Urgent 802.1x and MAC-Authentication Problem

Similar Messages

• Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

  Hi experts,
  I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
  i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
  Our company would like to enforce 'double authentication' on each staff machine (include those personal laptop/notebook). Each time the staff plugged into company's network, they will need to supply username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine is not match in ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
  ii. If it is possible, any reference that I can check on how to configure this?
  The reason why I need MAC authentication + 802.1x to be configured at ACS as most of our switches are not cisco based and only capable to support 802.1x.
  Hope anyone here could help me on this.
  Thanks very much,
  Daniel

  With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
  Specific info is here:
  <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
  Hope this helps,

• Compatibility 802.1X and mac-filter from ACS

  If the  clients identities and mac address are stored in the same ACS server.
  In WLC,could a wlan be configured layer2 security with both 802.1x and mac-filtering?
  this is really a critical problem for me!
  Thanks~

  Hi,
  I am assuming  you are asking if you configure a x  mac of wlan client in MAC filer and the same as user naem in 802.1x ACS database as user name , could you configure it ? what is the effect?
  If my understading of your queston is  correct the answer is
  Any wlan client will not be allowed to  associate to the network  unless a match is  seen in mac filter in wlc.
  But once that is done  it will not able to access  network resources  unless   802.1x authentication is  completed by ACS  against the wlan clients user name which is again a mac  address of client.
  i dont see a value for doing this. except that you will block  unnecessary authentication request getting to ACS  by filtering it in the 1st instance.
  another scenario is  if you are using mac filtering also on ACS , it should be preceeded by mac filtering and then ACS authentication , as above as far as  ssequence goes hence the same logic applies here.
  Thanks

• IAS and MAC authentication

  Hi, I´m having some trouble to authenticate the users with EAP and MAC authentication, i´m using IAS server and the EAP authentication is working well, but when I configure the MAC and EAP authentication, it doesn´t connect to the clients.
  Any idea how can I solve this problem??
  Thansk

  I think MAC authentication is not supported in IAS , you can do MAC address filtering on AP

• WPA2 and mac authentication

  I am currently using WPA2-spk. I want to add another layer of security. I know I could do EAP. I am also looking at mac authentication. But I want to host the mac list on an ACS server. Setting the the mac addresses on the ACS server is pretty cut and dry, but how can I configure the ap to look to the ACS server for its mac list? And, how can I get WPA-spk and mac authentication to work together?

  Hi Jared,
  you can do this by setup the following:
  Webinterface:
  1. Securtiy -> Server Manager
  Setup the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
  2. Securtiy -> Advanced Securtiy
  In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
  IOS Interface from config mode:
  aaa group server radius rad_mac
  server 10.20.40.37 auth-port 1645 acct-port 1646
  and
  aaa authentication login mac_methods group rad_mac
  or
  aaa authentication login mac_methods group rad_mac local (for local fallback)
  I have not tested this, cause the MAC of the supplicants is to easy to sniff and any medium skilled person may used a sniffed MAC to enter the first authentication stage!
  Better use a setup with EAP-FAST or PEAP!
  I hope that helps.
  Best regards,
  Frank
  I hope that helps.

• Sg300 - 802.1x NPS - mac authentication not working

  I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
  Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
  My current port configuration on the SG300:
  interface fastethernet1
   dot1x guest-vlan enable
   dot1x max-req 1
   dot1x reauthentication
   dot1x timeout quiet-period 10
   dot1x authentication 802.1x mac
   dot1x radius-attributes vlan static
   dot1x port-control auto
   switchport mode access
  On the Windows NPS server there is following error to see:
  Authentication Details:
      Connection Request Policy Name:    Secure Wire
      Network Policy Name:        -
      Authentication Provider:        Windows
      Authentication Server:        myradius.local
      Authentication Type:        -
      EAP Type:            -
      Account Session Identifier:        30353030399999
      Reason Code:            1
      Reason:                An internal error occurred. Check the system event log for additional information.
  There is compared to the message from the 3850 the authentication type missing (PAP) and a not very helpful error message displayed...

  Still not working.
  I tried different settings and (also older) software versions on the SF302-08P.
  Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
  The NPS reports following error:
  Schannel:
  The following fatal alert was received: 40.
  EventID 36887
  If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
  ... is this a bug on the SF302-08P?

