PEAP authentication with MAC filtering

Similar Messages

• 802.1x deployment with MAC filtering

  Hi All
  I read "Enhance your 802.1x deployment security with MAC filtering" on NAP blogs with link as below.
  http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx
  I am wondering this tip might not be correct somehow and would like to know how to imployment it correctly.
  First of all, there is only a "Verify Caller ID" field in "dial-in" tab of user properties, not "Calling Station ID". I tried to add MAC address in this field and the authenticaiton works.
  As the description of the tip, we can add multiple MAC addresses in that field but it doesn't work. I tried to use
  "AA-BB-CC-DD-EE-FF | BB-AA-FF-EE-DD-CC" format as multiple MAC address and IAS always responce error with wrong calling staiton ID. Does anyone know how to correctly add multiple MAC addresses in "Verify Caller ID"?
  Thanks

  Hi Sam
  Thank you for your reply.
  I would like to explain why I want to use multiple MAC addresses authenticaiton for an account on a singel AD.
  Genereally, 802.1X can be imploymeted for wired and wireless authenticaiton on many network devices in a company or entriprise. An employee in a company or entriprise is supposed to have only one account but might have multiple devices such as a PC, laptop, or PDA. For the convenience of authenticaiton imployment, I think I should only create an account for that person and make a MAC filtering for any devices he is autrorized to use.
  I had tried the first example you mention but it didn't work. The switch and wireless gateway I used for test only sent one MAC address (calling station  ID) to AD and AD only recognized the first MAC address of all MAC addresses I key in. Of course, your example can be succesful if the device sends multiple MAC addresses simultaneously because AD thinks the those "MAC addresses" is just one string or one calling staiton ID. But that's is not what I want.
  Anyway, I will try the second way you suggest.
  Thanks a lot.

• Domain authentication with mac address restrictions

  I am in a branch office and I have one WLC 5508 and one ACS 4.2 with three WLANs:
  WLAN1 with SSID1: for company computers and laptops
  WLAN2 with SSID2: for ipads and tablets
  WLAN3 with SSID3:  for guests
  I am asked to configure WLAN2 as “WLAN2: Provides the Wi-Fi connectivity to ipads and tablets, with back end security using domain authentication with mac address restrictions.

  You would need to create a seperate policy and be able to have a seperation between the two policies... It's kind of hard to explain, but you would have for example:
  Policy 1:
  Wireless user on this SSID WLAN1
  AD on this AD Group (Machine)
  Policy 2:
  Wireless user on this SSID WLAN 2
  AD on this AD Group (USer)
  Thanks,
  Scott
  *****Help out other by using the rating system and marking answered questions as "Answered"*****

• WLC 5760 multiple SSIDs with MAC filtering

  Dear All,
  I am implementing a wireless network with 5760 WLCs. The client requires a few SSIDs with MAC-based authentication. So I created different MAC filters using the commands "aaa authorization network MAC_FILTER01 local", "aaa authorization network MAC_FILTER02 local" etc
  These filters are bound to different SSIDs using the commands "mac-filtering MAC_FILTER01" "mac-filtering MAC_FILTER02" etc. and users are added to their required MAC filters using the commands "username <mac-address> mac aaa attribute list MAC_FILTER01", "username <mac-address> mac aaa attribute list MAC_FILTER02" etc.
  Now I am facing a serious issue - users belonging to any one MAC filter can connect to the all SSIDs. It seems like the MAC addresses added to the controller under different filter names are going to a common database, thereby providing access to users to all SSIDs irrespective of their MAC filter.
  Is it a limitation of local database of 5760? Has anyone faced the same issue? How can I implement independent MAC filters bound to different SSIDs?
  Thanks,
  Arun John

  Hi Arun,
  this feature currently does not exist on the  5760. it is due to release in one of the MR's of 3.6
  -Joseph

• Aironet 600 with Mac Filtering and a switch..

  How does the Aironet 600 handle Mac Filtering if I were to connect a switch to port 4 on the back ("Secured" network port). Does it authenticate each MAC or does it do somthing similar to how 802.1x with multi-host works, the first mac authenticates and then the port's wide open? My use-case here is a printer at a remote home-office. The printer doesn't have a supplicant in it so I need to use mac filtering. Thanks.

