Wireless MAC authentication server

Currently I am doing MAC auth in the AP, but since the number of clients is increasing I would like to install a central MAC auth server. What choices do I have, or is Cisco ACS the only option?

I'm looking for the same thing... I want to deploy a bunch of new Cisco AiroNet APs, but also have a considerable investment in Lucent/Agere/Wavelan AP-1000s that do RADIUS lookups for MAC addresses. I don't care about WEP key management... I just want to be able to use the same database (even if that means making a different view to format the MAC differently -- the wavelan wants it in xxxxxx-xxxxxx format) to authenticate MAC addresses from... Gave a quick look over documentation, but everything seems to be pushing towards the higher-level encryption/authentication stuff... Anyone out there done what I'm talking about?
Thanks,
-JDN
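
The format mismatch raised above (one AP wants xxxxxx-xxxxxx, while other devices quoted on this page send bare, hyphenated or dotted hex) can be handled by keeping one canonical MAC list and rendering it per device. This is an added example, not part of the original posts; the style names, function names and the choice of FreeRADIUS `users`-file output (MAC as both user name and password) are assumptions of the example.

```python
import re


def _group(h, n, sep):
    """Split 12 hex digits into groups of n joined by sep."""
    return sep.join(h[i:i + n] for i in range(0, 12, n))


# Renderings that appear in the threads on this page. The style names are
# labels chosen for this example, not vendor terminology.
FORMATS = {
    "bare": lambda h: h,                      # 004096a3e012
    "hyphen": lambda h: _group(h, 2, "-"),    # 00-40-96-a3-e0-12
    "dot4": lambda h: _group(h, 4, "."),      # 0201.0201.0201
    "hyphen4": lambda h: _group(h, 4, "-"),   # 0000-0000-0000
    "hyphen6": lambda h: _group(h, 6, "-"),   # xxxxxx-xxxxxx
}


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    hexdigits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits


def load_allowlist(entries):
    """Return (canonical set, rejected rows) so bad rows are reported, not lost."""
    good, bad = set(), []
    for entry in entries:
        try:
            good.add(normalize_mac(entry))
        except ValueError:
            bad.append(entry)
    return good, bad


def is_allowed(presented, canonical):
    """Check a User-Name or Calling-Station-Id value in any supported format."""
    try:
        return normalize_mac(presented) in canonical
    except ValueError:
        return False


def users_file_entries(canonical, style, upper=False):
    """Render one 'users'-file line per MAC in the format a given NAS sends."""
    lines = []
    for h in sorted(canonical):
        name = FORMATS[style](h)
        if upper:
            name = name.upper()
        lines.append(f'{name}\tCleartext-Password := "{name}"')
    return lines


# Constructed sample database: two MACs quoted on this page in mixed formats,
# one duplicate in a different format, and one malformed row.
SAMPLE_DB = ["00-40-96-A3-E0-12", "0201.0201.0201", "004096a3e012", "00:40:96:zz"]

if __name__ == "__main__":
    allow, rejected = load_allowlist(SAMPLE_DB)
    print("rejected rows:", rejected)
    for style in ("bare", "hyphen6"):
        print(f"# entries for a NAS that sends the '{style}' format")
        print("\n".join(users_file_entries(allow, style)))
    print("02-01-02-01-02-01 allowed:", is_allowed("02-01-02-01-02-01", allow))
```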

Similar Messages

  • Cisco aironet 1040: create wireless with wpa2 and mac authentication

    Hi,
    I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
    I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
    Can anyone help me? thanks

    ap#show configuration
    Using 2085 out of 32768 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid Svez
       authentication open mac-address mac_methods
       authentication key-management wpa version 2
    username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
    username 00907a0f2a55 autocommand exit
    username administrator privilege 15 password 7 033449040A0620425A0D15564F42
    username 0025d3db778b password 7 055B565D74481D0D1B52404A09
    username 0025d3db778b autocommand exit
    bridge irb
    interface Dot11Radio0
       no ip address
       no ip route-cache
       encryption mode ciphers tkip
       ssid Svez
       antenna gain 0
       station-role root
       world-mode legacy
       bridge-group 1
       bridge-group 1 subscriber-loop-control
       bridge-group 1 block-unknown-source
       no bridge-group 1 source-learning
       no bridge-group 1 unicast-flooding
       bridge-group 1 spanning-disabled
    interface GigabitEthernet0
       no ip address
       no ip route-cache
       duplex auto
       speed auto
       no keepalive
       bridge-group 1
       no bridge-group 1 source-learning
       bridge-group 1 spanning-disabled
    interface BVI1
       ip address dhcp client-id GigabitEthernet0
       no ip route-cache
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    ap#

  • How to do Server 2012 R2 Network Policy Server MAC Authentication without adding ad users?

    I have a Network Policy Server running on Server 2012 R2.  I have set it up to do certificate and PEAP authentication for our 802.1x wireless authentication
    and that works great.
    Now I want to add a policy to this server so I can also do MAC address authentication on our unauthenticated open wireless SSID so I can assign roles based on the
    MAC address.  I got our Aruba controller set up to send the MAC address to the RADIUS server, but the RADIUS server just denies access because I am not sure how to get it to use the msNPCallingStationID attribute.
    I have found several ways to do this, including adding Active Directory users for every single MAC address with the MAC address as the username and password.  I
    do not want to do that.  This is not an option.
    I have also found several posts about using ieee802Device.  I can't find a way to get that to work.
    I also found a suggestion to use msNPCallingStationID ad attribute.  I can easily set this for each user as their mac addresses but how do I configure the
    NPS server to use this attribute to authenticate this?
    If you have any other ideas on how to get MAC authentication to work, I would greatly appreciate it!
    Thank you for your assistance!

    Hi,
    I think you may have some misunderstanding about MAC address authorization. MAC address authorization is based on the MAC address of the network adapter installed in
    the access client computer. Like ANI authorization, MAC address authorization uses the Calling-Station-ID attribute instead of user name and password or certificate-based credentials to identify the user during the connection attempt.
    MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network
    Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names; therefore you need
    to add the MAC address as the computer user name and password.
    Using the MAC address as user name and password is a Cisco® switch requirement; about your switch device, please ask your hardware vendor.
    If you want to combine MAC address filtering and
    EAP authentication, you can refer to the following related article:
    Enhance your 802.1x deployment security with MAC filtering
    http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx
    More information:
    MAC Address Authorization
    http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx
    Authorization by User and Group
    http://technet.microsoft.com/en-us/library/dd197615(v=ws.10).aspx
    The similar thread:
    NPS: Override User-Name and User Identity Attribute
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/6dd983f9-973f-4d23-be0c-032d3a1592d0/nps-override-username-and-user-identity-attribute?forum=winserverNAP
    The related third party article:
    Configuring IEEE 802.1x Port-Based Authentication
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/sw8021x.html#wp1170569
    MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo
    Hope this helps.

  • Wireless user authentication detail at syslog server

    Hi Dear.  I configured a wireless network. I want to see my wireless user authentication details (IP address, username and, if possible, MAC address) at my syslog server. I did some configuration and the wireless controller sends something to my syslog server, but I need exactly the user authentication details.
    How do I do that? Please help me. Thank you very much.

    Hi dears. please help me

  • ACS Server MAC Authentication with Windows Database

    Has anyone setup an ACS Server 3.2 for MAC authentication using Windows as the authentication. The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.

    Here is the link for setting up MAC authentication using the CiscoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml

  • Cannot see Mac Mini Server from Internet: DynDNS alias gets thru cable modem to wireless router, not to the Mac Mini. How to configure?

    I want to make my Mac Mini Server (Lion) visible to the Internet from my home LAN. I have followed the Lion server install wizards and also set up a dynamic DNS at DynDNS.com.
    When I enter the Internet address with the proper alias from a web browser, I get dumped into the admin screen of the Linksys wireless router WRT300N. Hint: the WRT300N provides DHCP for the LAN, not the cable modem providing DHCP. The WRT300N has DDNS service set up. NAT and RIP are disabled. The Mac Mini DHCP is reserved.
    Suggestions? I could use the Motorola Surfboard SB6121 to provide DHCP but have hesitations.
    Point me to the right discussion/article and get me back on track, please.

    This sounds like a simple port forwarding issue, but I don't understand your LAN setup.
    The WRT300N has DDNS service set up. NAT and RIP are disabled.
    The chances are, you're running NAT somewhere in your network. If not the WRT then what? If it's your cable modem then you must have port forwarding configured on the cable modem, and that's where you need to focus - change the port forwarding to point to your Mac Mini's address rather than the WRT.
    HOWEVER, it is far more common to have the wireless router perform NAT and DHCP, which is why I question your setup.
    Not directly related, but:
    The Mac Mini DHCP is reserved
    Nix this. Your server should be configured manually, with a static IP address, not DHCP, even with a reservation in the DHCP server. The only advantage of DHCP is for dynamic hosts (hence the 'D' in 'DHCP') or if you expect to change your entire local subnet on any kind of frequent basis. The reality is that you can't just change the IP address of Mac OS X Server like this - there are too many dependencies, so it's better to set it manually, knowing that there's a cost (and pain) to change the server's address.

  • Wireless Guest and mac authentication

    Hi all,
    I want to setup a wifi guest network with mac based authentication.
    I already have the guest anchor controller and the remote wlc controller (and the mobility tunnel) up and running.
    However, i am uncertain where i have to program the mac addresses: on the remote wlc or on the guest controller ? (for local database mac)
    It seems my authentication only works if i program the mac address of the 'remote' wlc (the wlc holding the AP).
    This is a pity, as I was hoping to centralise all "approved" MAC addresses on the guest controller and not on each individual WLC separately.
    Also, suppose I want a RADIUS server to validate the MAC address. Which controller is going to send the RADIUS request? The WLC controller
    managing the AP or the guest anchor controller ?
    Does the remote wlc also need to be configured with "Layer2 security: none"+"mac authentication" (the same as the anchor controller) or can i put "Layer2:none" and put the anchor controller on "Layer2: none"+mac authentication ?
    regards,
    Geert

    Hi Geert,
    The rule is straightforward : layer 2 is handled by foreign WLC (one holding the AP) and layer 3 handled by the anchor (the guest).
    This means the anchor WLC handles the dhcp/ip address, it handles the web authentication etc ...
    But only the foreign WLC knows which AP the client is associated to, it's the only one to have layer 2 information so that's the one doing layer 2 authentication (wpa psk or mac filtering).
    The way to "centralize" for you would be to have the mac addresses on a radius server or to push the mac addresses on the controllers via WCS.
    Hope this clarifies,
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • MAC Authentication + Windows Server 2008 R2 Radius server

    Hello there,
    I have been trying to configure MAC authentication on Windows Server Network Policy Server, but with no success. Details of my configuration can be found below.
    I have firstly enabled the Mac Authentication on 3com switch 4400 model.
    enabling  -> Mac-authentication
    enabling authentication mode -> UsernameAsMacAddress
    configuring a domain - mac-authentication domain abc.local.
    I left the default Vlan (Vlan1)
    While on my DC, I created a user
    username: 00-00-00-00-00-00
    password: 00-00-00-00-00-00
    Lastly, on the NPS server, I configured the 802.1x wired configuration, and I configured the NAS (RADIUS client), which is the 3com switch.
    After completing the configuration, I turned on my computer and logged on to the domain abc\00-00-00-00-00-00 with the password. But there was no success when the computer tried to connect to the network looking for DHCP services to obtain an IP address.
    On the NPS event service, I got:
    User:
        Security ID: NULL SID
        Account Name: [email protected]
        Account Domain: abc
        Fully Qualified Account Name: abc\00-00-00-00-00-00
    Client Machine:
        Security ID: NULL SID
        Account Name:
        Fully Qualified Account Name:
        OS-Version:
        Called Station Identifier:
        Calling Station Identifier: 0000-0000-0000
    NAS:
        NAS IPv4 Address: xxx.xxx.xx.xx
        NAS IPv6 Address:
        NAS Identifier: 00aa00aa00aa
        NAS Port-Type: Ethernet
        NAS Port: 12345678
    RADIUS Client:
        Client Friendly Name: 3com
        Client IP Address: xxx.xxx.xx.xx
    Authentication Details:
        Connection Request Policy Name: NAP 802.1X (Wired) 2
        Network Policy Name:
        Authentication Provider: Windows
        Authentication Server: server.abc.local
        Authentication Type: PAP
        EAP Type:
        Account Session Identifier:
        Logging Results: Accounting information was written to the local log file.
        Reason Code: 16
        Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    All I could find was "Authentication failed" due to the reason that appeared in the reason code, but I am very sure that the name and the password are the same. I hope someone can help me out.
    Thanks.

    Hi,
    Thanks for your post.
    MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and
    password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names.
    For more detailed information about MAC Address Authorization, please refer to the below article. Hope it helps.
    MAC Address Authorization
    http://technet.microsoft.com/en-us/library/dd197535(WS.10).aspx
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support

  • Cisco 1941W configure mac authentication in wireless

    Dear all, 
        I would appreciate it if anyone knows how to configure MAC authentication on the 1941W router.
        Perhaps someone can show me an example of configuring MAC authentication on the 1941W router.

    Hi,
    Below is the configuration for mac authentication bypass on cisco 1900 router
    c1921> enable
    c1921# configure terminal
    c1921(conf)#interface gigabitethernet slot / port
    c1921(conf-if)# authentication port-control auto
    c1921(conf-if)# mab
    c1921(conf-if)# end
    You can verify using the below command:
    c1921#show authentication sessions 
    Interface  MAC Address     Method  Domain  Status         Session ID
    Gi0/1      0201.0201.0201  mab     DATA    Authz Success  0303030300000004002500A8
    c1921#show authentication sessions interface Gi0/1
     Interface: GigabitEthernet0/1
     MAC Address: 0201.0201.0201
     IP Address: Unknown
     User-Name: 02-01-02-01-02-01
     Status: Authz Success
    Domain: DATA
     Oper host mode: single-host
     Oper control dir: both
     Authorized By: Authentication Server
     Vlan Group: N/A
     AAA Policies: 
     Session timeout: N/A
     Idle timeout: N/A
     Common Session ID: 0303030300000004002500A8
     Acct Session ID: 0x00000007
     Handle: 0x3D000005
    Runnable methods list:
     Method State
     mab Authc Success
    For more details, refer to the link below:
    http://www.cisco.com/c/en/us/td/docs/routers/access/1900/software/configuration/guide/Software_Configuration/conf.pdf
    Thanks & Regards
    Sandeep

  • Failed to remove Authentication Server on Wireless LAN controller

    Cisco WLC 2500, software version: 7.6.100.0
    I tried to remove the decommissioned Authentication Server from WLC web GUI but got popup window saying:
    "Authentication Server could not be deleted as it is being used by either a WLAN ...."
    I double checked on GUI and configs (show run-config commands) and the Authentication Server was NOT used anywhere.
    Plus, I am unable to change the IP address so I can re-purpose it.
    Any resolution?

    1. Save the configuration.
    2. Upload the Configuration to a computer.
    3. Edit the Config file in a Notepad and remove the RADIUS server IP address.
    4. Save the new file (do not overwrite the backup; you may need it).
    5. Download the customized configuration file into the WLC.
    6. The WLC will automatically reboot.
    7. It will boot up with the new configuration file without the RADIUS server.

  • Is the Snow Leopard Mac Mini Server the right solution for my office?

    I'm the de facto "sysadmin" for my small office, which usually just means I set up the wireless, configure network printing, troubleshoot little issues with Mail and MS Office products.
    Currently, we have 4 employees all on iMacs. We share files through a slapped-together setup, where there is a public folder on our owner's iMac and we all share files there. There are a few problems with this:
    - If the owner's computer is off, no-one can get to the shared files.
    - The owner's computer has had some strange "permissions" issues so sometimes files in the "Public" shared folder end up being read-only, or "read & write" for "nobody".
    - A 5th employee telecommutes on an iMac, and can't access the shared folder or files.
    So, we're considering getting a Mac Mini Server to do file storage and sharing, both locally and with telecommuting employees (of which there may be more in the future).
    - Is this the best solution to our needs - really just file sharing, no web hosting or anything like that?
    - What level of access control / authentication can we do on the Server? For example, could we have a password protected folder on the server to restrict access?
    - Would we need to upgrade our standard DSL service if we want to share files on the server with folks not on the local network?
    - Am I biting off more than I can chew here, given that my technical knowledge is slim but I am the most computer-literate of anyone in the office, so I will need to trouble-shoot any issues that come up with the server?

    For your stated goal, network-attached storage (NAS) or an always-on Mac client would be a simpler solution. Either preferably with RAID, and with provisions and storage for periodic archives.
    A Mac OS X Server box is overkill. The Mac client boxes have 10-client sharing.
    If you want single-signon and shared directory services and mail and web and various of the other pieces and services that are available within, then you can grow into a Mac OS X Server box.
    A server is rather more to manage, regardless of what you choose. You're getting DNS and networking and other core pieces, minimally, and you're also responsible for many of the configuration settings and services and details that a client box receives from a server box. And you're definitely dealing with protections and such across multiple boxes.
    For some other perspectives, there are various previous discussions of this posted around the forums. A search that includes NAS should kick over a few of these; this is a typical low-end alternative to running a server.

  • Wireless Security & Authentication methods

    Hi,
    I've some experience on WLAN networks, but I would like to have your opinion on wireless security implementations.
    We have several sites where we have some Cisco Access points running IOS. We are currently doing WEP 128b, with Mac-Authentication against a central ACS Server.
    But having fixed WEP, and mac registrations is not very practical.
    Do you know about any method to have authentication against Active Directory (passing through the Cisco ACS), and Dynamic WEP Keys ?
    Any recommendation is welcome.
    Of course with this we would like to bring up our level of security.
    Thanks a lot for all,
    Best Regards,
    Jorge

    802.1x/EAP authentication is the most popular authentication method in wireless. The following documents explain how to configure EAP authentication.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml

  • Best way for wireless guest authentication

    Hi
    Can anyone tell me a good way to authenticate guest wireless in my workplace? We currently use MAC auth and usernames in the controller, which is not Cisco.
    What solutions are out there for this, i.e. something separate from the controller like a RADIUS or authentication server? We may want the guests to register themselves by providing their mobile number etc.
    Any ideas?

    When you want to provide guest authentication and then you want certain fields for the user to enter, guest access is best when there is a portal page. When you want guest to enter information like cell number etc, then you either need to find a 3rd party captive portal software, or external webauth server or if you have Cisco wlc, you use ISE.
    Your final requirements will determine what solution can or can't work.

  • 1130 WPA-PSK Radius Mac Authentication

    I am trying to get our Cisco 1130 AP's to use Radius MAC Authentication using a freeradius server. We have been successful with other AP's (Proxim, Netgear) but haven't been able to get the Cisco 1130 to work.
    I have attached 2 files. One is the running config, and the other is a debug of radius.
    This is what the freeradius log says.
    Thu Nov 6 02:48:46 2008 : Auth: Login OK: [004096a3e012/004096a3e012] (from client 10.80.0.17 port 291 cli 00-40-96-A3-E0-12)
    I would appreciate any help that anyone is willing to give.

    Use the wpa-psk SSID interface configuration command to configure a pre-shared key for use in WPA authenticated key management. To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must configure a pre-shared key for the SSID.
    wpa-psk { hex | ascii } [ 0 | 7 ] encryption-key
    But note that this command is not supported on bridges.

  • Mac mini Server as a gateway/router

    I'd like to make my Mac mini server my main gateway for my office.
    I'd like it to perform the following tasks:
    - DHCP & NAT for sharing an Internet connection
    - a wireless access point so that no AEBS or TC is necessary
    - VPN for access to the Daylite server that will be running on it as well as file sharing for remote users
    My goal here is to create a single Internet alliance that will prevent me from having to use a separate router and will provide secure remote access to the LAN.
    I have a Mac mini server and a USB Ethernet adapter. I connected the USB Ethernet adapter to the WAN which has a static IP. And the built in Ethernet to the gigabit switch for the LAN.
    So far, I have two problems:
    1) I can't seem to VPN in from remote despite my best efforts of setting this up with the gateway assistant.
    2) I have no idea on how I can use the built-in airport card to become a wireless access point for the wireless clients in the office. I chose the airport in the gateway assistant but wireless clients are on a different subnet and can't see the LAN resources.
    I'm interested in hearing other ideas and strategies on how to use the mms in this way. Is anyone else doing this? Everyone seems to want to use an AEBS or TC in addition to the mms and maybe I'm missing something but why would you need one?

    It wasn't so much the $50 that I was worried about... just the redundancy... having both an OS X Server AND an Airport Extreme (or third-party router) seemed like such a waste if the server could be made to do it all.
    So, at this point, I see two options:
    1) Put an AEBS on the gigabit switch (LAN) and turn off everything... essentially reducing it down to a wireless access point... and put it in Bridge mode so that wireless clients can see the wired LAN.
    2) Use the AEBS as my gateway and DMZ the server... turning off the gateway features (DNS, DHCP, NAT, etc...) on the server. This would remove the need for the USB Ethernet adapter but would I still be able to configure it as a VPN?
    Either one seems a shame. I was really hoping for a single-box solution to sell my clients.
    The other problem is still happening... for some reason, I can't connect to the VPN... it doesn't even seem to be getting to the authentication part. It simply says, "The Server is not responding". This is strange since other services for which I've forwarded specific ports seem to respond without issue. I assumed that all the necessary ports would be opened when I turned on the VPN feature... did I miss something?
