Machine MAC authentication by ACS

Hi,
I have 1 AP 1240 & ACS 4.1 Solution Engine.
I want to authenticate internal users by their MAC addresses (which are created in the ACS database) after they select the appropriate SSID from the AP.
Let me give you an idea of the setup & config:
I have a DHCP server in the network from where users will get IP addresses.
I have created 2 VLANs in the switch & made the port that is connected to the AP a "Trunk". VLAN 1 is the native VLAN (the AP & ACS are assigned IP addresses from the native VLAN range) & VLAN 2 is for internal users.
Radio interfaces are mapped to the VLAN ID & the SSID is mapped to the VLAN as well in the AP.
MAC addresses are configured in ACS (without any space, comma or special character; the MAC addresses are entered manually in the ACS to avoid the generation of any phantom character).
The problem is "Users are not getting IP addresses from the DHCP pool created in the switch" after selecting the SSID.
Please try to help me out with this...

You can try to disable Aironet extensions & enable the SSID as a guest-mode SSID. Also, try changing the data rates to "enable". Otherwise, configure MAC authentication and disable the SSID as a guest-mode SSID.

Similar Messages

  • MAC authentication failed for Wired Users

    Hi,
    I tried to configure MAC authentication for registered users by ACS. But it failed. Need help.

    OK, I got your point. Please correct my config steps:
    1. Added the switch as an AAA client into ACS.
    2. Entered the machine MAC address into the ACS user setup as both username & password.
    3. In attributes 64, 65 & 81 (in both group & user setup) chose 64=VLAN; 65=802; 81=authenticated_vlan_id.
    4. in switch
    aaa new-model
    aaa authentication dot1x default group radius
    radius-server host acs_ip auth-port 1645 acct-port 1646 key ****
    dot1x system-auth-control
    int fa0/1
    switchport mode access
    dot1x mac-auth-bypass
    dot1x port-control auto
    dot1x reauthentication
    dot1x pae authenticator
    dot1x guest-vlan 900
    Note: Whenever I issue the command "port-control auto", the line protocol of the port goes down.
    5. On the end machine, disable IEEE 802.1x authentication.
    I will try this setting tomorrow & update you accordingly.

  • Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

    Hi experts,
    I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
    i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario:
    Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time staff plug into the company's network, they will need to supply a username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff member's user profile in ACS. If the login information supplied by the staff member is valid but the MAC address of their machine does not match the ACS database, then the staff member will not be able to gain access until after notifying the administrator about it.
    ii. If it is possible, is there any reference that I can check on how to configure this?
    The reason why I need MAC authentication + 802.1x to be configured at ACS is that most of our switches are not Cisco based and are only capable of supporting 802.1x.
    Hope anyone here could help me on this.
    Thanks very much,
    Daniel

    With ACS, you can set up NARs (Network Access Restrictions) to permit/deny access based on IP-based or non-IP-based filters (like MAC addresses).
    Specific info is here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
    Hope this helps,

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as the supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get WinXP to machine-authenticate against AD using certificates so the machine is reachable via, for example, ping, and it can also get GPO updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the home directory and so on.
    I have set up a Windows Certificate server, and the client (WinXP) is receiving both machine and user certificates just fine.
    I have also managed to set things up so Machine Authentication works, by setting up a policy rule that checks on the certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set the EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now.
    What I needed to do was to add a new Certificate Authentication Profile that checks against the Subject Alternative Name, because that was the only thing I could find that was the same in both the user certificate and the machine certificate.
    After adding that profile to the Identity Store Sequences, and making the appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in the Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.
    That would have plugged a few security holes for me.

  • 802.1x authentication with ACS 4.1 for MAC OSX

    Hi,
    I simply wanted to know if it's possible to have 802.1x authentication with Mac OS X on the ACS 4.1 platform?
    If yes, what are the prerequisites on ACS and Mac OS X? Which authentication methods are recommended?
    I'm sorry, but I can't find documents which show a validated test of an 802.1x implementation method on ACS 4.1 with a Mac OS X supplicant.
    Thanks in advance
    Best regards
    Thanks

    Yes. Refer to the document below:
    http://support.apple.com/kb/HT2717
    Port settings and ACS configuration remain the same as you do them for Windows-based clients.

  • ACS Server MAC Authentication with Windows Database

    Has anyone set up an ACS Server 3.2 for MAC authentication using Windows as the authentication database? The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.

    Here is the link for setting up MAC authentication using the CiscoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml

  • Urgent 802.1x and MAC-Authentication Problem

    Hi all
    I want to deploy MAC authentication in my network, and I have 3000 users. In the lab the authentication for the machine takes:
    Vista : 15 - 20 seconds
    XP : 30 - 35 seconds
    Is there any way to reduce this time to less than 10 seconds? My user count is 3000; will the time increase because of this?
    Please help me.
    Thanks and Best Regards
    amady

  • MAC Authentication does not work

    My MAC Authentication does not work.
    I have an ACS 3.0 server set up. The MAC address is set in the user name field and in the password field.
    I can ping the ACS, I can ping my AP, I can ping my client.
    I don't want WEP and I don't want LEAP, just MAC. So I set my authentication to "Open with MAC". My client has WEP set to NO WEP and authentication to OPEN.
    I have the latest drivers for both the AP and my 350 Client.
    I see that the client is associating and disassociating back and forth non-stop. My AP log is full of the following message:
    Station 0009.7c9f.xxxx Authentication failed
    This is my config:
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname GOM_1200IOS
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    server 10.1.2.197 auth-port 1812 acct-port 1812
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa group server radius wlccp_rad_infra
    aaa group server radius wlccp_rad_eap
    aaa group server radius wlccp_rad_leap
    aaa group server radius wlccp_rad_mac
    aaa group server radius wlccp_rad_any
    aaa group server radius wlccp_rad_acct
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication login wlccp_infra group wlccp_rad_infra
    aaa authentication login wlccp_eap_client group wlccp_rad_eap
    aaa authentication login wlccp_leap_client group wlccp_rad_leap
    aaa authentication login wlccp_mac_client group wlccp_rad_mac
    aaa authentication login wlccp_any_client group wlccp_rad_any
    aaa authorization exec default local
    aaa authorization ipmobile default group rad_pmip
    aaa accounting network acct_methods start-stop group rad_acct
    aaa accounting network wlccp_acct_client start-stop group wlccp_rad_acct
    aaa session-id common
    enable secret xxxxxx
    username Cisco password xxxx
    ip subnet-zero
    iapp standby timeout 5
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption key 1 size 40bit 7 9DF1C10BF11A transmit-key
    ssid GOM_1230
    authentication open mac-address mac_methods
    speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
    rts threshold 2312
    channel 2462
    station-role root
    no cdp enable
    dot1x reauth-period server
    dot1x client-timeout 600
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no cdp enable
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 172.16.43.45 255.255.240.0
    no ip route-cache
    ip default-gateway 172.16.47.254
    ip http server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
    ip radius source-interface BVI1
    access-list 700 permit 000a.b74c.e8c9 0000.0000.0000
    access-list 700 permit 0009.7c9f.d6e0 0000.0000.0000
    access-list 700 permit 0006.25b1.2f79 0000.0000.0000
    access-list 700 permit 000a.b78b.2d19 0000.0000.0000
    access-list 700 permit 000b.5f6e.77c8 0000.0000.0000
    access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
    access-list 701 deny 000b.5f6e.77c8 0000.0000.0000
    access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
    no cdp run
    snmp-server community GOM_AP1230 RO
    snmp-server enable traps tty
    radius-server local
    group AP1230
    user brazil nthash 7 1249523544595F517972017912677A3055325A25770B08770D5C5B4E4478087605 group AP1230
    radius-server host 10.1.2.197 auth-port 1812 acct-port 1812 key 7 00233C2B
    radius-server retransmit 3
    radius-server attribute 32 include-in-access-req format %h
    radius-server authorization permit missing Service-Type
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 5 15
    end
    What is wrong?
    Thanks very much for your help.

    I figured out what was wrong so thank you for stopping by.
    I will publish the config for other people to see.
    Regards,

  • AP Authentication via ACS.

    Hi All,
    Just a basic question regarding MAC-based authentication of APs with ACS.
    The scenario is: I have an ACS installed and I want all my Cisco 3502 APs to be authenticated on a MAC basis via ACS. I know that the AP MAC is used as the username and password at ACS so that whenever we plug a new AP into the network, it gets authenticated via ACS first, and only if the AP is authorised to be used in the network does it get an IP address from DHCP.
    My question is: what will happen if the AP is connected in local mode at a remote location and the WLC, ACS & DHCP are in the datacenter? The traffic coming from the remote location will pass through the remote-site router, and during that pass it will remove the source MAC address of the AP and put the router interface MAC address as the source, so how will the ACS authenticate the AP in that case?
    When working in a LAN I know it's possible, but how will it work over the WAN?
    Please suggest ASAP.
    Thanks in Advance.
    Regards
    Harish

    Harish:
    As you may know, traffic between the WLC and APs is encapsulated in a CAPWAP tunnel.
    The information inside the CAPWAP should tell the WLC what MAC address the AP uses.
    The CAPWAP RFC mentions that you can do AP authorization in two ways:
    - with certificates
    - with PSK.
    The standard does not imply what the PSK should be; however, Cisco seems to use the MAC address of the AP when AP authorization is enabled. The RFC recommends using the MAC address of the AP as the PSK identity.
    2.4.4.4.  PSK Usage
       When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST
       contain the "PSK identity hint" field and the ClientKeyExchange
       message MUST contain the "PSK identity" field.  These fields are used
       to help the WTP select the appropriate PSK for use with the AC, and
       then indicate to the AC which key is being used.  When PSKs are
       provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for
       the key MUST be specified.
       The PSK Hint SHOULD uniquely identify the AC and the PSK Identity
       SHOULD uniquely identify the WTP.  It is RECOMMENDED that these hints
       and identities be the ASCII HEX-formatted MAC addresses of the
       respective devices, since each pairwise combination of WTP and AC
       SHOULD have a unique PSK.  The PSK Hint and Identity SHOULD be
       sufficient to perform authorization, as simply having knowledge of a
       PSK does not necessarily imply authorization.
       If a single PSK is being used for multiple devices on a CAPWAP
       network, which is NOT RECOMMENDED, the PSK Hint and Identity can no
       longer be a MAC address, so appropriate hints and identities SHOULD
       be selected to identify the group of devices to which the PSK is
       provisioned
    You may spend more time reading the CAPWAP RFC if you are interested.
    CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt
    Hope this answers your concern.
    Amjad

  • ISE - Machine + user authentication

    I've searched the forum and the community but I couldn't find exactly what I need:
    I have a client that wants to use two-step authentication on wireless: first machine authentication to make sure that the device is on the domain and then username/password authentication.
    Now, I've read about MAR and EAP chaining, and I understood it all; the only thing I didn't understand is:
    If I configure ISE to authenticate the machine, it will allow limited access to the DC (for example).
    Then, after that AuthZ profile is applied, what will trigger a new authorization? My understanding is once MAR is done, the AuthZ profile is applied and authorization is finished.
    Now, I am not asking about turning on the laptop, getting the PC on the network, then logging in and then providing the user credentials, etc. I am asking about this scenario:
    How should the ISE policy and AuthZ profile look, for example, if I come into the office, my wireless card is disabled, I log in to my laptop, then I notice that my wireless card is disabled and now I enable it? I need to have machine authentication happening at that point + prompting the user for username/password to complete registration on wireless.
    NAM has already been refused by the client, so I need something that will work on plain Windows 7.
    Thanks.

    Hello Align-
    In your post you are referring to two completely separate and independent solutions:
    1. MAR
    2. EAP-Chaining
    MAR only happens when the machine first boots up and the host presents its machine domain credentials. Then the machine MAC address is saved in ISE. The MAC is preserved in ISE as long as configured in the machine timer. Keep in mind that if, let's say, a computer was booted while connected on the wired network, only that MAC address will be authenticated. If the user moves to wireless, the connection will be denied as ISE will not have any record of the wireless MAC. Along with all of that, you will need another method (usually PEAP) to perform the user authentication. Usually this method is not a very good one to implement due to the issues listed.
    EAP-Chaining, on the other hand, utilizes EAP-FAST and it is a multi-phase method during which both machine and user information is passed in a secured TLS tunnel. For that you need to implement Cisco AnyConnect as it is the only software supplicant that supports it at the moment. For more info you might want to look into Cisco's TrustSec guide:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf
    I hope this helps!
    Thank you for rating!

  • 802.1x + Machine Account Authentication = Vulnerability?

    Hello forum,
    I'm trying to determine the security implications of utilizing 802.1x authentication/authorization with the "Domain Computers" option selected within ACS. The problem I am having with this scenario is this:
    1) Client machines are authenticated to the LAN or WLAN based on the AD machine account name/password if "Domain Computers" is selected.
    2) Windows XP machines will authenticate 802.1x using the machine account name/password by default upon initial boot and upon log-off.
    3) Once a machine boots up or someone logs off, the 802.1x port status is placed into "Authorized" using machine account name/password credentials.
    4) If you log onto a machine after the port goes "Authorized" (from #3) with a local user or local administrator account you gain "free access" to the network for < 60 seconds (I've done this many times now and you do in fact gain "free access.")
    So then the following scenario comes into play, what if:
    1) Someone steals a laptop.
    2) Compromises a local user or local administrator account on said laptop.
    3) Places the laptop onto either the wired or wireless network.
    4) Reboots the box.
    5) Logs in with the local user or local administrator and launches a script (they will have free access for < 60 seconds before a re-authentication is forced).
    Anyone familiar with this, or any white papers/KBs, is/are greatly appreciated!
    Thanks,
    Jeremy

    A small clarification here about your statement:
    "The PC will try machine authentication once it boots up. Once  is entered, the PC initiates 802.1x authentication by sending EAPOL start. The AP or switch should change the state of the PC from authenticated to authenticating. Thus, the PC should not get network connectivity unless it passes user authentication again. If you use a local account to log on to the PC, the PC should not pass 802.1x authentication. At least, that's how Cisco equipment works."
    This is not up to Cisco equipment; the AP has no idea the PC is switching between machine and user mode unless the supplicant on the PC restarts the authentication (via EAPOL-Start as you stated). This is wholly up to the supplicant installed on the PC. So the < 60 second window that is being seen here is most likely due to slow loading of the user space/desktop.
    An option to prevent this would be to use a supplicant that can start before login (such as the Cisco Secure Services Client); that way the user is authenticated before they have access to the desktop.
    --Jesse

  • 802.1x Machine Based Authentication - Password expired

    Hi,
    I would like to ask 1 question about machine-based authentication on 802.1x.
    1. We are deploying 802.1x on wired users.
    2. Some users are using machine-based authentication in order to authenticate their port.
    3. However, after the user's password expires, the user needs to change their password and then the machine is unable to authenticate. The error I got is "External DB user invalid or bad password". Then the switch assigns the user to the Guest VLAN.
    4. But, once I unplug the UTP cable and plug it back in after the user logs in, the switch assigns the user to the proper VLAN.
    5. Users won't be able to access their shared drive, etc., since the guest VLAN only has access to the internet.
    6. Does anyone have any idea what is happening? It seems that the machine is sending the old password to the ACS during the authentication process.
    Can anybody shed some light on this for me? Thanks.

    This should certainly work with that rev. On your passed (or failed) auth log, you should see the username of the session authenticating. If you see the FQDN of the machine, this is a machine auth. Also, machine-auth typically executes before the GINA is displayed to the user. It sounds like machine-auth is failing and we need to determine why. Has this machine been away from the domain for long?
    This also might help:
    http://supportwiki.cisco.com/ViewWiki/index.php/802.1x_authentication_with_Cisco_Secure_Access_Control_Server_fails_to_work_for_Microsoft_Windows_XP_PC

  • Sg300 - 802.1x NPS - mac authentication not working

    I configured 802.1x on an SG300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
    Now I tried to get MAC authentication running; on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
    My current port configuration on the SG300:
    interface fastethernet1
     dot1x guest-vlan enable
     dot1x max-req 1
     dot1x reauthentication
     dot1x timeout quiet-period 10
     dot1x authentication 802.1x mac
     dot1x radius-attributes vlan static
     dot1x port-control auto
     switchport mode access
    On the Windows NPS server the following error is shown:
    Authentication Details:
        Connection Request Policy Name:    Secure Wire
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        myradius.local
        Authentication Type:        -
        EAP Type:            -
        Account Session Identifier:        30353030399999
        Reason Code:            1
        Reason:                An internal error occurred. Check the system event log for additional information.
    Compared to the message from the 3850, the authentication type (PAP) is missing, and a not very helpful error message is displayed...

    Still not working.
    I tried different settings and (also older) software versions on the SF302-08P.
    Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
    The NPS reports following error:
    Schannel:
    The following fatal alert was received: 40.
    EventID 36887
    If I search for this error, every source points to certificate errors, but there should not be any certificate involved?!
    ... is this a bug on the SF302-08P?

  • How to do .1x port based network access authentication through ACS

    How to do .1x port based network access authentication through ACS.

    Hi,
    802.1x can authenticate hosts either through a username/password or via the MAC address of the clients (PCs, printers, etc.). This process is called Agentless Network Access, which can be done through MAC Authentication Bypass.
    In this process the 802.1x switchport sends the MAC address of the connected PC to the RADIUS server for authentication. If the RADIUS server has the MAC address in its database, the authentication is successful and the PC is granted network access.
    To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
    To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
    Regards,
    Kush
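    As an added illustration (not code from the thread, from Cisco or from ACS itself) of the MAB check Kush describes, and of the VLAN attributes 64/65/81 an earlier post configures, here is a small Python emulation of the RADIUS server's side of one Access-Request. The MAC store, shared secret and Request Authenticator are constructed sample values; the Calling-Station-Id cross-check is an extra consistency test, not something ACS is documented to do.

```python
import hashlib
import re
from typing import Optional

# Constructed MAB store standing in for the ACS user-setup entries the thread
# describes (MAC as both username and password). Sample MACs, not real devices.
MAB_STORE = {
    "000ab74ce8c9": {"vlan": 2},   # "internal users" VLAN from the first post
    "00097c9fd6e0": {"vlan": 2},
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Accepts the Cisco dotted form (0009.7c9f.d6e0), colon and hyphen forms and
    bare hex, and drops stray whitespace (the "phantom characters" the first
    post worries about when MACs are pasted into ACS).
    """
    digits = re.sub(r"[\s:.\-]", "", raw.strip().lower())
    return digits if _HEX12.match(digits) else None


def pap_encode(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password as RFC 2865 section 5.2 specifies (MD5 XOR chain)."""
    plain = password.encode()
    plain += b"\x00" * (-len(plain) % 16)          # pad to 16-byte blocks
    hidden, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(plain[i:i + 16], block))
        hidden, prev = hidden + chunk, chunk
    return hidden


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Reverse pap_encode on the server side."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return plain.rstrip(b"\x00").decode()


def mab_decide(user_name: str, hidden_password: bytes,
               calling_station_id: Optional[str],
               secret: bytes, authenticator: bytes):
    """Emulate the RADIUS server's MAB decision for one Access-Request.

    Returns ("Access-Accept", tunnel attributes) or ("Access-Reject", reason).
    As Frank notes later in the thread, a MAC is easy to spoof, so a match here
    identifies a device; it does not strongly authenticate it.
    """
    mac = normalize_mac(user_name)
    if mac is None:
        return "Access-Reject", "User-Name is not a MAC address"
    if normalize_mac(pap_decode(hidden_password, secret, authenticator)) != mac:
        return "Access-Reject", "User-Password does not match User-Name"
    if calling_station_id is not None and normalize_mac(calling_station_id) != mac:
        return "Access-Reject", "Calling-Station-Id disagrees with User-Name"
    entry = MAB_STORE.get(mac)
    if entry is None:
        return "Access-Reject", "MAC not in store"
    return "Access-Accept", {
        "Tunnel-Type": "VLAN",                          # attribute 64
        "Tunnel-Medium-Type": "IEEE-802",               # attribute 65
        "Tunnel-Private-Group-ID": str(entry["vlan"]),  # attribute 81
    }


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # sample only
    authenticator = bytes(range(16))        # sample Request Authenticator
    for name in ("0009.7c9f.d6e0", "00-0A-B7-4C-E8-C9", "0009.7c9f.d6e1", "user1"):
        hidden = pap_encode(name, secret, authenticator)
        print(name, "->", mab_decide(name, hidden, name, secret, authenticator))
```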

  • WPA2 and mac authentication

    I am currently using WPA2-PSK. I want to add another layer of security. I know I could do EAP. I am also looking at MAC authentication. But I want to host the MAC list on an ACS server. Setting the MAC addresses on the ACS server is pretty cut and dry, but how can I configure the AP to look to the ACS server for its MAC list? And, how can I get WPA2-PSK and MAC authentication to work together?

    Hi Jared,
    You can do this by setting up the following:
    Web interface:
    1. Security -> Server Manager
    Set up the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
    2. Security -> Advanced Security
    In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
    IOS Interface from config mode:
    aaa group server radius rad_mac
    server 10.20.40.37 auth-port 1645 acct-port 1646
    and
    aaa authentication login mac_methods group rad_mac
    or
    aaa authentication login mac_methods group rad_mac local (for local fallback)
    I have not tested this, because the MAC of the supplicants is too easy to sniff, and any medium-skilled person could use a sniffed MAC to pass the first authentication stage!
    Better use a setup with EAP-FAST or PEAP!
    I hope that helps.
    Best regards,
    Frank