Wireless Guest and mac authentication
Hi all,
I want to setup a wifi guest network with mac based authentication.
I already have the guest anchor controller and the remote wlc controller (and the mobility tunnel) up and running.
However, i am uncertain where i have to program the mac addresses: on the remote wlc or on the guest controller ? (for local database mac)
It seems my authentication only works if i program the mac address of the 'remote' wlc (the wlc holding the AP).
This is a pitty, as i was hoping to centralise all "appoved" mac addresses on the guest controller and not on each individual wlc seperatly.
Also, suppose i want a radius server to validate the mac address. Which controller is going to sent the radius request ? the wlc controller
managing the AP or the guest anchor controller ?
Does the remote wlc also need to be configured with "Layer2 security: none"+"mac authentication" (the same as the anchor controller) or can i put "Layer2:none" and put the anchor controller on "Layer2: none"+mac authentication ?
regards,
Geert
Hi Geert,
The rule is straightforward : layer 2 is handled by foreign WLC (one holding the AP) and layer 3 handled by the anchor (the guest).
This means the anchor WLC handles the dhcp/ip address, it handles the web authentication etc ...
But only the foreign WLC knows which AP the client is associated to, it's the only one to have layer 2 information so that's the one doing layer 2 authentication (wpa psk or mac filtering).
The way to "centralize" for you would be to have the mac addresses on a radius server or to push the mac addresses on the controllers via WCS.
Hope this clarifies,
Nicolas
===
Don't forget to rate answers that you find useful
Similar Messages
-
Wireless Guest Users once authenticated, are able to connect again after disconnection
Wireless Guest Users once authenticated, are able to connect again after disconnection .Clients should not able to connect after the restart or by disabling and enabling the WIFI adapter. But as of now clients are connecting to network . How we can configure this feature in WLC ?
IIRC, if your reboot, disable the adapter or disconnect from the wireless, as long as the session timer or the idle timer does not timeout, then you are still considered as authenticated. If you logout, the wlc logs you off and you will have to log back in. The wierd thing is with iPhones or iPads, they go to sleep mode and you have to log back in to access the guest network. The workaround was to increase the idle timers to a certain acceptable limit to prevent this from happening.
If you disconnect from the guest SSID and leave your client off the network until the idle timer expires, do you get prompted for a login or do you have access again?
Sent from Cisco Technical Support iPhone App -
I am currently using WPA2-spk. I want to add another layer of security. I know I could do EAP. I am also looking at mac authentication. But I want to host the mac list on an ACS server. Setting the the mac addresses on the ACS server is pretty cut and dry, but how can I configure the ap to look to the ACS server for its mac list? And, how can I get WPA-spk and mac authentication to work together?
Hi Jared,
you can do this by setup the following:
Webinterface:
1. Securtiy -> Server Manager
Setup the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
2. Securtiy -> Advanced Securtiy
In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
IOS Interface from config mode:
aaa group server radius rad_mac
server 10.20.40.37 auth-port 1645 acct-port 1646
and
aaa authentication login mac_methods group rad_mac
or
aaa authentication login mac_methods group rad_mac local (for local fallback)
I have not tested this, cause the MAC of the supplicants is to easy to sniff and any medium skilled person may used a sniffed MAC to enter the first authentication stage!
Better use a setup with EAP-FAST or PEAP!
I hope that helps.
Best regards,
Frank
I hope that helps. -
Hi, I´m having some trouble to authenticate the users with EAP and MAC authentication, i´m using IAS server and the EAP authentication is working well, but when I configure the MAC and EAP authentication, it doesn´t connect to the clients.
Any idea how can I solve this problem??