  MAC authentication is all I use for my OutStationed workers.  No wifi, just the rlan.  Since the rlan is configured for DHCP only, no IP gets passed until MAC auth occurs.
  When Cisco packaged this up, they said 4 is enough..  IF you use an un-managed (non-cisco) switch. 
  I had a need for 2 workstations and 2 digiports..  SOP sys a managed switch..  oops.  the switch consumed 2 MAC's right off the top.. 1 for itself and 1 for each vlan.
  After enablilng 2 rlans, and configuring a pair on different networks, we discovered that they were bridged in the 602 (or somewhere).
  We ended up switching out the 602 for an ASA5505

• 802.1x authentication with mac address

  Hi guys,
  there is a strange requirement from one of our customer,
  they want us to do 802.1x with mac address authentication and they dont want the pop-ups which ask
  for username, password and domain.
  is it possible??
  can i avoid popping up the username password with 802.1x and that too with mac address???
  Any help would be greatly appreciated
  Thanks
  Jvalin

  Hi,
  The feature which you are looking for is possible in case of wired 802.1x. This feature is called as the MAC-Auth Bypass and is done mostly if the client machine is not 802.1x capable. However nowerdays it is used even if the machine is 802.1x capable.In this we enter the MAC address of the machine in the user database e.g. Active Directory. When you connect the client machine to the Switch, if we have MAC-Auth Bypass enabled on the port, it would take the MAC address of the machine as the username without any prompt for username and password.
  A windows server admin can easily push a group policy which disables the 802.1x on the client machine and it would only respond to the MAC-Auth Bypass.But first you would have to make sure your switch has the Mac-Auth Bypass in the IOS.
  For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
  Regards,
  Kush

• Web Auth with Mac Filtering

  I am trying to setup a scenario where a user logs in via Web Auth and witha  successfull connection the Mac Address is remembered for 7 days. That way if the user connects again during the course of 7 days they aren't required to authenticate via web auth again they just get access. After 7 days they will need to login again through the web auth. Similar scenario to what you see at a Hotel wireless network. Anyone know how I would go about setting up the dyanmic mac filtering and set the timer for 7 days? With that said I want it to be for a single SSID.

  well, it's not possible with just the WLC.
  You can do it, but you need to have a way to pull the MAC address from the webauth page, and insert that into a LDAP db, which you control the age out process in.
  Then on a subsequent visits they get mac-authed instead of having to re-accept the page.
  in the webauth config you would check the On MAC filter failure box.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• Client unable to connect AP with MAC filtering

  I need some help from you, I found problem that some clients cannot connect to AP( but some client can connect as normal). As I checked from logs, I see a lot of messages as below:
  Nov 18 01:13:55.760: %DOT11-4-MAXRETRIES: Packet to client 0023.68be.1c88 reached max retries, removing the client
  Nov 18 01:13:55.760: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.68be.1c88 Reason: Previous authentication no longer valid
  Nov 18 01:13:55.763: %DOT11-4-MAXRETRIES: Packet to client 0023.68be.1c88 reached max retries, removing the client
  After that I tried to reload AP and then it can connect as normal but I found the log that it roaming to another AP in the same SSID as log below:
  Nov 21 08:52:12.147: %DOT11-6-ROAMED: Station 0023.68be.1c88 Roamed to 003a.99e6.6860
  Nov 21 08:54:33.855: %DOT11-6-ROAMED: Station 0023.68be.1c88 Roamed to 003a.99e6.6860
  Nov 21 09:04:34.495: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0023.68be.1c88 Reassociated KEY_MGMT[NONE]
  Nov 21 09:04:39.097: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.68be.1c88 Reason: Sending station has left the BSS
  Nov 21 09:04:39.103: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0023.68be.1c88 Reassociated KEY_MGMT[NONE]
  Nov 21 09:04:42.309: %DOT11-4-MAXRETRIES: Packet to client 0023.68be.1c88 reached max retries, removing the client
  Nov 21 09:04:42.309: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.68be.1c88 Reason: Previous authentication no longer valid
  Nov 21 09:04:42.315: %DOT11-4-MAXRETRIES: Packet to client 0023.68be.1c88 reached max retries, removing the client
  I've check from CISCO document, this problem may be from Radio Interference, so please help to investigate and find out the root cause that why some clients cannot connect to AP at that time and how to prevent this problem occurred again.
  Thank you in advance.

  Hi @Krish1840 , and thanks for the reply!
  Do the pages come out blank when making a copy as well?
  I would suggest deleting the printer from your print system, using this document: Uninstalling the Printer Software.
  Once you have deleted it, I would suggest verifying and repairing the disk permissions: About Disk Utility's Repair Disk Permissions feature.
  I would also suggest running your Apple updates:  OS X: Updating OS X and Mac App Store apps
  After the updates, I would recommend readding the printer via OS X v10.9 Mavericks: Installing and Using the Printer on a Mac
  Good luck and please let me know how it goes!
  Please click “Accept as Solution " if you feel my post solved your issue, it will help others find the solution.
  Click the “Kudos, Thumbs Up" on the right to say “Thanks" for helping!
  Jamieson
  I work on behalf of HP
  "Remember, I'm pulling for you, we're all in this together!" - Red Green.

