Urgent 802.1x and MAC-Authentication Problem
Hi all
I want to deploy the mac- authentication in my network. and I have 3000 users. In the lab the authenticatoion for the machine takes:
Vista : 15 - 20 seconds
XP : 30 - 35 seconds
Is there any way to reduce this time less than 10 seconds. My users count are 3000 will the time go bigger because of this.
Please help me.
Thanks and Best Regards
amady
With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps,
Similar Messages
-
Enabling 802.1x and MAC Authentication Bypass on ACS 4.2
Hi experts,
I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
Our company would like to enforce 'double authentication' on each staff machine (include those personal laptop/notebook). Each time the staff plugged into company's network, they will need to supply username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine is not match in ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
ii. If it is possible, any reference that I can check on how to configure this?
The reason why I need MAC authentication + 802.1x to be configured at ACS as most of our switches are not cisco based and only capable to support 802.1x.
Hope anyone here could help me on this.
Thanks very much,
DanielWith ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
Compatibility 802.1X and mac-filter from ACS
If the clients identities and mac address are stored in the same ACS server.
In WLC,could a wlan be configured layer2 security with both 802.1x and mac-filtering?
this is really a critical problem for me!
Thanks~Hi,
I am assuming you are asking if you configure a x mac of wlan client in MAC filer and the same as user naem in 802.1x ACS database as user name , could you configure it ? what is the effect?
If my understading of your queston is correct the answer is
Any wlan client will not be allowed to associate to the network unless a match is seen in mac filter in wlc.
But once that is done it will not able to access network resources unless 802.1x authentication is completed by ACS against the wlan clients user name which is again a mac address of client.
i dont see a value for doing this. except that you will block unnecessary authentication request getting to ACS by filtering it in the 1st instance.
another scenario is if you are using mac filtering also on ACS , it should be preceeded by mac filtering and then ACS authentication , as above as far as ssequence goes hence the same logic applies here.
Thanks -
Hi, I´m having some trouble to authenticate the users with EAP and MAC authentication, i´m using IAS server and the EAP authentication is working well, but when I configure the MAC and EAP authentication, it doesn´t connect to the clients.
Any idea how can I solve this problem??
ThanskI think MAC authentication is not supported in IAS , you can do MAC address filtering on AP
-
I am currently using WPA2-spk. I want to add another layer of security. I know I could do EAP. I am also looking at mac authentication. But I want to host the mac list on an ACS server. Setting the the mac addresses on the ACS server is pretty cut and dry, but how can I configure the ap to look to the ACS server for its mac list? And, how can I get WPA-spk and mac authentication to work together?
Hi Jared,
you can do this by setup the following:
Webinterface:
1. Securtiy -> Server Manager
Setup the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
2. Securtiy -> Advanced Securtiy
In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
IOS Interface from config mode:
aaa group server radius rad_mac
server 10.20.40.37 auth-port 1645 acct-port 1646
and
aaa authentication login mac_methods group rad_mac
or
aaa authentication login mac_methods group rad_mac local (for local fallback)
I have not tested this, cause the MAC of the supplicants is to easy to sniff and any medium skilled person may used a sniffed MAC to enter the first authentication stage!
Better use a setup with EAP-FAST or PEAP!
I hope that helps.
Best regards,
Frank
I hope that helps. -
Sg300 - 802.1x NPS - mac authentication not working
I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
My current port configuration on the SG300:
interface fastethernet1
dot1x guest-vlan enable
dot1x max-req 1
dot1x reauthentication
dot1x timeout quiet-period 10
dot1x authentication 802.1x mac
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode access
On the Windows NPS server there is following error to see:
Authentication Details:
Connection Request Policy Name: Secure Wire
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: myradius.local
Authentication Type: -
EAP Type: -
Account Session Identifier: 30353030399999
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
There is compared to the message from the 3850 the authentication type missing (PAP) and a not very helpful error message displayed...Still not working.
I tried different settings and (also older) software versions on the SF302-08P.
Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
The NPS reports following error:
Schannel:
The following fatal alert was received: 40.
EventID 36887
If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
... is this a bug on the SF302-08P? -
OS-X - 802.1x and machine authentication
Hi all
I have a customer with a large installed base of MacBooks Pro running MAC OS-X, connected via WLAN to a centralized Cisco WLC 5508. He also has installed a Cisco ACS 5.x as RADIUS server and Open LDAP as directory services.
The customer wants to do machine authentication based on cthe lients MAC addresses, which means that the ACS 5.x has to check the clients MAC address against the LDAP.