ThanskI think MAC authentication is not supported in IAS , you can do MAC address filtering on AP
-
Cisco aironet 1040: create wireless with wpa2 and mac authentication
Hi,
I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
Can anyone help me? thanks
Hi,
I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
Can anyone help me? thanksap#show configuration
Using 2085 out of 32768 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 ssid Svez
authentication open mac-address mac_methods
authentication key-management wpa version 2
username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
username 00907a0f2a55 autocommand exit
username administrator privilege 15 password 7 033449040A0620425A0D15564F42
username 0025d3db778b password 7 055B565D74481D0D1B52404A09
username 0025d3db778b autocommand exit
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid Svez
antenna gain 0
station-role root
world-mode legacy
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
end
ap# -
WLC Flexconnect with AAA and MAC authentication
hi,
i am having cisco WLC with 7.4.121 version and i am having remote side access points to be connected to this controller and remote access point will have different vlan on the remote side itself.
my question is i am having Radius authentication for the clients who are all connecting from all the access points and MAC filtering also.
My radius server is placed in the HQ where we have WLC. which method of flexconnect switchign will give be both AAA and MAc filter options to be working.
one more question,
is it possible to make each AP seperate MAC filters On the WLC.
thanks
cyrilIf you are planning on doing machine authentication i.e authentication of machine with username password by the AAA server at then this is possible using flexconnect local switching enabled provided you have your AAA server accessible via the local VLAN at the remote site.
In case you are planning on doing mac-filtering using WLC and username/password authentication using AAA server then this cannot be achieved when you enable Flexconnect local switching as you do not get an option to configure the mac-filtering on Flex-connect groups.Hence you would need to use central authentication.
Actually the best option for you is that you either deploy a local site AAA server and do both the authentications via your radius server or use Central authentication with Flexconnect APs incase this is not feasible.
Hope this clears you doubts!!!
Note: Please do not forget to rate and accept as solution incase the post is valid. -
Enabling 802.1x and MAC Authentication Bypass on ACS 4.2
Hi experts,
I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
Our company would like to enforce 'double authentication' on each staff machine (include those personal laptop/notebook). Each time the staff plugged into company's network, they will need to supply username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine is not match in ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
ii. If it is possible, any reference that I can check on how to configure this?
The reason why I need MAC authentication + 802.1x to be configured at ACS as most of our switches are not cisco based and only capable to support 802.1x.
Hope anyone here could help me on this.
Thanks very much,
DanielWith ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
Urgent 802.1x and MAC-Authentication Problem
Hi all
I want to deploy the mac- authentication in my network. and I have 3000 users. In the lab the authenticatoion for the machine takes:
Vista : 15 - 20 seconds
XP : 30 - 35 seconds
Is there any way to reduce this time less than 10 seconds. My users count are 3000 will the time go bigger because of this.
Please help me.
Thanks and Best Regards
amadyWith ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
Hello all
WLC Appliance supports Local MAC Authentication, http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#conf
Does Virtual WLC support this too?
Thanks
FrancoHello, Franco.
Have you checked the data sheet for the Cisco Virtual WLC's security Standards? Check this link: (http://cs.co/9007qz7W).
Are you planning to switch from a WLC appliance to a virtual?
Kind regards. -
Wireless guest and HTTPS sites issue
Dear all,
I'm experiencing an issue with wireless guest, when accessing a site with https, the traffic is not intercepted by my controller, http sites are intercepted without any issue, I've found a document where this issue is mentioned as bug ID CSCar04580
http://cisco.biz/application/pdf/paws/108501/webauth-tshoot.pdf
could you please let me know what the fix is?
Thanks,Thanks for the feedback, however I've added the 443 port and the traffic
is still not redirected.
AP Fallback ................................ Enable
Web Auth Redirect Ports .................... 80,443
Fast SSID Change ........................... Disabled
802.3 Bridging ............................. Disable
Any other suggestion?
Thanks,
Aziz -
Are the apple wireless keyboards and mac book pro keyboards the same size?
Are the apple wireless keyboards and the mac book pro keyboards the same size? I have the most current wireless keyboard and I use it with my iPad. Thanks in advance
I took it to the same shop where i purchased they sent it to the apple
service centre and it is a week and no one informed me abt the problem
or the action on it.