• Safari authentication with web filters

  safari cant authenticate with web filter agent.  running active directory

  Im having the same issue at work.
  see my post and let me know if it is kind of the same issue.
  https://discussions.apple.com/message/16418518#16418518
  thanks,

• WLC 4402 Web Authentication, Mac Filtering and Layer 2 Seciruty

  Hi All,
  I have configured web authentication and Mac filtering on WLC 4402 for my wireless network and its working fine. I wants to configure layer 2 security for the same Wireless network without pre shared key. Could you please advice how to configure layer 2 security with web authentication withour preshare key.
  Is there any security issue with web authentication and Mac FIltering only? My concern in my wireless network shows open.
  Thanks,
  Kashif

  Hi,
  if you have a ACS, then you can do Web auth Splash page!!! Please refer to the below doc!!
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080956185.shtml
  Lemme know if this answered ur question!!
  Regards
  Surendra

• 802.1x authentication with ACS 4.1 for MAC OSX

  Hi,
  I simply wanted to know if it's possible to have 802.1x authentication with MAC OSx on ACS Plateform 4.1?
  If yes, what pre-required on ACS and MAC OSx? Methods of authentification which are recommended ?
  I'm sorry, but i don't find documents which show validated test on 802.1x implementation method on ACS 4.1 with MAC OSx supplicant.
  Thanks in advance
  Best regards
  Thanks

  Yes, Refer to the below DOC
  http://support.apple.com/kb/HT2717
  Port settings and ACS configuration remain the same as you do it for windows based clients

• WPA PSK doesn't work with MAC Authentication. AP1231G

  Hi, yesterday I've installed an Aironet Access Point 1200 series AP1231G for the first time.
  I'd like to use MAC Authentication with an WPA Pre-Shared Key. But it doesn't work. If I choose "Open Authentication with MAC Authentication", I can't type an WPA Pre-Shared Key. The system doesn't keep it.
  It only works with "Open Authentication" without MAC-Filter.
  Settings:
  Encryption Manager: TKIP
  SSID Manager
  1. Client Authentication: Open Authentication with MAC Authentication
  2. Key Managemnet: Mandatory WPA + WPA Pre-Shared-Key
  If I type in a Pre-Shared-Key and click on "Apply", the Pre-Shared-Key get loss.

  Tina,
  In Cisco IOS releases 12.3(4)JA and later, you cannot enable both MAC-address authentication and WPA-PSK.
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00804e7d09.html#wp1034916

• OEAP Remote LAN & MAC Filtering

  I am currently trying to set up the Remote LAN feature with MAC Filtering with WLC & ISE. I want to use Central Web Authentication, but the client connected to the wired port 4 of the OEAP does not get redirected. On the WLC I see the correct web redirect URL and ACL being applied (client details), but the redirect on the client itself is not taking place. The RADIUS NAC state of the wired client is also shown as "RUN" instead of the expected "CENTRAL_WEBAUTH_REQD". No anchoring is configured for the Remote LAN, since it is not supported in this WLC software release.
  Anybody have any ideas? Is this supported at all? The redirect is working fine with wireless on the OEAP.
  WLC 5508 7.4.110.0
  AIR-OEAP602I-E-K9
  ISE 1.2.0.899

  You are trying web-auth redirect on rlan correct? On remote lan 44 config:
  Remote LAN Configuration
  Remote LAN Identifier............................ 44
  Profile Name..................................... HomeOffice_RemoteLAN_Port4
  Status........................................... Enabled
  MAC Filtering.................................... Enabled
  AAA Policy Override.............................. Enabled
  Maximum number of Associated Clients............. 0
  Number of Active Clients......................... 0
  Exclusionlist Timeout............................ 60 seconds
  Session Timeout.................................. 86400 seconds
  User Idle Timeout................................ 300 seconds
  User Idle Threshold.............................. 0 Bytes
  NAS-identifier................................... XXX-XXXXXX
  Webauth DHCP exclusion........................... Disabled
  Interface........................................ homeoffice
  Remote LAN ACL................................... unconfigured
  DHCP Server...................................... Default
  DHCP Address Assignment Required................. Enabled
  PMIPv6 Mobility Type............................. none
  Radius Servers
     Authentication................................ 10.65.30.220 1812
     Authentication................................ 10.65.30.221 1812
     Accounting.................................... 10.65.30.220 1813
     Accounting.................................... 10.65.30.221 1813
        Interim Update............................. Disabled
     Dynamic Interface............................. Disabled
     Dynamic Interface Priority.................... wlan
  Local EAP Authentication......................... Disabled
  Security
     802.1X........................................ Disabled
     Web Based Authentication...................... Disabled
     Web-Passthrough............................... Disabled
  AVC Visibilty.................................... Disabled
  AVC Profile Name................................. None
  Flow Monitor Name................................ None
  802.11u........................................ Disabled
  MSAP Services.................................. Disabled