Obviously MACs are not able to send "host/" to differentiate between client- and user-authentication, which by the way works perfect.
- Does anybody have made the same experiences ?
- Has anyone managed to get this running ?
- Can anyone provide me config examples, hint or tipps ?
Everything is very much appreciated since this is an urgent request.
Many thanks in advance
Best regards
RomanHi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
Glad you found resolution with a later version of the OS.
Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400 -
802.1x and eDir Authentication
We are purchasing the Enterasys 802.1x NetSight policy manager (running on SLES 9 with OES) along with new Matrix N3 and C2 switches. We plan on utilizing 802.1x authentication on both our wired and wireless networks. We currently use NW 6.5 with BM 3.8 and NMAS RADIUS for wireless MAC authentication and it works well. I understand that BM/NMAS RADIUS does not work with 802.1x authentication.
I have read the previous two posts "How to implement a secure wireless solution (PEAP/EAP-TTLS)" and "eDirectory and 802.1x wireless authentication" Thank you Jim and others for your ideas and information.
My question is, has Novell gotten off their hands and provided a solution yet? Will they? I will look into the Funk Odyssey / Steel Belted Radius software, freeRadius, and Radiator.
Are there any other suggestions? Any changes since the above postings in January / February?
I just wish Novell were more leading edge with the new technologies. It has been quite disappointing.
Thanks,
OZ
Owen Zorge
IT Specialist III
AZ Department of Emergency and Military Affairs
602-392-7507
[email protected]Thank you for the info and link Jim. I seem to remember a session at BrainShare this year that discussed this issue. I'll also look up that presentation on the CD I just received.
I have already contacted Funk to get some information on their 802.1x client. Any idea when Novell will integrate 802.1x authentication into the NetWare Client?
Thanks again,
OZ
Owen Zorge
IT Specialist III
AZ Department of Emergency and Military Affairs
602-392-7507
[email protected]
>>> Jim Michael<[email protected]> 5/24/2005 1:55:03 PM >>>
Owen Zorge wrote:
> My question is, has Novell gotten off their hands and provided a
> solution yet? Will they?
Yes, they have. You still cannot use the NetWare RADIUS server (it's
dead), but Novell contributed code to the freeRADIUS project that lets
you do 802.1x a wee bit easier than what I had to go through.
I suggest you start here
http://www.novell.com/documentation/...ius/index.html
> I will look into the Funk Odyssey / Steel
> Belted Radius software, freeRadius, and Radiator.
Understand that you will most likely need at least the Odyssey *client*
(supplicant) for your Windows boxes. The 802.1x supplicant that ships in
WindowsXP works, but doesn't have enough features for most shops. This
has nothing to do with Novell and is purely a client-side issue.
Jim
NSC SYsop -
Mail setup and .mac authentication
Baffled… I have been trying to setup my Mail account. I have an active .Mac account which I can access via the internet, so I know it works. I am trying to use Mail as my automatic mail for sending Aperture photos and iWeb announcements.
In going through the setup procedures in Mail I enter all the required information and the application tries to authenticate my .Mac account… it spins and spins… then an error message is received indicating “failure to connect to .Mac”. I have verified my settings with a friend who uses the same ISP, Mail and .Mac and all our settings are the same.
Is this a keychain issue, do I need to reset permissions?
Why can I access my .Mac account through Safari yet the computer can’t do it automatically?
Thanks for anyone’s assistance.So you get mail from your .Mac account not via IMAP,
but via POP3? Or what do you mean by "as for IMAP I
am not using that"?
And no, I did not talk about pinging the server
(which just sends ICMP echo requests), but about
trying to connect to the server using telnet. That's
a real big difference.
I only get mail via the web ~ Safari ~ Yahoo... .mac mail can be received and used onlt as a web application, Mial does not connect via .mac.
The problem is .Mac authentifcation when setting up a new Mail account, error message says can not verify/connect to .Mac server, yet I can access .Mac via the internet.
IMAP ~ in my system preferences for Accounts/Advanced I do not sync to any IMAP mailbox and the greyed out port is 143 nad SSL is not checked.
Terminal ~ yes it logged in, sorry if I used the wrong term "ping"... so yes it did connect. -
WLC Flexconnect with AAA and MAC authentication
hi,
i am having cisco WLC with 7.4.121 version and i am having remote side access points to be connected to this controller and remote access point will have different vlan on the remote side itself.
my question is i am having Radius authentication for the clients who are all connecting from all the access points and MAC filtering also.