We are mainly just users to users here, and sometimes a Apple folk will respond, but it's just a direction to a Apple support document, no service or account issues are handled here.
Will they replace the mac book pro as it is still in warranty
We don't know what Apple will decide to do in your case, the best source of information is the shop you brought it to.
They might be in the process of fixing it, or they might be deciding they need to keep your machine for investigation.
Apple will take care of you, make sure you buy AppleCare and a external drive for TimeMachine if you haven't already. -
Mail setup and .mac authentication
Baffled… I have been trying to setup my Mail account. I have an active .Mac account which I can access via the internet, so I know it works. I am trying to use Mail as my automatic mail for sending Aperture photos and iWeb announcements.
In going through the setup procedures in Mail I enter all the required information and the application tries to authenticate my .Mac account… it spins and spins… then an error message is received indicating “failure to connect to .Mac”. I have verified my settings with a friend who uses the same ISP, Mail and .Mac and all our settings are the same.
Is this a keychain issue, do I need to reset permissions?
Why can I access my .Mac account through Safari yet the computer can’t do it automatically?
Thanks for anyone’s assistance.So you get mail from your .Mac account not via IMAP,
but via POP3? Or what do you mean by "as for IMAP I
am not using that"?
And no, I did not talk about pinging the server
(which just sends ICMP echo requests), but about
trying to connect to the server using telnet. That's
a real big difference.
I only get mail via the web ~ Safari ~ Yahoo... .mac mail can be received and used onlt as a web application, Mial does not connect via .mac.
The problem is .Mac authentifcation when setting up a new Mail account, error message says can not verify/connect to .Mac server, yet I can access .Mac via the internet.
IMAP ~ in my system preferences for Accounts/Advanced I do not sync to any IMAP mailbox and the greyed out port is 143 nad SSL is not checked.
Terminal ~ yes it logged in, sorry if I used the wrong term "ping"... so yes it did connect. -
All,
The design guide specifies the following limitation: "As designed, 4400 series controllers do not forward IP subnet broadcasts from the wired network to wireless clients across the EoIP guest tunnel."
Does this mean that i cannot initiate a connection from a wired PC (or the default gateway) to a wireless PC (even after is has authenticated ?) because arp
would be unable to resolve or find the mac address of the wireless PC (ARP REQUEST broadcast will fail because it is not broadcast to the remote wireless client, if i read this limitation correctly)The feature works for clients on the same controller at all times...meaning no inter-controller roaming.
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn421760.html#wp234085 -
SLES 11 and MAC Authentication using FreeRADIUS
This is our first attempt at this. Not sure if this is the correct forum. We have a SLES 11 server. We are running FreeRadius FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu. We are testing just one Cisco WAP 4410N with a Lenovo laptop. All of our WAPs are Cisco 4410N. This is our first attempt at a Radius server. We are attempting to have users authenticate to our wireless network only by using their devices MAC address. This is for a Bring Your Own Device program for our school district. This program would allow students and teachers to bring their personal devices to school and attach to our network. We cannot install anything on their devices and need control over what devices connect. Once connected they would be subject to our Internet filter applicance.
We have been following the website http://wiki.freeradius.org/Mac-Auth#Plain+Mac-Auth.
We have made all the adjustments suggested in the website. We have created the file authorized_macs. At this time we have only one MAC address in this file. In our clients.conf file we have entered the following:
client 10.0.9.77 {
secret = xxxxxxxx
shortname = 10.0.9.77
nastype = cisco
This is the IP address of our WAP. We have configured the WAP under the Wireless section:
Basic Setting SSID = RADIUS TEST SSID broadcast enabled
Security currently disabled
Connection Control set to RADIUS with the IP address of the server and the secret question.
