Wifi MAC authentication on ISE 1.3

Similar Messages

• Apple macosx machine authentication with ISE using EAP-TLS

  Hello,
  On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
  With windows machines all is working well. We are using computer authentication only.
  Now the problem is that we wish to do the same with MAC OSX machines.
  We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
  in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
  When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
  The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
  Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
  Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
  Thanks
  Gustavo Novais

  Additional information from the above question.
  I have the following setup;
  ACS 3.2(3) built 11 appliance
  -Cisco AP1200 wireless access point
  -Novell NDS to be used as an external database
  -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
  -Windows XP SP2 Client
  My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
  Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
  When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
  Please help...
  Thanks

• Wireless Guest and mac authentication

  Hi all,
  I want to setup a wifi guest network with mac based authentication.
  I already have the guest anchor controller and the remote wlc controller (and the mobility tunnel) up and running.
  However, i am uncertain where i have to program the mac addresses: on the remote wlc or on the guest controller ? (for local database mac)
  It seems my authentication only works if i program the mac address of the 'remote' wlc (the wlc holding the AP).
     This is a pitty, as i was hoping to centralise all "appoved" mac addresses on the guest controller and not on each individual wlc seperatly.
  Also, suppose i want a radius server to validate the mac address. Which controller is going to sent the radius request ? the wlc controller
  managing the AP or the guest anchor controller ?
  Does the remote wlc also need to be configured with "Layer2 security: none"+"mac authentication" (the same as the anchor controller) or can i put "Layer2:none" and put the anchor controller on "Layer2: none"+mac authentication ?
  regards,
  Geert

  Hi Geert,
  The rule is straightforward : layer 2 is handled by foreign WLC (one holding the AP) and layer 3 handled by the anchor (the guest).
  This means the anchor WLC handles the dhcp/ip address, it handles the web authentication etc ...
  But only the foreign WLC knows which AP the client is associated to, it's the only one to have layer 2 information so that's the one doing layer 2 authentication (wpa psk or mac filtering).
  The way to "centralize" for you would be to have the mac addresses on a radius server or to push the mac addresses on the controllers via WCS.
  Hope this clarifies,
  Nicolas
  ===
  Don't forget to rate answers that you find useful

• HT1203 i have tried this 6+ times to "How to share music between different accounts on a single computer" on my wifes mac and can not get it to work!! On my PC no problem but on the MAC it will not work, follow the instructions to the T but no go????

  i have tried this 6+ times to "How to share music between different accounts on a single computer" on my wifes mac and can not get it to work!! On my PC no problem but on the MAC it will not work, follow the instructions to the T but no go????

  It is almost as if the program does not exist on my computer. If I search for it, the only thing that comes up is the installer. I cannot find it anywhere despite the fact I have installed it numerous times, uninstalled it and conducted a fresh install, and the Adobe website checks says that it is installed.

• Authenticated on ISE 1.2 (as admin) against an external radius server

  Hello
  Our customer wants to be authenticated on ISE 1.2 (as admin) against an external radius server (like ACS not microsoft). How could i do that ?
  Is it possible while retaining internal admin users database in a sequence "external_radius or internal"
  thank you in advance.
  Best regards

  External authentication is supported only with internal authorization:
  External Authentication + Internal Authorization
  When configuring Cisco ISE to provide administrator authentication using an external RSA SecurID identity store, administrator credential authentication is performed by the RSA identity store. However, authorization (policy application) is still done according to the Cisco ISE internal database. In addition, there are two important factors to remember that are different from External Authentication + External Authorization:
  You do not need to specify any particular external administrator groups for the administrator.
  You must configure the same username in both the external identity store and the local Cisco ISE database.
  To create a new Cisco ISE administrator that authenticates via the external identity store, complete the following steps:
  Step 1 Choose Administration > System > Admin Access > Administrators > Local Administrators.
  The Administrators window appears, listing all existing locally defined administrators.
  Step 2 Follow the guidelines at Creating a New Cisco ISE Administrator to ensure that the administrator username on the external RSA identity store is also present in Cisco ISE. Be sure to click the External option under Password.
  Note Remember: you do not need to specify a password for this external administrator user ID, nor are you required to apply any specially configured external administrator group to the associated RBAC policy.
  Step 3 Click Save .