• OS-X - 802.1x and machine authentication

  Hi all
  I have a customer with a large installed base of MacBooks Pro running MAC OS-X, connected via WLAN to a centralized Cisco WLC 5508. He also has installed a Cisco ACS 5.x as RADIUS server and Open LDAP as directory services.
  The customer wants to do machine authentication based on cthe lients MAC addresses, which means that the ACS 5.x has to check the clients MAC address against the LDAP.
  Obviously MACs are not able to send "host/" to differentiate between client- and user-authentication, which by the way works perfect.
  - Does anybody have made the same experiences ?
  - Has anyone managed to get this running ?
  - Can anyone provide me config examples, hint or tipps ?
  Everything is very much appreciated since this is an urgent request.
  Many thanks in advance
  Best regards
  Roman

  Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
  Glad you found resolution with a later version of the OS.
  Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

• 802.1x and eDir Authentication

  We are purchasing the Enterasys 802.1x NetSight policy manager (running on SLES 9 with OES) along with new Matrix N3 and C2 switches. We plan on utilizing 802.1x authentication on both our wired and wireless networks. We currently use NW 6.5 with BM 3.8 and NMAS RADIUS for wireless MAC authentication and it works well. I understand that BM/NMAS RADIUS does not work with 802.1x authentication.
  I have read the previous two posts "How to implement a secure wireless solution (PEAP/EAP-TTLS)" and "eDirectory and 802.1x wireless authentication" Thank you Jim and others for your ideas and information.
  My question is, has Novell gotten off their hands and provided a solution yet? Will they? I will look into the Funk Odyssey / Steel Belted Radius software, freeRadius, and Radiator.
  Are there any other suggestions? Any changes since the above postings in January / February?
  I just wish Novell were more leading edge with the new technologies. It has been quite disappointing.
  Thanks,
  OZ
  Owen Zorge
  IT Specialist III
  AZ Department of Emergency and Military Affairs
  602-392-7507
  [email protected]

  Thank you for the info and link Jim. I seem to remember a session at BrainShare this year that discussed this issue. I'll also look up that presentation on the CD I just received.
  I have already contacted Funk to get some information on their 802.1x client. Any idea when Novell will integrate 802.1x authentication into the NetWare Client?
  Thanks again,
  OZ
  Owen Zorge
  IT Specialist III
  AZ Department of Emergency and Military Affairs
  602-392-7507
  [email protected]
  >>> Jim Michael<[email protected]> 5/24/2005 1:55:03 PM >>>
  Owen Zorge wrote:
  > My question is, has Novell gotten off their hands and provided a
  > solution yet? Will they?
  Yes, they have. You still cannot use the NetWare RADIUS server (it's
  dead), but Novell contributed code to the freeRADIUS project that lets
  you do 802.1x a wee bit easier than what I had to go through.
  I suggest you start here
  http://www.novell.com/documentation/...ius/index.html
  > I will look into the Funk Odyssey / Steel
  > Belted Radius software, freeRadius, and Radiator.
  Understand that you will most likely need at least the Odyssey *client*
  (supplicant) for your Windows boxes. The 802.1x supplicant that ships in
  WindowsXP works, but doesn't have enough features for most shops. This
  has nothing to do with Novell and is purely a client-side issue.
  Jim
  NSC SYsop

• Mail setup and .mac authentication

  Baffled… I have been trying to setup my Mail account. I have an active .Mac account which I can access via the internet, so I know it works. I am trying to use Mail as my automatic mail for sending Aperture photos and iWeb announcements.
  In going through the setup procedures in Mail I enter all the required information and the application tries to authenticate my .Mac account… it spins and spins… then an error message is received indicating “failure to connect to .Mac”. I have verified my settings with a friend who uses the same ISP, Mail and .Mac and all our settings are the same.
  Is this a keychain issue, do I need to reset permissions?
  Why can I access my .Mac account through Safari yet the computer can’t do it automatically?
  Thanks for anyone’s assistance.

  So you get mail from your .Mac account not via IMAP,
  but via POP3? Or what do you mean by "as for IMAP I
  am not using that"?
  And no, I did not talk about pinging the server
  (which just sends ICMP echo requests), but about
  trying to connect to the server using telnet. That's
  a real big difference.
  I only get mail via the web ~ Safari ~ Yahoo... .mac mail can be received and used onlt as a web application, Mial does not connect via .mac.
  The problem is .Mac authentifcation when setting up a new Mail account, error message says can not verify/connect to .Mac server, yet I can access .Mac via the internet.
  IMAP ~ in my system preferences for Accounts/Advanced I do not sync to any IMAP mailbox and the greyed out port is 143 nad SSL is not checked.
  Terminal ~ yes it logged in, sorry if I used the wrong term "ping"... so yes it did connect.