My radius server is placed in the HQ where we have WLC. which method of flexconnect switchign will give be both AAA and MAc filter options to be working.
one more question,
is it possible to make each AP seperate MAC filters On the WLC.
thanks
cyrilIf you are planning on doing machine authentication i.e authentication of machine with username password by the AAA server at then this is possible using flexconnect local switching enabled provided you have your AAA server accessible via the local VLAN at the remote site.
In case you are planning on doing mac-filtering using WLC and username/password authentication using AAA server then this cannot be achieved when you enable Flexconnect local switching as you do not get an option to configure the mac-filtering on Flex-connect groups.Hence you would need to use central authentication.
Actually the best option for you is that you either deploy a local site AAA server and do both the authentications via your radius server or use Central authentication with Flexconnect APs incase this is not feasible.
Hope this clears you doubts!!!
Note: Please do not forget to rate and accept as solution incase the post is valid. -
AP1242AG WPA and MAC Filtering problem
Hello,
Presently I managed some AP1242AG in ofiice area
I need implement WPA and MAC filtering.
I found what :
In IOS 12.2(13)JA branch IOS and before, MAC authentication was supported
in conjunction with WPA.
In 12.2(15)JA and above, configuring MAC authentication with WPA does not
work. MAC Authentication passes everyone through.
I can't found IOS 12.2(13) in Cisco site.
Can anybody help me and give link to download 12.2(13)JA ?
Thanks.Also when I acivete MAC filterring
access-list 700 deny 0024.d7ed.2204 0000.0000.0000
access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
dot11 association mac-list 700
dot11 ssid zero!v
vlan 390
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
wpa-psk ascii 7 14531708030A2E1A3108212127015644
The WPA is working but MAC filtering not reject
IOS Ver.
Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.3(11)JA1, RELEASE SOFTWARE (fc2) -
Wireless Guest and mac authentication
Hi all,
I want to setup a wifi guest network with mac based authentication.
I already have the guest anchor controller and the remote wlc controller (and the mobility tunnel) up and running.
However, i am uncertain where i have to program the mac addresses: on the remote wlc or on the guest controller ? (for local database mac)
It seems my authentication only works if i program the mac address of the 'remote' wlc (the wlc holding the AP).
This is a pitty, as i was hoping to centralise all "appoved" mac addresses on the guest controller and not on each individual wlc seperatly.
Also, suppose i want a radius server to validate the mac address. Which controller is going to sent the radius request ? the wlc controller
managing the AP or the guest anchor controller ?
Does the remote wlc also need to be configured with "Layer2 security: none"+"mac authentication" (the same as the anchor controller) or can i put "Layer2:none" and put the anchor controller on "Layer2: none"+mac authentication ?
regards,
GeertHi Geert,
The rule is straightforward : layer 2 is handled by foreign WLC (one holding the AP) and layer 3 handled by the anchor (the guest).
This means the anchor WLC handles the dhcp/ip address, it handles the web authentication etc ...
But only the foreign WLC knows which AP the client is associated to, it's the only one to have layer 2 information so that's the one doing layer 2 authentication (wpa psk or mac filtering).
The way to "centralize" for you would be to have the mac addresses on a radius server or to push the mac addresses on the controllers via WCS.
Hope this clarifies,
Nicolas
===
Don't forget to rate answers that you find useful -
Cisco aironet 1040: create wireless with wpa2 and mac authentication
Hi,
I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
Can anyone help me? thanks
Hi,
I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
Can anyone help me? thanksap#show configuration
Using 2085 out of 32768 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 ssid Svez
authentication open mac-address mac_methods
authentication key-management wpa version 2
username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
username 00907a0f2a55 autocommand exit
username administrator privilege 15 password 7 033449040A0620425A0D15564F42
username 0025d3db778b password 7 055B565D74481D0D1B52404A09
username 0025d3db778b autocommand exit
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid Svez
antenna gain 0
station-role root
world-mode legacy
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
end
ap# -
Hello all
WLC Appliance supports Local MAC Authentication, http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#conf
Does Virtual WLC support this too?
Thanks
FrancoHello, Franco.
Have you checked the data sheet for the Cisco Virtual WLC's security Standards? Check this link: (http://cs.co/9007qz7W).
Are you planning to switch from a WLC appliance to a virtual?
Kind regards. -
E1200 - Ports not working and mac filtering problem
If there was a way to give negative stars to this router, I would. As it is, the minimum rating I can give this product is one star, and that's one star too many.
I was upgrading from the WRT54G, which is an ugly thing to look at, but a reliable workhorse nonetheless. I turned that in to a downstream switch in my comms hub.