On the server in a terminal session we run /usr/sbin/radiusd -X. Which executes without any errors. When the laptop attempt to connect it times out and no meesage appear in the terminal session on the server. Obviously the laptop is not connected.
We have also attempted to connect by adding the following to the clients.conf file with no luck.
client 10.0.8.0/21 {
secret = xxxxxxx
shortname = KAHS
Any guidance would be greatly appreciated.Originally Posted by jdelucaka
This is our first attempt at this. Not sure if this is the correct forum. We have a SLES 11 server. We are running FreeRadius FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu. We are testing just one Cisco WAP 4410N with a Lenovo laptop. All of our WAPs are Cisco 4410N. This is our first attempt at a Radius server. We are attempting to have users authenticate to our wireless network only by using their devices MAC address. This is for a Bring Your Own Device program for our school district. This program would allow students and teachers to bring their personal devices to school and attach to our network. We cannot install anything on their devices and need control over what devices connect. Once connected they would be subject to our Internet filter applicance.
We have been following the website Mac Auth.
We have made all the adjustments suggested in the website. We have created the file authorized_macs. At this time we have only one MAC address in this file. In our clients.conf file we have entered the following:
client 10.0.9.77 {
secret = xxxxxxxx
shortname = 10.0.9.77
nastype = cisco
This is the IP address of our WAP. We have configured the WAP under the Wireless section:
Basic Setting SSID = RADIUS TEST SSID broadcast enabled
Security currently disabled
Connection Control set to RADIUS with the IP address of the server and the secret question.
On the server in a terminal session we run /usr/sbin/radiusd -X. Which executes without any errors. When the laptop attempt to connect it times out and no meesage appear in the terminal session on the server. Obviously the laptop is not connected.
We have also attempted to connect by adding the following to the clients.conf file with no luck.
client 10.0.8.0/21 {
secret = xxxxxxx
shortname = KAHS
Any guidance would be greatly appreciated.
And your windows machine is set to: Authenticate as computer when computer information is available?
Microsoft Corporation
Thomas -
E4200 Wireless Guest and WEP connects, other security settings do not
I have E4200 with fixed ip 192.168.1.2, DHCP off connected through LAN ports to FIOS ActionTec as 192.168.1.1. When connecting through wireless network off the E4200, I can obtain and connect fine under Guest network and WEP security, but for any other security setting, WPA, WPA2, Mixed mode, etc. I get the message "Aquiring network address" forever, and I never get a connection. How do I troubleshoot?
Is your FIOS ActionTec wired or wireless modem/router…. From where you are receiving the wireless signals to connect… Which operating System that you are running on the computer? It happens only to a specific computer or it happens to all the computers connected in the network?
Maybe you are looking for
-
Bad memory modules or motherboard??
I rearranged the cables in my case and now I'm not able to boot using dual channel memory configuration. It worked before just fine! I've got two 512MB twinmos twister pc3500 modules. D-bracket indicates bad memory module if I try to setup dual chann
-
IIS Site Hosted in Web Role can not start up
Hello Team, We occured a problem when deploying application to web role the WaIISHost can not start up and there are two error information in event log : Application: WaIISHost.exe Framework Version: v4.0.30319 Description: The process was terminate
-
How can i buy an unlock iphone 5? Please help
How I can buy an unlock iphone 5 in US?. I heard that Apple let people pre-ordered unlock iphone 5. But after 1 hour, they took it down. So what I see right now is only pre-order for the phone with contract
-
Hi all, In my jee web app, I used href="/pages/jsp/emailToSms/sendSms.jsp" but while I run the program it shows that http://localhost:8080/EmailToSMS/pages/jsp/emailToSms/pages/jsp/emailToSms/sendSms.jsp. My project name is EmailToSMS and folder stru
-
Hi, I am trying to use Facelets with ADF but unable to get the desired output i.e. the Facelet regions are not working as desired. My Jdeveloper version is: 10.1.3.0.4(SU4) Please help me out as early as possible. Thank You.