of the setup & config:
  I have a DHCP server in the network from where users will get IP addresses.
  I have created 2 VLAN's in the switch & made the port as "Trunk" that is connected with AP. VLAN 1 as native VLAN (AP & ACS is asigned ip addresses of native vlan range) & VLAN 2 for Internal Users.
  Radio interfaces are mapped to the VLAN id & SSID is mapped with VLAn as well in AP.
  MAC addresses are confiured into ACS (without any space, comma, special character..the mac addreses are put manually in the ACS to avoid the generation of any phantom character).
  The problem is "USers are not getting IP addreses from the dhcp pool created in the switch" after selecting the SSID.
  Please ry to help me out in this...

  You can try to disable aironet extensions & enable the SSID as guest mode SSID. Also, try to change the datarates to enable. Else, configure MAC authentication and disable SSID as guest mode SSID.

• Mac authentication by IAS in WAP4410N

  I have a access point model WAP4410N , I want to configure for mac authentication by using MS IAS , but when I set MY SSID to radius in wireless connection control and try to connect to that SSID by a labtop I didn't get any logs in my IAS , anybody knows when this problem happened ? my methods for radius mac authentication is correct or not ?

  Did you define the AP as a client in the IAS?
  Steve
  Sent from Cisco Technical Support iPhone App

• Sg300 - 802.1x NPS - mac authentication not working

  I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
  Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
  My current port configuration on the SG300:
  interface fastethernet1
   dot1x guest-vlan enable
   dot1x max-req 1
   dot1x reauthentication
   dot1x timeout quiet-period 10
   dot1x authentication 802.1x mac
   dot1x radius-attributes vlan static
   dot1x port-control auto
   switchport mode access
  On the Windows NPS server there is following error to see:
  Authentication Details:
      Connection Request Policy Name:    Secure Wire
      Network Policy Name:        -
      Authentication Provider:        Windows
      Authentication Server:        myradius.local
      Authentication Type:        -
      EAP Type:            -
      Account Session Identifier:        30353030399999
      Reason Code:            1
      Reason:                An internal error occurred. Check the system event log for additional information.
  There is compared to the message from the 3850 the authentication type missing (PAP) and a not very helpful error message displayed...

  Still not working.
  I tried different settings and (also older) software versions on the SF302-08P.
  Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
  The NPS reports following error:
  Schannel:
  The following fatal alert was received: 40.
  EventID 36887
  If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
  ... is this a bug on the SF302-08P?

• Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

  Hi experts,
  I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
  i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
  Our company would like to enforce 'double authentication' on each staff machine (include those personal laptop/notebook). Each time the staff plugged into company's network, they will need to supply username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine is not match in ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
  ii. If it is possible, any reference that I can check on how to configure this?
  The reason why I need MAC authentication + 802.1x to be configured at ACS as most of our switches are not cisco based and only capable to support 802.1x.
  Hope anyone here could help me on this.
  Thanks very much,
  Daniel

  With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
  Specific info is here:
  <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
  Hope this helps,

• 802.1x: MAC Authentication Bypass

  Hey sorry for keeping bugging you guys...
  So I am configuring this Bypass thing on my 3750 switch. It works fine. It seems the switch will send a access request to the radius server (I use FreeRadius) with the username/password both as the MAC address of the deivce.
  However my dilema is that I have 200+ these devices. I can easily create a user group with MAC starting with 00a008 (which are the first 3 octets of the MAC addresses), however it's impossible to include each of the MAC address as the password!
  So my question is that whether there is a way to configure the switch use a static string as the password for all the devices using MAC Authentication Bypass?
  Thank you!!
  Difan

  Difan:
  I went through your post  and understand that you are in a process of configuring 802.1x with MAB in such way so that you use custom password (except Mac address) for all users OR shared password string that should be sent by the switch but this is not possible.
  Reason: Switch only send the device Mac address as the username and password. The user name should be the mac address of the client and the password should be same as username and this can't be change on cisco switches.
  I have also attached a document regarding MAB for your better understanding.
  This forum is only for you guys...keep bugging us
  HTH
  JK
  Pls rate helpful posts-

• Urgent 802.1x and MAC-Authentication Problem

  Hi all
  I want to deploy the mac- authentication in my network. and I have 3000 users. In the lab the authenticatoion for the machine takes:
  Vista : 15 - 20 seconds
  XP : 30 - 35 seconds
  Is there any way to reduce this time less than 10 seconds. My users count are 3000 will the time go bigger because of this.
  Please help me.
  Thanks and Best Regards
  amady

  With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
  Specific info is here:
  <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
  Hope this helps,

• VWLC and Mac Authentication

  Hello all
  WLC Appliance supports Local MAC Authentication, http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#conf
  Does Virtual WLC support this too?
  Thanks
  Franco

  Hello, Franco. 
  Have you checked the data sheet for the Cisco Virtual WLC's security Standards? Check this link: (http://cs.co/9007qz7W). 
  Are you planning to switch from a WLC appliance to a virtual?
  Kind regards. 

• WPA2 and mac authentication

  I am currently using WPA2-spk. I want to add another layer of security. I know I could do EAP. I am also looking at mac authentication. But I want to host the mac list on an ACS server. Setting the the mac addresses on the ACS server is pretty cut and dry, but how can I configure the ap to look to the ACS server for its mac list? And, how can I get WPA-spk and mac authentication to work together?

  Hi Jared,
  you can do this by setup the following:
  Webinterface:
  1. Securtiy -> Server Manager
  Setup the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
  2. Securtiy -> Advanced Securtiy
  In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
  IOS Interface from config mode:
  aaa group server radius rad_mac
  server 10.20.40.37 auth-port 1645 acct-port 1646
  and
  aaa authentication login mac_methods group rad_mac
  or
  aaa authentication login mac_methods group rad_mac local (for local fallback)
  I have not tested this, cause the MAC of the supplicants is to easy to sniff and any medium skilled person may used a sniffed MAC to enter the first authentication stage!
  Better use a setup with EAP-FAST or PEAP!
  I hope that helps.
  Best regards,
  Frank
  I hope that helps.

• IAS and MAC authentication

  Hi, I´m having some trouble to authenticate the users with EAP and MAC authentication, i´m using IAS server and the EAP authentication is working well, but when I configure the MAC and EAP authentication, it doesn´t connect to the clients.
  Any idea how can I solve this problem??
  Thansk

  I think MAC authentication is not supported in IAS , you can do MAC address filtering on AP