Machine MAC authentication by ACS
Hi,
I have one AP 1240 and an ACS 4.1 Solution Engine.
I want to authenticate internal users by their MAC addresses (which are created in the ACS database) after they select the appropriate SSID on the AP.
Let me give you an idea of the setup & config:
I have a DHCP server in the network from where users will get IP addresses.
I have created 2 VLANs in the switch and made the port that is connected to the AP a trunk. VLAN 1 is the native VLAN (the AP and ACS are assigned IP addresses from the native VLAN range) and VLAN 2 is for internal users.
Radio interfaces are mapped to the VLAN ID and the SSID is mapped to the VLAN as well in the AP.
MAC addresses are configured in ACS (without any spaces, commas or special characters; the MAC addresses are entered manually in ACS to avoid the generation of any phantom characters).
The problem is "users are not getting IP addresses from the DHCP pool created in the switch" after selecting the SSID.
Please try to help me out with this...
You can try to disable Aironet extensions and enable the SSID as a guest-mode SSID. Also, try setting the data rates to "enable". Otherwise, configure MAC authentication and disable the SSID as a guest-mode SSID.
Similar Messages
-
MAC authentication failed for Wired Users
Hi,
I tried to configure MAC authentication for registered users via ACS, but it failed. Need help.
OK, I got your point. Please correct my config steps:
1. Added the switch as an AAA client in ACS.
2. Entered the machine MAC address in ACS User Setup as both username and password.
3. In attributes 64, 65 and 81 (in both Group and User Setup) chose 64=VLAN; 65=802; 81=authenticated_vlan_id.
4. in switch
aaa new-model
aaa authentication dot1x default group radius
radius-server host acs_ip auth-port 1645 acct-port 1646 key ****
dot1x system-auth-control
int fa0/1
switchport mode access
dot1x mac-auth-bypass
dot1x port-control auto
dot1x reauthentication
dot1x pae authenticator
dot1x guest-vlan 900
Note: whenever I issue the command "port-control auto", the line protocol of the port goes down.
5. On the end machine, disable IEEE 802.1X authentication.
I will try these settings tomorrow and update you accordingly. -
Enabling 802.1x and MAC Authentication Bypass on ACS 4.2
Hi experts,
I have a few questions regarding 802.1X and MAC Authentication Bypass configured on ACS 4.2.
i. Is it possible to configure MAC authentication + 802.1X on ACS 4.2 at the same time? Here is the scenario:
Our company would like to enforce "double authentication" on each staff machine (including personal laptops/notebooks). Each time a staff member plugs into the company's network, they will need to supply a username and password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking it against its own database. This MAC address is tied to the staff member's user profile in ACS. If the login information supplied by the staff member is valid but the MAC address of their machine does not match the ACS database, then the staff member will not be able to gain access until they notify the administrator about it.
ii. If it is possible, is there any reference I can check on how to configure this?
The reason I need MAC authentication + 802.1X configured on ACS is that most of our switches are not Cisco-based and are only capable of supporting 802.1X.
Hope anyone here could help me on this.
Thanks very much,
Daniel
With ACS, you can set up NARs (Network Access Restrictions) to permit/deny access based on IP-based and non-IP-based filters (like MAC addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
Hi!
I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using Windows XP SP3 (or SP2) as the supplicant.
This is the goal:
On wireless (preferably on wired too) networks, get Windows XP to machine-authenticate against AD using certificates, so the machine can be reached via, for example, ping, and can also get GPO updates.
Then, when the user actually logs in, I need user authentication, so we can run startup scripts, map the home directory and so on.
I have set up a Windows certificate server, and the clients (Windows XP) are receiving both machine and user certificates just fine.
I have also managed to get machine authentication working by setting up a policy rule that checks the certificate only:
"Certificate Dictionary:Common Name contains .admin.testdomain.lan"
But to achieve that, I had to set the EAP type in Windows XP to "Smart Card or other Certificate", and then no PEAP authentication occurs, which I assume I need for user authentication? Or is that possible using certificates too?
I just don't know how to do this, so is there a detailed guide out there for this? I would assume this is something that all administrators using wireless and Windows XP would like to achieve.
Thank you.
Hello again.
I found out how to do this now.
What I needed to do was add a new Certificate Authentication Profile that checks against the Subject Alternative Name, because that was the only thing I could find that was the same in both the user certificate and the machine certificate.
After adding that profile to the Identity Store Sequences and making the appropriate rule in the policy, it works.
You must also remember to change the AuthMode option in the Windows XP registry to "1".
What I really wanted to do was use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.
That would have plugged a few security holes for me. -
802.1x authentication with ACS 4.1 for Mac OS X
Hi,
I simply wanted to know if it's possible to have 802.1X authentication with Mac OS X on the ACS 4.1 platform.
If yes, what are the prerequisites on ACS and Mac OS X? Which authentication methods are recommended?
I'm sorry, but I can't find documents that show validated tests of 802.1X implementation methods on ACS 4.1 with a Mac OS X supplicant.
Thanks in advance
Best regards
Thanks
Yes, refer to the doc below:
http://support.apple.com/kb/HT2717
Port settings and ACS configuration remain the same as for Windows-based clients. -
ACS Server MAC Authentication with Windows Database
Has anyone set up an ACS Server 3.2 for MAC authentication using Windows as the authentication database? The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.
Here is the link for setting up MAC authentication using the CiscoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml -
Urgent 802.1x and MAC-Authentication Problem
Hi all
I want to deploy MAC authentication in my network, and I have 3000 users. In the lab, the authentication for a machine takes:
Vista: 15 - 20 seconds
XP: 30 - 35 seconds
Is there any way to reduce this time to less than 10 seconds? My user count is 3000; will the time increase because of this?
Please help me.
Thanks and Best Regards
amady
With ACS, you can set up NARs (Network Access Restrictions) to permit/deny access based on IP-based and non-IP-based filters (like MAC addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
MAC Authentication does not work
My MAC Authentication does not work.
I have an ACS 3.0 server set up. The MAC address is set in the username field and in the password field.
I can ping the ACS, I can ping my AP, I can ping my client.
I don't want WEP and I don't want LEAP, just MAC. So I set my authentication to "Open with MAC". My client has WEP set to No WEP and authentication set to Open.
I have the latest drivers for both the AP and my 350 client.
I see that the client is associating and disassociating back and forth non-stop. My AP log is full of the following message:
Station 0009.7c9f.xxxx Authentication failed
this is my config:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname GOM_1200IOS
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
server 10.1.2.197 auth-port 1812 acct-port 1812
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa group server radius wlccp_rad_infra
aaa group server radius wlccp_rad_eap
aaa group server radius wlccp_rad_leap
aaa group server radius wlccp_rad_mac
aaa group server radius wlccp_rad_any
aaa group server radius wlccp_rad_acct
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login wlccp_infra group wlccp_rad_infra
aaa authentication login wlccp_eap_client group wlccp_rad_eap
aaa authentication login wlccp_leap_client group wlccp_rad_leap
aaa authentication login wlccp_mac_client group wlccp_rad_mac
aaa authentication login wlccp_any_client group wlccp_rad_any
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network wlccp_acct_client start-stop group wlccp_rad_acct
aaa session-id common
enable secret xxxxxx
username Cisco password xxxx
ip subnet-zero
iapp standby timeout 5
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption key 1 size 40bit 7 9DF1C10BF11A transmit-key
ssid GOM_1230
authentication open mac-address mac_methods
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
channel 2462
station-role root
no cdp enable
dot1x reauth-period server
dot1x client-timeout 600
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no cdp enable
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 172.16.43.45 255.255.240.0
no ip route-cache
ip default-gateway 172.16.47.254
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
access-list 700 permit 000a.b74c.e8c9 0000.0000.0000
access-list 700 permit 0009.7c9f.d6e0 0000.0000.0000
access-list 700 permit 0006.25b1.2f79 0000.0000.0000
access-list 700 permit 000a.b78b.2d19 0000.0000.0000
access-list 700 permit 000b.5f6e.77c8 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
access-list 701 deny 000b.5f6e.77c8 0000.0000.0000
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
no cdp run
snmp-server community GOM_AP1230 RO
snmp-server enable traps tty
radius-server local
group AP1230
user brazil nthash 7 1249523544595F517972017912677A3055325A25770B08770D5C5B4E4478087605 group AP1230
radius-server host 10.1.2.197 auth-port 1812 acct-port 1812 key 7 00233C2B
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 5 15
end
What is wrong?
Thanks very much for your help.
I figured out what was wrong, so thank you for stopping by.
I will publish the config for other people to see.
Regards, -
AP Authentication via ACS.
Hi All,
Just a basic question regarding MAC-based authentication of APs with ACS.
The scenario is: I have an ACS installed and I want all my Cisco 3502 APs to be authenticated on a MAC basis via ACS. I know that the AP MAC is used as the username and password in ACS, so that whenever we plug a new AP into the network, it gets authenticated via ACS first, and only if the AP is authorised for use in the network does it get an IP address from DHCP.
My question is: what will happen if the AP is connected in local mode at a remote location and the WLC, ACS and DHCP are in the data center? The traffic coming from the remote location will pass through the remote-site router, which will replace the source MAC address of the AP with the router interface MAC address, so how will ACS authenticate the AP in that case?
When working in a LAN I know it's possible, but how will it work over the WAN?
Please suggest ASAP.
Thanks in Advance.
Regards
Harish
Harish:
As you may know, traffic between the WLC and APs is encapsulated in a CAPWAP tunnel.
The information inside CAPWAP should tell the WLC which MAC address the AP uses.
The CAPWAP RFC mentions that you can do AP authorization in two ways:
- with certificates
- with a PSK.
The standard does not specify what the PSK should be; however, Cisco seems to use the MAC address of the AP when AP authorization is enabled. The RFC recommends using the MAC address of the AP as the PSK.
2.4.4.4. PSK Usage
When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST
contain the "PSK identity hint" field and the ClientKeyExchange
message MUST contain the "PSK identity" field. These fields are used
to help the WTP select the appropriate PSK for use with the AC, and
then indicate to the AC which key is being used. When PSKs are
provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for
the key MUST be specified.
The PSK Hint SHOULD uniquely identify the AC and the PSK Identity
SHOULD uniquely identify the WTP. It is RECOMMENDED that these hints
and identities be the ASCII HEX-formatted MAC addresses of the
respective devices, since each pairwise combination of WTP and AC
SHOULD have a unique PSK. The PSK Hint and Identity SHOULD be
sufficient to perform authorization, as simply having knowledge of a
PSK does not necessarily imply authorization.
If a single PSK is being used for multiple devices on a CAPWAP
network, which is NOT RECOMMENDED, the PSK Hint and Identity can no
longer be a MAC address, so appropriate hints and identities SHOULD
be selected to identify the group of devices to which the PSK is
provisioned.
You may spend more time reading the CAPWAP RFC if you are interested.
CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt
Hope this answers your concern.
Amjad -
ISE - Machine + user authentication
I've searched forum, community but I couldn't find exactly what I need:
I have a client that wants to use two-step authentication on wireless: first machine authentication to make sure the device is on the domain, and then username/password authentication.
Now, I've read about MAR and EAP chaining, and I understood it all; the only thing I didn't understand is:
If I configure ISE to authenticate the machine, it will allow limited access to the DC (for example).
Then, after that AuthZ profile is applied, what will trigger a new authorization? My understanding is that once MAR is done, the AuthZ profile is applied and authorization is finished.
Now, I am not asking about turning on the laptop, getting the PC on the network, then logging in and then providing the user credentials, etc. I am asking about this scenario:
How should the ISE policy and AuthZ profile look? For example: I come into the office, my wireless card is disabled, I log in to my laptop, then I notice that my wireless card is disabled and enable it. I need machine authentication to happen at that point, plus prompting the user for a username/password to complete registration on wireless.
NAM has already been refused by the client, so I need something that will work on plain Windows 7.
Thanks.
Hello Align-
In your post you are referring to two completely separate and independent solutions:
1. MAR
2. EAP-Chaining
MAR only happens when the machine first boots up and the host presents its machine domain credentials. Then the machine's MAC address is saved in ISE. The MAC is preserved in ISE for as long as configured in the machine timer. Keep in mind that if, let's say, a computer was booted while connected to the wired network, only that MAC address will be authenticated. If the user moves to wireless, the connection will be denied, as ISE will not have any record of the wireless MAC. Along with all of that, you will need another method (usually PEAP) to perform the user authentication. Usually this method is not a very good one to implement, due to the issues listed.
EAP-Chaining, on the other hand, utilizes EAP-FAST and is a multi-phase method during which both machine and user information is passed in a secured TLS tunnel. For that you need to implement Cisco AnyConnect, as it is the only software supplicant that supports it at the moment. For more info you might want to look into Cisco's TrustSec guide:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf
I hope this helps!
Thank you for rating! -
802.1x + Machine Account Authentication = Vulnerability?
Hello forum,
I'm trying to determine the security implications of utilizing 802.1X authentication/authorization with the "Domain Computers" option selected within ACS. The problem I am having with this scenario is this:
1) Client machines are authenticated to the LAN or WLAN based on AD machine account name/password if "Domain Computers" is selected.
2) Windows XP machines will authenticate 802.1x using the machine account name/password by default upon initial boot and upon log-off.
3) Once a machine boots up or someone logs off, the 802.1x port status is placed into "Authorized" using machine account name/password credentials.
4) If you log onto a machine after the port goes "Authorized" (from #3) with a local user or local administrator account, you gain "free access" to the network for < 60 seconds (I've done this many times now and you do in fact gain "free access").
So then the following scenario comes into play; what if:
1) Someone steals a laptop.
2) Compromises a local user or local administrator account on said laptop.
3) Places the laptop onto either the wired or wireless network.
4) Reboots the box.
5) Logs in with the local user or local administrator account and launches a script (they will have free access for < 60 seconds before a re-authentication is forced).
Anyone familiar with this, or any white papers/KBs, is/are greatly appreciated!
Thanks,
Jeremy
A small clarification here about your statement:
"The PC will try machine authentication once it boots up. Once it is entered, the PC initiates 802.1x authentication by sending EAPOL-Start. The AP or switch should change the state of the PC from authenticated to authenticating. Thus, the PC should not get network connectivity unless it passes user authentication again. If you use a local account to log on to the PC, the PC should not pass 802.1x authentication. At least, that's how Cisco equipment works."
This is not up to the Cisco equipment; the AP has no idea the PC is switching between machine and user mode unless the supplicant on the PC restarts the authentication (via EAPOL-Start, as you stated). This is wholly up to the supplicant installed on the PC. So the < 60-second window being seen here is most likely due to slow loading of the user space/desktop.
An option to prevent this would be to use a supplicant that can start before login (such as the Cisco Secure Services Client); that way the user is authenticated before they have access to the desktop.
--Jesse -
802.1x Machine Based Authentication - Password expired
Hi,
I would like to ask one question about machine-based authentication on 802.1X.
1. We are deploying 802.1X for wired users.
2. Some users are using machine-based authentication in order to authenticate their port.
3. However, after the user password expires, the user needs to change their password, and then the machine is unable to authenticate. The error I get is "External DB user invalid or bad password". Then the switch assigns the user to the guest VLAN.
4. But once I unplug the cable and plug the UTP cable back in after the user has logged in, the switch assigns the user to the proper VLAN.
5. The user won't be able to access their share drive, etc., since the guest VLAN only has access to the Internet.
6. Does anyone have any idea what is happening? It seems that the machine is sending the old password to ACS during the authentication process.
Can anybody shed some light on this? Thanks.
This should certainly work with that rev. In your passed (or failed) auth log, you should see the username of the session authenticating. If you see the FQDN of the machine, this is a machine auth. Also, machine auth typically executes before the GINA is displayed to the user. It sounds like machine auth is failing and we need to determine why. Has this machine been away from the domain for long?
This also might help:
http://supportwiki.cisco.com/ViewWiki/index.php/802.1x_authentication_with_Cisco_Secure_Access_Control_Server_fails_to_work_for_Microsoft_Windows_XP_PC -
Sg300 - 802.1x NPS - mac authentication not working
I configured 802.1X on an SG300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
Now I tried to get MAC authentication running; on a 3850X it works without problems, but every Access-Request sent from the SG300 is declined.
My current port configuration on the SG300:
interface fastethernet1
dot1x guest-vlan enable
dot1x max-req 1
dot1x reauthentication
dot1x timeout quiet-period 10
dot1x authentication 802.1x mac
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode access
On the Windows NPS server there is following error to see:
Authentication Details:
Connection Request Policy Name: Secure Wire
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: myradius.local
Authentication Type: -
EAP Type: -
Account Session Identifier: 30353030399999
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
Compared to the message from the 3850, the authentication type (PAP) is missing and a not very helpful error message is displayed...
Still not working.
I tried different settings and (also older) software versions on the SF302-08P.
I also started changing the settings on the NPS (though it is working with the 3850X!), without success.
The NPS reports the following error:
Schannel:
The following fatal alert was received: 40.
EventID 36887
If I search for this error, every source points to certificate errors, but there should not be any certificate involved?!
... is this a bug on the SF302-08P? -
How to do .1x port based network access authentication through ACS
How to do .1x port based network access authentication through ACS.
Hi,
802.1X can authenticate hosts either through a username/password or via the MAC address of the client (PCs, printers, etc.). This process is called Agentless Network Access, which can be done through MAC Auth Bypass.
In this process the 802.1X switch port sends the MAC address of the connected PC to the RADIUS server for authentication. If the RADIUS server has the MAC address in its database, the authentication succeeds and the PC is granted network access.
To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
Regards,
Kush -
I am currently using WPA2-PSK. I want to add another layer of security. I know I could do EAP. I am also looking at MAC authentication, but I want to host the MAC list on an ACS server. Setting the MAC addresses on the ACS server is pretty cut and dried, but how can I configure the AP to look to the ACS server for its MAC list? And how can I get WPA2-PSK and MAC authentication to work together?
Hi Jared,
you can do this by setting up the following:
Web interface:
1. Security -> Server Manager
Set up the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
2. Security -> Advanced Security
In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
IOS Interface from config mode:
aaa group server radius rad_mac
server 10.20.40.37 auth-port 1645 acct-port 1646
and
aaa authentication login mac_methods group rad_mac
or
aaa authentication login mac_methods group rad_mac local (for local fallback)
I have not tested this, because the MAC of the supplicant is too easy to sniff and any medium-skilled person may use a sniffed MAC to get through the first authentication stage!
Better to use a setup with EAP-FAST or PEAP!
I hope that helps.
Best regards,
Frank
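The MAB exchange that Kush describes above (the switch port or AP sends the client MAC to RADIUS as User-Name and User-Password, and the server looks it up) and the AP-to-ACS MAC authentication that Frank configures are the same RADIUS transaction. The script below is an added example, not code from any of the posts or from Cisco: it builds the Access-Request the way a NAS does (User-Password obfuscated per RFC 2865 section 5.2, i.e. PAP, which is why the NPS log for a working MAB request shows authentication type PAP), then performs the server-side check of decrypting the password, requiring it to equal User-Name, and normalising the MAC so that colon, hyphen, dotted and stray-whitespace spellings (the "phantom character" problem in the first post) all resolve to one database entry. The shared secret, the sample MACs and the allow-list are constructed for the demo; the Calling-Station-Id formatting is an assumption, since NAS vendors differ.

```python
"""Added example: 802.1X MAC Authentication Bypass (MAB) over RADIUS, both sides.
NAS side builds an Access-Request with the client MAC as User-Name and as a PAP
User-Password; server side decrypts, checks password == username, looks it up.
All secrets, MACs and the allow-list are constructed for this demo."""
import hashlib
import os
import re
import struct
from typing import Dict, Optional, Set

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CALLING_STATION_ID = 31


def normalize_mac(mac: str) -> str:
    """Canonical MAC: 12 lowercase hex digits, no separators. Accepts
    aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and tolerates stray
    whitespace or control characters pasted into a database entry."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits.lower()


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the
    Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def pap_decrypt(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; chains on the ciphertext block, strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(encrypted[i:i + 16], pad))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")


def build_mab_request(mac: str, secret: bytes, identifier: int = 1,
                      authenticator: Optional[bytes] = None) -> bytes:
    """What a MAB-enabled switch port or AP sends to RADIUS for a client MAC."""
    authenticator = authenticator or os.urandom(16)
    mac = normalize_mac(mac)
    user = mac.encode()
    # Calling-Station-Id format is an assumption; NAS vendors format it differently.
    calling = "-".join(mac[i:i + 2] for i in range(0, 12, 2)).upper().encode()
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, user),
                             (ATTR_USER_PASSWORD, pap_encrypt(user, secret, authenticator)),
                             (ATTR_CALLING_STATION_ID, calling)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    """Split the attribute TLVs that follow the 20-byte RADIUS header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def mab_authorize(packet: bytes, secret: bytes, allowed: Set[str]) -> bool:
    """Server-side MAB decision: True (Access-Accept) only if the decrypted
    User-Password equals User-Name, both parse as a MAC, and it is allow-listed."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet):
        return False
    authenticator = packet[4:20]
    try:
        attrs = parse_attrs(packet)
        name = normalize_mac(attrs[ATTR_USER_NAME].decode("ascii"))
        plain = pap_decrypt(attrs[ATTR_USER_PASSWORD], secret, authenticator)
        password = normalize_mac(plain.decode("ascii"))
    except (KeyError, ValueError, UnicodeDecodeError):
        return False  # wrong shared secret decrypts to junk and ends up here
    return name == password and name in allowed


if __name__ == "__main__":
    SECRET = b"demo-shared-secret"
    # Allow-list as an admin might type it: mixed separators and a stray space.
    DATABASE = {normalize_mac(m) for m in ("00:11:22:AA:BB:CC", "0011.22aa.bbcd ", "00-11-22-aa-bb-ce")}
    for client in ("0011.22AA.BBCC", "00:11:22:aa:bb:ce", "00:11:22:aa:bb:cf"):
        verdict = mab_authorize(build_mab_request(client, SECRET), SECRET, DATABASE)
        print(client, "->", "Access-Accept" if verdict else "Access-Reject")
```

Two things the code makes concrete that the posts only hint at: the "password" in a MAB request carries no secret at all (it is the MAC the attacker can read off the air or the wire, exactly Frank's objection), and the only thing protecting the exchange is the NAS-to-RADIUS shared secret, so a mismatched secret fails as a decode error rather than a clean "bad password".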