• About max local MAC filtering can be register in WLC 2504 and 5508

  Hi all
  My customer is considering to use WLC with MAC filtering feature (use local database not external Radius). So they are concerning about maximum local MAC filtering entries that can be register on WLC2504 and WLC5508 to buy (the number of APs is about 20, but the MAC is more than 200)
  I tried to search, but I could not find any specs mention it. If anyone knows, please help to answer
  Rgds

  I looked at this before. I want to say its maxed at 2048 regardless of the model ..
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html

• MAC Filtering via Radius not working

  Hi Folks,
  I'm having problems with MAC filtering via RADIUS.  I have a combination of a local database on the controllers and remote MAC addresses provisioned on a Cisco ACS.  My problem is that even when I've set the controllers to use Radius and I've configured the order to be local and then radius the controllers never sent an auth request to the Radius servers.  I know that Radius can work because I have another WLAN (the guest WLAN) on the same hardware that is configured to authenticate first against the local database and then against Radius and this is working fine. 
  (WiSM-slot9-1) >debug aaa all enable
  *Oct 09 08:01:44.518:       AVP[14] Called-Station-Id........................X.X.X.X (9 bytes)
  *Oct 09 08:03:21.677: Unable to find requested user entry for 6cc26b5990e5
  *Oct 09 08:03:21.677: ReProcessAuthentication previous proto 8, next proto 40000001
  *Oct 09 08:03:21.677: AuthenticationRequest: 0x18cc933c
  *Oct 09 08:03:21.677:   Callback.....................................0x10112bc4
  *Oct 09 08:03:21.677:   protocolType.................................0x40000001
  *Oct 09 08:03:21.677:   proxyState...................................6C:C2:6B:59:90:E5-00:00
  *Oct 09 08:03:21.677:   Packet contains 14 AVPs (not shown)
  *Oct 09 08:03:21.678: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
  *Oct 09 08:03:21.678: AuthorizationResponse: 0x38f71958
  *Oct 09 08:03:21.678:   structureSize................................32
  *Oct 09 08:03:21.678:   resultCode...................................-7
  *Oct 09 08:03:21.678:   protocolUsed.................................0xffffffff
  *Oct 09 08:03:21.678:   proxyState...................................6C:C2:6B:59:90:E5-00:00
  *Oct 09 08:03:21.678:   Packet contains 0 AVPs:
  *Oct 09 08:03:21.680: Looking up local blacklist 98d6bbde785f
  *Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
  *Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
  *Oct 09 08:03:21.778: Looking up local blacklist 0013ce73a9e0
  *Oct 09 08:03:21.846: Unable to find requested user entry for 6cc26b5990e5
  *Oct 09 08:03:21.847: ReProcessAuthentication previous proto 8, next proto 40000001
  *Oct 09 08:03:21.847: AuthenticationRequest: 0x18c6dcc4
  *Oct 09 08:03:21.847:   Callback.....................................0x10112bc4
  *Oct 09 08:03:21.847:   protocolType.................................0x40000001
  *Oct 09 08:03:21.847:   proxyState...................................6C:C2:6B:59:90:E5-00:00
  *Oct 09 08:03:21.847:   Packet contains 14 AVPs (not shown)
  *Oct 09 08:03:21.847: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
  *Oct 09 08:03:21.847: AuthorizationResponse: 0x38f71958
  *Oct 09 08:03:21.847:   structureSize................................32
  *Oct 09 08:03:21.847:   resultCode...................................-7
  *Oct 09 08:03:21.847:   protocolUsed.................................0xffffffff
  *Oct 09 08:03:21.847:   proxyState...................................6C:C2:6B:59:90:E5-00:00
  *Oct 09 08:03:21.848:   Packet contains 0 AVPs:
  I'm assuming thaty the line - Returning AAA Error 'No Server' - is significant but I have configured the Radius servers correctly but a packet trace shows no auth requests whatsoever from the controllers.  Has anyone seen this?  Anything I should be looking at?
  Thanks in advance,
  Shane.

  The bug I ran into was CSCta53985 on the WLCs.  I upgraded to 7.0 and it fixed it. The fix is available in 6.0.188. Depending on your WLC hardware, I would go to at least 7.0.116 for newer AP support, and CleanAir support.