• I have mac book air os x 10.8.2  i create a photo library on iPhoto and i moved it to my time capsule disk now i try to access  library from my wife mac book running on mac os x 10.5.8 i always receive library locked on locked disk

  i have mac book air os x 10.8.2  i create a photo library on iPhoto and i moved it to my time capsule disk now i try to access  library from my wife mac book running on mac os x 10.5.8 i always receive library locked on locked disk

  Unless you can set the Time Capsule's drive to have it's ownership ignored
  you won't be able to use the library on the same volume as the Time Machine backups. 
  OT

• MAC Authentication does not work

  My MAC Authentication does not work.
  I have a ACS 3.0 server set. the MAC address is set in the user name field and in the password field.
  I can ping the ACS, I can ping my AP, I can ping my client.
  I don't want WEP and I don't want LEAP just MAC. So I set my authentication to "Open with MAC" My client has WEP set to NO WEP and authentication to OPEN
  I have the latest drivers for both AP and my 350 Client.
  I see that the client is associating and disassociating back and forth non stop. My AP log is full with the following message:
  Station 0009.7c9f.xxxx Authentication failed
  this is my config:
  version 12.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname GOM_1200IOS
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  server 10.1.2.197 auth-port 1812 acct-port 1812
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa group server radius wlccp_rad_infra
  aaa group server radius wlccp_rad_eap
  aaa group server radius wlccp_rad_leap
  aaa group server radius wlccp_rad_mac
  aaa group server radius wlccp_rad_any
  aaa group server radius wlccp_rad_acct
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authentication login wlccp_infra group wlccp_rad_infra
  aaa authentication login wlccp_eap_client group wlccp_rad_eap
  aaa authentication login wlccp_leap_client group wlccp_rad_leap
  aaa authentication login wlccp_mac_client group wlccp_rad_mac
  aaa authentication login wlccp_any_client group wlccp_rad_any
  aaa authorization exec default local
  aaa authorization ipmobile default group rad_pmip
  aaa accounting network acct_methods start-stop group rad_acct
  aaa accounting network wlccp_acct_client start-stop group wlccp_rad_acct
  aaa session-id common
  enable secret xxxxxx
  username Cisco password xxxx
  ip subnet-zero
  iapp standby timeout 5
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption key 1 size 40bit 7 9DF1C10BF11A transmit-key
  ssid GOM_1230
  authentication open mac-address mac_methods
  speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
  rts threshold 2312
  channel 2462
  station-role root
  no cdp enable
  dot1x reauth-period server
  dot1x client-timeout 600
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  no cdp enable
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 172.16.43.45 255.255.240.0
  no ip route-cache
  ip default-gateway 172.16.47.254
  ip http server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
  ip radius source-interface BVI1
  access-list 700 permit 000a.b74c.e8c9 0000.0000.0000
  access-list 700 permit 0009.7c9f.d6e0 0000.0000.0000
  access-list 700 permit 0006.25b1.2f79 0000.0000.0000
  access-list 700 permit 000a.b78b.2d19 0000.0000.0000
  access-list 700 permit 000b.5f6e.77c8 0000.0000.0000
  access-list 700 deny 0000.0000.0000 ffff.ffff.ffff
  access-list 701 deny 000b.5f6e.77c8 0000.0000.0000
  access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
  no cdp run
  snmp-server community GOM_AP1230 RO
  snmp-server enable traps tty
  radius-server local
  group AP1230
  user brazil nthash 7 1249523544595F517972017912677A3055325A25770B08770D5C5B4E4478087605 group AP1230
  radius-server host 10.1.2.197 auth-port 1812 acct-port 1812 key 7 00233C2B
  radius-server retransmit 3
  radius-server attribute 32 include-in-access-req format %h
  radius-server authorization permit missing Service-Type
  radius-server vsa send accounting
  bridge 1 route ip
  line con 0
  line vty 5 15
  end
  What is wrong?
  Thanks very much for your help.

  I figured out what was wrong so thank you for stopping by.
  I will publish the config for other people to see.
  Regards,

• Machine MAC authentication by ACS

  Hi,
  I have 1 AP 1240 & ACS 4.1 Solution Engine.
  I want to authenticate internal users by their MAC addresses (that is created into ACS database) after selecting appropriate SSID from the AP.
  Let me give you an idea of the setup & config:
  I have a DHCP server in the network from where users will get IP addresses.
  I have created 2 VLAN's in the switch & made the port as "Trunk" that is connected with AP. VLAN 1 as native VLAN (AP & ACS is asigned ip addresses of native vlan range) & VLAN 2 for Internal Users.
  Radio interfaces are mapped to the VLAN id & SSID is mapped with VLAn as well in AP.
  MAC addresses are confiured into ACS (without any space, comma, special character..the mac addreses are put manually in the ACS to avoid the generation of any phantom character).
  The problem is "USers are not getting IP addreses from the dhcp pool created in the switch" after selecting the SSID.
  Please ry to help me out in this...

  You can try to disable aironet extensions & enable the SSID as guest mode SSID. Also, try to change the datarates to enable. Else, configure MAC authentication and disable SSID as guest mode SSID.