• WLC Flexconnect with AAA and MAC authentication

  hi,
  i am having cisco WLC with 7.4.121 version and i am having remote side access points to be connected to this controller and remote access point will have different vlan on the remote side itself.
  my question is i am having  Radius authentication for the clients who are all connecting from all the access points and MAC filtering also.
  My radius server is placed in the HQ where we have WLC. which method of flexconnect switchign will give be both AAA and MAc filter options to be working.
  one more question,
  is it possible to make each AP seperate MAC filters On the WLC.
  thanks
  cyril

  If you are planning on doing machine authentication i.e authentication of machine with username password by the AAA server at then this is possible using flexconnect local switching enabled provided you have your AAA server accessible via the local VLAN at the remote site.
  In case you are planning on doing mac-filtering using WLC and username/password authentication using AAA server then this cannot be achieved when you enable Flexconnect local switching as you do not get an option to configure the mac-filtering on Flex-connect groups.Hence you would need to use central authentication.
  Actually the best option for you is that you either deploy a local site AAA server and do both the authentications via your radius server or use Central authentication with Flexconnect APs incase this is not feasible.
  Hope this clears you doubts!!!
  Note: Please do not forget to rate and accept as solution incase the post is valid.

• AP1242AG WPA and MAC Filtering problem

  Hello,
  Presently I managed some AP1242AG in ofiice area
  I need implement WPA and MAC filtering.
  I found what :
  In IOS 12.2(13)JA branch IOS and before, MAC authentication was supported
  in conjunction with WPA.
  In 12.2(15)JA and above, configuring MAC authentication with WPA does not
  work. MAC Authentication passes everyone through.
  I can't found IOS 12.2(13) in Cisco site.
  Can anybody help me and give link to download 12.2(13)JA ?
  Thanks.

  Also when I acivete MAC filterring
  access-list 700 deny   0024.d7ed.2204   0000.0000.0000
  access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
  dot11 association mac-list 700
  dot11 ssid zero!v
     vlan 390
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
     wpa-psk ascii 7 14531708030A2E1A3108212127015644
  The WPA is working but MAC filtering not reject
  IOS Ver.
  Cisco IOS Software, C1240 Software (C1240-K9W7-M), Version 12.3(11)JA1, RELEASE SOFTWARE (fc2)

• Wireless Guest and mac authentication

  Hi all,
  I want to setup a wifi guest network with mac based authentication.
  I already have the guest anchor controller and the remote wlc controller (and the mobility tunnel) up and running.
  However, i am uncertain where i have to program the mac addresses: on the remote wlc or on the guest controller ? (for local database mac)
  It seems my authentication only works if i program the mac address of the 'remote' wlc (the wlc holding the AP).
     This is a pitty, as i was hoping to centralise all "appoved" mac addresses on the guest controller and not on each individual wlc seperatly.
  Also, suppose i want a radius server to validate the mac address. Which controller is going to sent the radius request ? the wlc controller
  managing the AP or the guest anchor controller ?
  Does the remote wlc also need to be configured with "Layer2 security: none"+"mac authentication" (the same as the anchor controller) or can i put "Layer2:none" and put the anchor controller on "Layer2: none"+mac authentication ?
  regards,
  Geert

  Hi Geert,
  The rule is straightforward : layer 2 is handled by foreign WLC (one holding the AP) and layer 3 handled by the anchor (the guest).
  This means the anchor WLC handles the dhcp/ip address, it handles the web authentication etc ...
  But only the foreign WLC knows which AP the client is associated to, it's the only one to have layer 2 information so that's the one doing layer 2 authentication (wpa psk or mac filtering).
  The way to "centralize" for you would be to have the mac addresses on a radius server or to push the mac addresses on the controllers via WCS.
  Hope this clarifies,
  Nicolas
  ===
  Don't forget to rate answers that you find useful

• Cisco aironet 1040: create wireless with wpa2 and mac authentication

  Hi,
  I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
  I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
  Can anyone help me? thanks
  Hi,
  I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
  I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
  Can anyone help me? thanks

  ap#show configuration
  Using 2085 out of 32768 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname ap
  logging rate-limit console 9
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login default local
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 syslog
  dot11 ssid Svez
     authentication open mac-address mac_methods
     authentication key-management wpa version 2
  username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
  username 00907a0f2a55 autocommand exit
  username administrator privilege 15 password 7 033449040A0620425A0D15564F42
  username 0025d3db778b password 7 055B565D74481D0D1B52404A09
  username 0025d3db778b autocommand exit
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode ciphers tkip
  ssid Svez
  antenna gain 0
  station-role root
  world-mode legacy
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface GigabitEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  no keepalive
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address dhcp client-id GigabitEthernet0
  no ip route-cache
  ip http server
  ip http authentication aaa
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  radius-server attribute 32 include-in-access-req format %h
  radius-server vsa send accounting
  bridge 1 route ip
  line con 0
  line vty 0 4
  end
  ap#

