Using ACS to authenticate mac addresses

I am wanting to use ACS 3.3 to be the authentication source for MAC address authentication on a WLAN. All APs are 1200s. Configuring the AP to look to the ACS box seems pretty straightforward. But how do you configure the ACS box? Do you just enter the MAC address as the user name? What do you enter as the password?

You have to use the MAC address for both user id and password. This MAC address should be in the same format seen by the AP.
Please go to "MAC Authentication" portion of the following document for more information http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a008010f63d.html#wp1029067
HTH

Similar Messages

  • Use Cisco ACS to verify MAC address for VPN User

    Question: I want to have the MAC address of a machine checked when the user is logging into VPN Client.
    For example:
    User opens VPN client-->Clicks connect-->types in User/Pass which gets passed to ACS (part of what should be sent is the MAC address)---> ACS responds with a yes/no on user/pass and whether the MAC address is right)

    Hi Pete,
    I have found out in some of my testing that if a PC does not generate any kind of traffic and is totally idle and once the MAC address table ages out, it does not show its MAC until the PC generates some kind of traffic. I guess this is what you must be seeing.
    I have observed one more thing: if I connect a fully booted PC which is not generating any traffic to a switch port, it does not learn its MAC address until it generates traffic. These are my observations and that is what I believe happens in most cases.
    I don't know whether that answers your question or not, but it could be something close. I think there will be some who can shed some more light on this.
    regards,
    -amit singh

  • Problem to authenticate MAC address on ISE

    Hi guys,
    I have a lab with an ISE ver 1.1.1 installed on VMware, a Switch 3750, a WLC 4200 and one AP registered on the WLC. The WLC and AP are connected to the switch. We are testing user authentication using a Samsung tablet and it works OK. The authentication process is using the actual AD. The issue is when I try to authenticate the device using its MAC address. I'm reading many papers, but none of them explains the steps to do both authentications, by user and by MAC address, using the ISE.
    Can anyone help me with the MAC address authentication process on ISE? In the final deployment our client wants to use user and device authentication.
    Thank you for your attention on this matter.

    Hi Tarik,
    Thanks for your reply,
    the port configuration of SW is it:
    DEMOSW# sh run int Gi2/0/11
    description Access Wireless LAN Controller
    switchport trunk encapsulation dot1q
    switchport mode trunk
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    spanning-tree portfast
    DEMOSW# sh run int Gi2/0/12
    description Access Point
    switchport access vlan 103
    spanning-tree portfast
    Our goal is that the tablets' MAC addresses can be authenticated using the ISE Internal Endpoints Database.
    I hope you may help me about it.
    Thank you for your attention on this matter.
    Regards.

  • Guest portal using ACS to authenticate against AD

    Running ACS 5.3, I have a Wireless Access policy that authenticates wireless users either by mac address, AD user name or computer name, depending on what AD groups the accounts belong to.  My Network Authorization policy has rules because only certain groups should access certain SSIDs.
    I am trying to get the Guest authentication portal to accept and authenticate AD users belonging to a certain group, but I run into 15039 Selected Authorization Profile is DenyAccess
    Somewhere for some reason my authorization policy is denying access. 
    Needing some assistance in troubleshooting these rules.

    You have to change the Group Map Attribute to "member" and authorization  will work.

  • Use SpryValidationTextField to check MAC address

    Goal: I would like to have a data entry check in a text field
    that confirms a properly formed MAC address was entered.
    My attempt: I created a SpryValidationTextField of type
    custom with a pattern 00-00-00-00-00-00 and 'Enforce Pattern'
    ticked. The issue is that the system will not allow me to enter
    letters A-F for hexadecimal vlaues but only digits 0-9.
    Vice versa if I enter the pattern AA-AA-AA-AA-AA-AA the
    system will not allow me to enter any digits 0-9 but all
    characters.
    What I need is a check that allows all values 0-9/A-F with
    letters preferably automatically converted to capital letters, when
    entered in small characters, while preserving the integrity of the
    pattern 00-00-00-00-00-00.
    Can anyone help?

    A slight modification to the suggestions and it now works
    perfect. The improvement handles the error messaging perfectly well
    but also ensures that a complete MAC address is entered (the
    preliminary solution given below accepted a MAC address of
    16 characters as valid).
    Thanks for cw2ureg and V1 Fusion for their input. All credit
    to them
    HTML:
    <span id="sprytextfield1">
      <input type="text" name="mac" value="" size="17" />
      <span class="textfieldRequiredMsg">A value is required.</span>
      <span class="textfieldMinCharsMsg">Minimum number of characters not met.</span>
      <span class="textfieldMaxCharsMsg">Exceeded maximum number of characters.</span>
      <span class="textfieldInvalidFormatMsg">Not a valid MAC address</span>
    </span>
    Constructor:
    // minChars/maxChars of 17 force a complete address (6 pairs + 5 separators).
    var sprytextfield1 = new Spry.Widget.ValidationTextField("sprytextfield1", "none",
        {validation: fnValidateMacAddress, validateOn: ["blur"],
         hint: "00-00-00-00-00-00", minChars: 17, maxChars: 17});
    Function:
    function fnValidateMacAddress(macaddr) {
        // Six hex groups separated by hyphens.
        var reg1 =
            /^[A-Fa-f0-9]{1,2}\-[A-Fa-f0-9]{1,2}\-[A-Fa-f0-9]{1,2}\-[A-Fa-f0-9]{1,2}\-[A-Fa-f0-9]{1,2}\-[A-Fa-f0-9]{1,2}$/;
        // Six hex groups separated by colons.
        var reg2 =
            /^[A-Fa-f0-9]{1,2}\:[A-Fa-f0-9]{1,2}\:[A-Fa-f0-9]{1,2}\:[A-Fa-f0-9]{1,2}\:[A-Fa-f0-9]{1,2}\:[A-Fa-f0-9]{1,2}$/;
        if (reg1.test(macaddr)) {
            return true;
        } else if (reg2.test(macaddr)) {
            return true;
        } else {
            return false;
        }
    }

  • ACS V4.1 How to separate MAC addresses in an Authentication rule....?

    I'm configuring Agentless Authentication based on MAC addresses sent from the access switch using MAB (MAC Authent. Bypass). I got it up and running, but with just one MAC address configured in the Authentication rule. When I try to configure more than one address in the rule, I get an error saying this is not a MAC address. How do you separate the MAC entries in the same Authentication rule? The doc says you can configure 10.000 addresses in one rule.

    The ACS can authenticate MAC addresses sent from an AP/Switch. A properly configured AP/Switch will attempt to authenticate a MAC address using Secure-PAP authentication with the ACS. The MAC addresses are entered into the ACS as users, with the username and password being the MAC address.
    1. From the ACS main menu, click on the USER SETUP button.
    2. In the USER text box, type the MAC address to add to the user database. Use no dashes, periods, or any other delimiter.
    At the USER SETUP screen, enter the MAC address in the SECURE-PAP PASSWORD text box.
    3. Click the SUBMIT button.
    Adding the AP/Switch to the ACS server
    1. From the ACS main menu click on the NETWORK CONFIGURATION button.
    2. Click on the ADD ENTRY button.
    3. Configure the DNS name of the AP, the IP address of the AP, the RADIUS shared secret and the
    Authentication method.
    4. Make sure to select RADIUS (Cisco Aironet) in the AUTHENTICATE USING drop down menu.
    5. To complete, click the SUBMIT+RESTART button.
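
The two threads above both depend on MAC address format: the Spry validator checks what a user typed, and the ACS user entry must match the format the AP or switch sends, with the MAC as both user name and password. The following is an added example, not code from either post: it parses the notations mentioned on this page, rejects short or mixed-delimiter input, and builds de-duplicated user entries. The function names, the `style` parameter and the sample list are assumptions made for illustration; which style your AP or switch actually sends must be checked on the device.

```javascript
// Added example (not from the original posts). All sample values are constructed.
// Notations accepted: 00-40-96-12-34-56, 00:40:96:12:34:56, 0040.9612.3456, 004096123456
const MAC_PATTERNS = [
  /^[0-9a-f]{2}(-[0-9a-f]{2}){5}$/i,
  /^[0-9a-f]{2}(:[0-9a-f]{2}){5}$/i,
  /^[0-9a-f]{4}(\.[0-9a-f]{4}){2}$/i,
  /^[0-9a-f]{12}$/i,
];

// Returns null for anything that is not exactly 12 hex digits in one consistent notation.
function parseMac(input) {
  const text = String(input).trim();
  if (!MAC_PATTERNS.some((re) => re.test(text))) return null;
  const hex = text.replace(/[-:.]/g, '').toLowerCase();
  const firstOctet = parseInt(hex.slice(0, 2), 16);
  return {
    hex,
    multicast: (firstOctet & 0x01) !== 0,            // I/G bit: never a valid station address
    locallyAdministered: (firstOctet & 0x02) !== 0,  // U/L bit: not a burned-in address
  };
}

function formatMac(mac, style) {
  switch (style) {
    case 'bare':   return mac.hex;                                     // no delimiters
    case 'hyphen': return mac.hex.match(/.{2}/g).join('-').toUpperCase();
    case 'colon':  return mac.hex.match(/.{2}/g).join(':');
    case 'cisco':  return mac.hex.match(/.{4}/g).join('.');
    default: throw new Error('unknown style: ' + style);
  }
}

// Builds user entries where user name and password are the same formatted MAC.
function buildUserList(lines, style) {
  const seen = new Set();
  const result = { users: [], rejected: [], warnings: [] };
  for (const line of lines) {
    const mac = parseMac(line);
    if (!mac || mac.multicast) { result.rejected.push(line); continue; }
    if (seen.has(mac.hex)) continue;   // same address written in another notation
    seen.add(mac.hex);
    const name = formatMac(mac, style);
    if (mac.locallyAdministered) result.warnings.push(name);
    result.users.push({ username: name, password: name });
  }
  return result;
}

// Constructed sample input: three spellings of one address, one short group,
// one locally administered address, the broadcast address, one non-hex digit.
const SAMPLE = [
  '00-40-96-12-34-56', '00:40:96:12:34:56', '0040.9612.3456',
  '0-40-96-12-34-56', '02:11:22:33:44:55', 'ff:ff:ff:ff:ff:ff',
  '00-40-96-12-34-5G',
];

console.log(JSON.stringify(buildUserList(SAMPLE, 'bare'), null, 2));
```

Entries listed under `warnings` have the locally administered bit set, so they are not burned-in addresses and are worth reviewing before they go into a MAC authentication list.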

  • Domain authentication with mac address restrictions

    I am in a branch office and I have one WLC 5508 and one ACS 4.2 with three WLANs:
    WLAN1 with SSID1: for company computers and laptops
    WLAN2 with SSID2: for ipads and tablets
    WLAN3 with SSID3:  for guests
    I am asked to configure WLAN2 as “WLAN2: Provides the Wi-Fi connectivity to ipads and tablets, with back end security using domain authentication with mac address restrictions.

    You would need to create a separate policy and be able to have a separation between the two policies... It's kind of hard to explain, but you would have for example:
    Policy 1:
    Wireless user on this SSID WLAN1
    AD on this AD Group (Machine)
    Policy 2:
    Wireless user on this SSID WLAN 2
    AD on this AD Group (User)
    Thanks,
    Scott
    *****Help out other by using the rating system and marking answered questions as "Answered"*****

  • Getting Mac Address of Windows 7 Machine

    Hi all,
    Our application used to gather the MAC address of the client machine. For this purpose, I was using the Java bean (ClientInfos.fmb) to get the information. It used to work fine while
    the OS was Windows XP. As soon as Windows 7 came, the application/Java bean could not collect the MAC address.
    Pls let me know if there is any working for this problem.
    Even if there is any other alternative, I would love to adopt.
    One of the solution, I was thinking that to run a client_host command using webutil, write the output in a notepad. Get the mac address from the notepad.
    If it is possible, give me some clue,so that i can fight it down.
    Thanks & Regards,
    Alok Dubey

    There are likely several ways to accomplish this. You will need a custom java bean or webutil. WebUtil does not have a built-in function that can do what you want, but it will give you access to the system and/or registry. The problem with which you are faced is that some machines may have more than one net adapter and therefore more than one mac. Anyway.... you can use the CLIENT_HOST command to execute this Windows command:
    GETMAC
    You can also execute GETMAC /NH and the data will be displayed without the column headers. If you write this info to a temp text file on the client, you can then read it with CLIENT_TEXT_IO. Use the pl/sql substr function to extract whatever part of the info you want to use.
    More info about the above command can be found on the MS website here:
    http://technet.microsoft.com/en-us/library/bb490913.aspx

  • Where can I find the MAC address on ATV3?

    My internet provider is requesting the MAC address of the Apple TV 3 I'm trying to hook up.   It is not plainly listed anywhere.  Is there another name for this address?  Where can I find it?
    Thanks,
           Pterodroma

    There will be two MAC addresses.
    One for wi-fi and one for ethernet.
    It should be listed under Settings>General>About, depending on which you are using.
    If you have ethernet cable plugged in wifi is disabled so it should be the ethernet address.  If ethernet unplugged it should give the wifi Mac address.
    Apple used to put the MAC address on the product box, but for some daft reason had not done so with either the latest iPad or AppleTV3.
    Send feedback:
    http://www.apple.com/feedback/appletv.html

  • Controller detected its ip address by machine with MAC Address

    Hi
    I am getting the error "Controller detected its ip address x.x.x.x using my machine with MAC address xx:xx:xx:xx:xx:xx" when I upgrade my Cisco Wireless Controller 5508 from 7.0.116.0 to 7.4.110.0. Any suggestions?
    Regards

    Hi Mohammed,
    Do you have more than one controller?
    Could be:
    1. Error suggests that it has detected a duplicate address (its management IP address of the WLC) is in use by a client with the MAC address xx:xx:xx:xx:xx:xx.
    Please check the management interface IP on each controller.
    2. Looks like you enabled LAG on the controller?
    That means you have connected more than one port from your controller to different switches.
    regards

  • Change source mac address in real-time

    How can I send an Ethernet packet with a fake source MAC address, or use more than one MAC address on one physical interface (probably by using some DLPI message)?

    Hi,
    The mac address of a machine can be changed with command #ethers or ether check up with the 1 given by u . # ether

  • Finding the MAC address?

    I need to assign fixed IPs to several computers on my mixed ethernet/wireless network. I notice that there are MANY MAC addresses on any given computer when examined by the profiler. Which profiler MAC address is the correct one to use?

    For devices connected by Ethernet, you would want to use the Built-in Ethernet Hardware (MAC) Address; for devices connected by AirPort, you would want to use the AirPort Hardware (MAC) Address as listed in the Systems Profiler.

  • Blocking all MAC addresses except for the ones you allow

    I have a Cisco Aironet 1200 Access Point. I want to block all MAC addresses from accessing the access point, except for the ones I've allowed. First I went to the Address Filters page and clicked on Allowed, then listed all the MAC address I want to be able to access the access point. Then I went to the Ethernet Advanced page, and set the Default Multicast Address Filter to Disallowed, and the Default Unicast Address Filter to Disallowed. Then I went to the AP Radio: Internal Advanced page, clicked on the Advanced Primary SSID Setup link, and set the Default Unicast Address Filter to Disallowed. Accept Authentication Type is set to Open with Shared and Network-EAP cleared, and the Require EAP check boxes are all cleared.
    When using a computer whose MAC address is not listed on the Address Filters page, I am still able to connect to the network through the access point. I am also able to connect to the access point from any pc on my network by entering its IP address in Internet Explorer.
    What do I need to do to block any pc without a listed MAC address from connecting to the access point?
    Thanks, Jeff

    Here's the instructions and URL on how to create an MAC based filter:
    Follow these steps to create a MAC address filter:
    Step 1 Follow the link path to the Address Filters page.
    Step 2 Type a destination MAC address in the New MAC Address Filter: Dest
    MAC Address field. You can type the address with colons separating the character pairs
    (00:40:96:12:34:56, for example) or without any intervening characters (004096123456, for example).
    Note If you plan to disallow traffic to all MAC addresses except
    those you specify as allowed, put your own MAC address in the list of allowed MAC
    addresses. If you plan to disallow multicast traffic, add the broadcast MAC address
    (ffffffffffff) to the list of allowed addresses.
    Step 3 Click Allowed to pass traffic to the MAC address or click Disallowed
    to discard traffic to the MAC address.
    Step 4 Click Add. The MAC address appears in the Existing MAC Address
    Filters list. To remove the MAC address from the list, select it and click Remove.
    Step 5 Click OK. You return automatically to the Setup page.
    Step 6 Click Advanced in the AP Radio row of the Network Ports section at
    the bottom of the Setup page for the radio you want to configure. The AP Radio Advanced page appears.

  • Configuring Virtual MAC Addresses on ASA

    Hello,
    I configure the virtual MAC address for a interface on ASA 5520, will enter the following command on the active unit:
       failover mac address Inside 0012.3456.789a 0023.4567.89ab
    The active MAC address is of the same as the Inside's burned-in MAC address of the active unit.
    Similarly, the standby MAC address is of the same as the Inside's burned-in MAC address of the standby unit.
    Do I get the effect of failover mac address command?
    Thank you for your cooperation in advance.

    Hi Bro
    That’s fine really. There’s nothing wrong if you’ve configured the active MAC address the same as the Inside's burned-in MAC address of the active unit.
    In an Active/Standby failover, the MAC addresses for the primary unit are always associated with the active IP addresses. If the secondary unit boots first and becomes active, it uses the burned-in MAC address for its interfaces. When the primary unit comes online, the secondary unit obtains the MAC addresses from the primary unit. The change can disrupt network traffic.
    You can configure virtual MAC addresses for each interface to ensure that the secondary unit uses the correct MAC addresses when it is the active unit, even if it comes online before the primary unit. If you do not specify virtual MAC addresses the failover pair uses the burned-in NIC addresses as the MAC addresses.
    P/S: If you think this comment is useful, please do rate them nicely :-)

  • IP address Conflict with Mac Address

    I have a Windows server domain within which I have four Mac users; three of them are using the latest version of Leopard and all of them are having the same problem. This has happened three times (twice since I have worked here) and I have not seen any real resolution to the problem. The error I get, "IP xxx.xxx.xxx.xxx is in use by the following mac address", happens for no apparent reason. I know very well that the IP address is not in use, and what's more, the MAC address that is said to be in conflict, bound to the four different IP addresses, is the same on all four computers. This does not make any sense: how can different IP addresses be in conflict with a device that is said to use the same MAC address?
    I have identified that the mac address is given to a trunk port on one of my cisco switches. I know the switch does not conflict with the IP addresses.

    is in the same path:
    /System/Library/SystemConfiguration/IPConfiguration.bundle/Resources/IPConfiguration.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>ARPDetectCount</key>
    <integer>3</integer>
    <key>ARPDetectRetryTimeSeconds</key>
    <real>0.015</real>
    <key>ARPGratuitousCount</key>
    <integer>1</integer>
    <key>ARPProbeCount</key>
    <integer>3</integer> <!-- YOU NEED TO CHANGE IT -->
    <key>ARPRetryTimeSeconds</key>
    <real>0.4</real>
    <key>DHCPAcceptsBOOTP</key>
    <false/>
    <key>DHCPAllocateLinkLocalAtRetryCount</key>
    <integer>2</integer>
    <key>DHCPDefendIPAddressCount</key>
    <integer>3</integer>
    <key>DHCPDefendIPAddressIntervalSeconds</key>
    <integer>30</integer>
    <key>DHCPFailureConfiguresLinkLocal</key>
    <true/>
    <key>DHCPInitRebootRetryCount</key>
    <integer>2</integer>
    <key>DHCPLocalHostNameLengthMax</key>
    <integer>15</integer>
    <key>DHCPRequestedParameterList</key>
    <array>
    <integer>1</integer>
    <integer>3</integer>
    <integer>6</integer>
    <integer>15</integer>
    <integer>119</integer>
    <integer>95</integer>
    <integer>252</integer>
    <integer>44</integer>
    <integer>46</integer>
    <integer>47</integer>
    </array>
    <key>DHCPRouterARPAtRetryCount</key>
    <integer>0</integer>
    <key>DHCPSelectRetryCount</key>
    <integer>3</integer>
    <key>DHCPSuccessDeconfiguresLinkLocal</key>
    <true/>
    <key>DiscoverAndPublishRouterMACAddress</key>
    <true/>
    <key>DiscoverRouterMACAddressTimeSeconds</key>
    <integer>60</integer>
    <key>GatherTimeSeconds</key>
    <integer>1</integer>
    <key>InitialRetryTimeSeconds</key>
    <integer>1</integer>
    <key>LinkInactiveWaitTimeSeconds</key>
    <integer>4</integer>
    <key>MaximumRetryTimeSeconds</key>
    <integer>8</integer>
    <key>MustBroadcast</key>
    <false/>
    <key>RetryCount</key>
    <integer>9</integer>
    <key>RouterARPEnabled</key>
    <true/>
    <key>RouterARPExcludedSSIDs</key>
    <array>
    <string>tmobile</string>
    </array>
    <key>Verbose</key>
    <false/>
    </dict>
    </plist>
    Message was edited by: Federico_82