• Mac authentication by IAS in WAP4410N

  I have a access point model WAP4410N , I want to configure for mac authentication by using MS IAS , but when I set MY SSID to radius in wireless connection control and try to connect to that SSID by a labtop I didn't get any logs in my IAS , anybody knows when this problem happened ? my methods for radius mac authentication is correct or not ?

  Did you define the AP as a client in the IAS?
  Steve
  Sent from Cisco Technical Support iPhone App

• Sg300 - 802.1x NPS - mac authentication not working

  I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
  Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
  My current port configuration on the SG300:
  interface fastethernet1
   dot1x guest-vlan enable
   dot1x max-req 1
   dot1x reauthentication
   dot1x timeout quiet-period 10
   dot1x authentication 802.1x mac
   dot1x radius-attributes vlan static
   dot1x port-control auto
   switchport mode access
  On the Windows NPS server there is following error to see:
  Authentication Details:
      Connection Request Policy Name:    Secure Wire
      Network Policy Name:        -
      Authentication Provider:        Windows
      Authentication Server:        myradius.local
      Authentication Type:        -
      EAP Type:            -
      Account Session Identifier:        30353030399999
      Reason Code:            1
      Reason:                An internal error occurred. Check the system event log for additional information.
  There is compared to the message from the 3850 the authentication type missing (PAP) and a not very helpful error message displayed...

  Still not working.
  I tried different settings and (also older) software versions on the SF302-08P.
  Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
  The NPS reports following error:
  Schannel:
  The following fatal alert was received: 40.
  EventID 36887
  If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
  ... is this a bug on the SF302-08P?

• Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

  Hi experts,
  I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
  i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
  Our company would like to enforce 'double authentication' on each staff machine (include those personal laptop/notebook). Each time the staff plugged into company's network, they will need to supply username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine is not match in ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
  ii. If it is possible, any reference that I can check on how to configure this?
  The reason why I need MAC authentication + 802.1x to be configured at ACS as most of our switches are not cisco based and only capable to support 802.1x.
  Hope anyone here could help me on this.
  Thanks very much,
  Daniel

  With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
  Specific info is here:
  <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
  Hope this helps,

• 802.1x: MAC Authentication Bypass

  Hey sorry for keeping bugging you guys...
  So I am configuring this Bypass thing on my 3750 switch. It works fine. It seems the switch will send a access request to the radius server (I use FreeRadius) with the username/password both as the MAC address of the deivce.
  However my dilema is that I have 200+ these devices. I can easily create a user group with MAC starting with 00a008 (which are the first 3 octets of the MAC addresses), however it's impossible to include each of the MAC address as the password!
  So my question is that whether there is a way to configure the switch use a static string as the password for all the devices using MAC Authentication Bypass?
  Thank you!!
  Difan

  Difan:
  I went through your post  and understand that you are in a process of configuring 802.1x with MAB in such way so that you use custom password (except Mac address) for all users OR shared password string that should be sent by the switch but this is not possible.
  Reason: Switch only send the device Mac address as the username and password. The user name should be the mac address of the client and the password should be same as username and this can't be change on cisco switches.
  I have also attached a document regarding MAB for your better understanding.
  This forum is only for you guys...keep bugging us
  HTH
  JK
  Pls rate helpful posts-

• Radius server web authentication using ISE

  Hi,
  Can anyone point me in the direction of a guide to implement radius server web authentication using ISE?
  I need this to be layer 3 Web Auth with all authentication requests coming from the wireless anchor controller, therefore don't think I can implement central web auth on ISE as detailed in the user guide as its layer 2 and auth requests come from the foreign controller.
  The following link explains "Radius Server Web Authentication" using ACS.  I need to find something similar for ISE - http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html  
  Thanks,

  Hi,
  Please check these:
  Central Web Authentication on the WLC and ISE Configuration Example
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
  Regards
  Dont forget to rate helpful posts

• Urgent 802.1x and MAC-Authentication Problem

  Hi all
  I want to deploy the mac- authentication in my network. and I have 3000 users. In the lab the authenticatoion for the machine takes:
  Vista : 15 - 20 seconds
  XP : 30 - 35 seconds
  Is there any way to reduce this time less than 10 seconds. My users count are 3000 will the time go bigger because of this.
  Please help me.
  Thanks and Best Regards
  amady

  With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
  Specific info is here:
  <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
  Hope this helps,

• VWLC and Mac Authentication

  Hello all
  WLC Appliance supports Local MAC Authentication, http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#conf
  Does Virtual WLC support this too?
  Thanks
  Franco

  Hello, Franco. 
  Have you checked the data sheet for the Cisco Virtual WLC's security Standards? Check this link: (http://cs.co/9007qz7W). 
  Are you planning to switch from a WLC appliance to a virtual?
  Kind regards.