• VWLC and Mac Authentication

  Hello all
  WLC Appliance supports Local MAC Authentication, http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#conf
  Does Virtual WLC support this too?
  Thanks
  Franco

  Hello, Franco. 
  Have you checked the data sheet for the Cisco Virtual WLC's security Standards? Check this link: (http://cs.co/9007qz7W). 
  Are you planning to switch from a WLC appliance to a virtual?
  Kind regards. 

• E1200 - Ports not working and mac filtering problem

  If there was a way to give negative stars to this router, I would. As it is, the minimum rating I can give this product is one star, and that's one star too many.
  I was upgrading from the WRT54G, which is an ugly thing to look at, but a reliable workhorse nonetheless. I turned that in to a downstream switch in my comms hub.
  On the E1200, I flashed the latest firmware, used different Cat5 cables, and different laptops before committing to hating this product.
  The first time I reached out to Amazon, the Amazon rep gave me a Cisco number to call. Turns out, that's some shady mortgage refinance hotline. Try it for yourself! 1-800-666-1771.
  Now, the rant -
  1. Two out of four wired LAN ports don't work: What can be the fix for this?! The activity lights on ports 3 and 4 blink and suggest data transfer is taking place, but the wired laptop simply can't acquire an IP address and access the internet. Same result when I connect my Panasonic Blu-Ray player to ports 3 and 4. None of the Viera Cast features load.
  2. MAC filtering unreliable: The wireless routing works somewhat reliably, if and only if, one settles for the most basic security. If I only choose a password and WPA2 protocol, things work fine. If I add another layer of security (in my case, enabling MAC filtering and only PERMITTING gateway to listed MAC IDs), things break down. As soon as I disable MAC filtering, wireless access to authenticated clients is restored.
  3. Cisco customer service: The censored world we live in, compels me to criticize politely. TERRIBLE. Cisco website is unintuitive, and frustrating. There's no easy way to register your purchased product. The Cisco "registration" is intentionally misleading and deceptive. For all intents and purposes, it's just an information gathering tool for Cisco. Don't bother registering there, unless you love the idea of storing your personal information on their servers. Their phone-based customer service is apathetic and uninterested. My rep was so distrusting of my intelligence and motor control, that he simply wouldn't believe that I had selected "PERMIT" and not "PREVENT" as the option under MAC filtering. After he asked me the same question for the fourth time, I raised my voice, and he gave up the idea of checking for the fifth time.
  However, this review is a tale of two companies. I reached out to Amazon again. This time, I got a rockstar in the shape of Leanne C! She was incredibly helpful, and understanding. What's more, she set up my return without any hassle and this Cisco dud is on its way back. I'm a big fan of Leanne's and my confidence in Amazon is restored.
  I'm sure that i received a lemon. I've never had problems with Linksys products. Maybe others' experience is different from mine.

  In your case as port numbers 1 and 2 does not work, what you could have done a loop back test. To perform a loop back test you need to take an ethernet cable, connect one end of that cable to internet port and the other end to the non-working port on the router. If you get the led to glow on both internet and the respective ethernet port that indicates that the port is working fine.
  It could also be a sychronization issue between the above mentioned lan ports and the lan card of your computer. As a part of trouble shooting you can try to reduce the card speed of your lan card. Following are the steps to reduce the speed of your lan card.
  START--> right-click My Network Places and click Properties
  right-click on the device manager and click properties
  Click on the CONFIGURE button
  Select the ADVANCED tab and in the box under the header property select "speed and duplex" and change the value on the right to 10 mbps half duplex. A restart would be recommended after performing these steps.
  In the second half you said that after enabling the mac filter option the internet breaks down. Here, do you mean to say that the computer
  gets disconnected from the wireless network or it stays connected with a valid IP address but without an internet connection.
  Well, it is an unusual issue however you could have reset and reconfigure the router as you got the latest firmware upgraded on it.
  Steps to reset the router:
  Push the reset button on router for 30 seconds, turn off the router wait for 30 seconds and then power it on. Power light should blink when you perform the reset process.