On the E1200, I flashed the latest firmware, used different Cat5 cables, and different laptops before committing to hating this product.
The first time I reached out to Amazon, the Amazon rep gave me a Cisco number to call. Turns out, that's some shady mortgage refinance hotline. Try it for yourself! 1-800-666-1771.
Now, the rant -
1. Two out of four wired LAN ports don't work: What can be the fix for this?! The activity lights on ports 3 and 4 blink and suggest data transfer is taking place, but the wired laptop simply can't acquire an IP address and access the internet. Same result when I connect my Panasonic Blu-Ray player to ports 3 and 4. None of the Viera Cast features load.
2. MAC filtering unreliable: The wireless routing works somewhat reliably, if and only if, one settles for the most basic security. If I only choose a password and WPA2 protocol, things work fine. If I add another layer of security (in my case, enabling MAC filtering and only PERMITTING gateway to listed MAC IDs), things break down. As soon as I disable MAC filtering, wireless access to authenticated clients is restored.
3. Cisco customer service: The censored world we live in, compels me to criticize politely. TERRIBLE. Cisco website is unintuitive, and frustrating. There's no easy way to register your purchased product. The Cisco "registration" is intentionally misleading and deceptive. For all intents and purposes, it's just an information gathering tool for Cisco. Don't bother registering there, unless you love the idea of storing your personal information on their servers. Their phone-based customer service is apathetic and uninterested. My rep was so distrusting of my intelligence and motor control, that he simply wouldn't believe that I had selected "PERMIT" and not "PREVENT" as the option under MAC filtering. After he asked me the same question for the fourth time, I raised my voice, and he gave up the idea of checking for the fifth time.
However, this review is a tale of two companies. I reached out to Amazon again. This time, I got a rockstar in the shape of Leanne C! She was incredibly helpful, and understanding. What's more, she set up my return without any hassle and this Cisco dud is on its way back. I'm a big fan of Leanne's and my confidence in Amazon is restored.
I'm sure that i received a lemon. I've never had problems with Linksys products. Maybe others' experience is different from mine.In your case as port numbers 1 and 2 does not work, what you could have done a loop back test. To perform a loop back test you need to take an ethernet cable, connect one end of that cable to internet port and the other end to the non-working port on the router. If you get the led to glow on both internet and the respective ethernet port that indicates that the port is working fine.
It could also be a sychronization issue between the above mentioned lan ports and the lan card of your computer. As a part of trouble shooting you can try to reduce the card speed of your lan card. Following are the steps to reduce the speed of your lan card.
START--> right-click My Network Places and click Properties
right-click on the device manager and click properties
Click on the CONFIGURE button
Select the ADVANCED tab and in the box under the header property select "speed and duplex" and change the value on the right to 10 mbps half duplex. A restart would be recommended after performing these steps.
In the second half you said that after enabling the mac filter option the internet breaks down. Here, do you mean to say that the computer
gets disconnected from the wireless network or it stays connected with a valid IP address but without an internet connection.
Well, it is an unusual issue however you could have reset and reconfigure the router as you got the latest firmware upgraded on it.
Steps to reset the router:
Push the reset button on router for 30 seconds, turn off the router wait for 30 seconds and then power it on. Power light should blink when you perform the reset process.
Maybe you are looking for
-
SGD Exchange Rate Difference JE appears in Customer Aging Report
Dear Experts, SAP Version: 8.81 Local Currency: SGD We perform Exchange Rate Difference for a USD BP to calculate the unrealized gain/loss during month-end, JE created successfully. Next, we go to Customer Aging Report and select this USD BP. When i
-
Using Acrobat XI Pro on Macbook
I just purchased/downloaded Acrobat XI Pro to my Macbook Pro. It doesn't appear in my applications and when I try to open a file with it, I get a message that the computer doesn't support windows based apps. I checked before I downloaded that the m
-
Popup ads and windows showing in Safari
Hi all, it has been few weeks that Safari started to show popup ads. Both the one in page and the ones creating a new window (tab since I use Glims). I wonder because they all are in Italian (I am in Italy indeed). I never had them before. Did they f
-
hey guys i trust you are well .my phone has a problem where it says searching in the top left corner where my service providers name is supposed to be ,it has done this before i fix it by connecting to itune on my pc this time it got stuck in setup m
-
Question about Crystal Reports 4.0 and "cross database joins"
Hi everybody, in Crystal Reports 2008 we could use the cross database joining feature to put two or more BEx queries via MDX into one report and join them within Crystal Reports. We know that this might lead to performance problems but for some scena