Wireless MAC authentication server
Currently I am doing MAC auth in the AP, but since the number of clients is increasing I would like to install a central MAC auth server. What choices do I have, or is Cisco ACS the only option?
I'm looking for the same thing... I want to deploy a bunch of new Cisco Aironet APs, but I also have a considerable investment in Lucent/Agere/WaveLAN AP-1000s that do RADIUS lookups for MAC addresses. I don't care about WEP key management... I just want to be able to use the same database (even if that means making a different view to format the MAC differently -- the WaveLAN wants it in xxxxxx-xxxxxx format) to authenticate MAC addresses from... I gave a quick look over the documentation, but everything seems to be pushing towards the higher-level encryption/authentication stuff... Has anyone out there done what I'm talking about?
Thanks,
-JDN
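As an added example (not part of the original thread): keeping one canonical MAC list and rendering it per NAS is a small script job, so the "different view" JDN mentions does not need a second database. The Python below normalizes any spelling of a MAC, renders the Cisco, dashed (3Com-style), WaveLAN xxxxxx-xxxxxx and dotted forms, and emits FreeRADIUS "users" entries that also bind each entry to the Calling-Station-Id the NAS reports. The MAC values come from the configs and logs posted further down this page; the WaveLAN password spelling and the uppercase-dash Calling-Station-Id are assumptions to confirm against what each AP actually sends.

```python
"""One canonical MAC allow-list, rendered per vendor/NAS format (added example)."""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonical form: 12 lowercase hex digits, no separators.

    Accepts the spellings seen on this page (00-40-96-A3-E0-12, 00:40:96:a3:e0:12,
    0040.96a3.e012, 004096-a3e012, 004096a3e012) and rejects anything else, so a
    typo in the source list cannot silently turn into a new "allowed" station.
    """
    hex_only = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(hex_only):
        raise ValueError(f"not a MAC address: {raw!r}")
    return hex_only


def _pairs(mac: str, sep: str) -> str:
    return sep.join(mac[i:i + 2] for i in range(0, 12, 2))


# Renderers for the formats mentioned in the threads on this page.
STYLES = {
    "cisco": lambda m: m,                              # Cisco IOS AP / ACS user name: 004096a3e012
    "dash": lambda m: _pairs(m, "-"),                  # 3Com 4400 UsernameAsMacAddress: 00-40-96-a3-e0-12
    "DASH": lambda m: _pairs(m, "-").upper(),          # Calling-Station-Id as a Cisco AP sends it (assumed)
    "colon": lambda m: _pairs(m, ":"),                 # 00:40:96:a3:e0:12
    "wavelan": lambda m: f"{m[:6]}-{m[6:]}",           # Lucent/Agere AP-1000: 004096-a3e012 (assumed spelling)
    "dotted": lambda m: f"{m[:4]}.{m[4:8]}.{m[8:]}",   # IOS "show" output: 0040.96a3.e012
}


def format_mac(raw: str, style: str) -> str:
    """Render any spelling of a MAC in the requested style."""
    return STYLES[style](normalize_mac(raw))


def freeradius_users_entries(macs, user_style="cisco", csid_style="DASH") -> str:
    """Render FreeRADIUS 'users' file entries for MAC authentication.

    A MAC-authenticating NAS sends User-Name = MAC and User-Password = MAC (PAP),
    so each entry carries Cleartext-Password := MAC in that NAS's spelling. The
    Calling-Station-Id check item ties the entry to the station the NAS actually
    saw, so typing a listed MAC as user name/password from another station is
    not enough. Both spellings are assumptions about the NAS; confirm them in a
    packet capture or in the FreeRADIUS auth log before relying on them.
    """
    lines = []
    for mac in sorted({normalize_mac(m) for m in macs}):   # de-duplicated, stable order
        user = STYLES[user_style](mac)
        csid = STYLES[csid_style](mac)
        lines.append(f'{user}\tCleartext-Password := "{user}", Calling-Station-Id == "{csid}"')
        lines.append('\tReply-Message = "MAC authentication accepted"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed allow-list, deliberately in mixed spellings (MACs taken from configs/logs on this page).
    allow = ["00-40-96-A3-E0-12", "0025.d3db.778b", "00907a0f2a55", "00:40:96:a3:e0:12"]
    print(freeradius_users_entries(allow))                        # view for Cisco IOS APs / ACS
    print(freeradius_users_entries(allow, user_style="wavelan"))  # view for the WaveLAN AP-1000s
```

Run it as-is to see the two "views" of the same list; feed the output into a FreeRADIUS users file (or a script that writes one) and keep the mixed-spelling source list as the single place where MACs are added or revoked.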
Similar Messages
-
Cisco Aironet 1040: create wireless with WPA2 and MAC authentication
Hi,
I created a wireless network with "Open Authentication" and set a WPA2 key: everything works.
I would also like to add the MAC address filter, so next to Open Authentication I selected "with MAC authentication", but I cannot connect. The list of MACs is specified under "Advanced Security".
Can anyone help me? thanks
ap#show configuration
Using 2085 out of 32768 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
! MAC authentication is checked against the local username list below, not against RADIUS
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 ssid Svez
authentication open mac-address mac_methods
authentication key-management wpa version 2
! note: no "wpa-psk ascii ..." line appears under this SSID in the pasted output;
! WPA2 key management with open/MAC authentication needs one (it may have been stripped when posting)
username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
username 00907a0f2a55 autocommand exit
! type 7 (service password-encryption) is reversible: harmless for the MAC "passwords" above,
! but use "username administrator privilege 15 secret ..." for the admin account
username administrator privilege 15 password 7 033449040A0620425A0D15564F42
username 0025d3db778b password 7 055B565D74481D0D1B52404A09
username 0025d3db778b autocommand exit
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid Svez
antenna gain 0
station-role root
world-mode legacy
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
end
ap#
-
How to do Server 2012 R2 Network Policy Server MAC Authentication without adding AD users?
I have a Network Policy Server running on Server 2012 R2. I have set it up to do certificate and PEAP authentication for our 802.1X wireless authentication, and that works great.
Now I want to add a policy to this server so I can also do MAC address authentication on our unauthenticated open wireless SSID, so I can assign roles based on the MAC address. I got our Aruba controller set up to send the MAC address to the RADIUS server, but the RADIUS server just denies access because I am not sure how to get it to use the msNPCallingStationID attribute.
I have found several ways to do this, including adding Active Directory users for every single MAC address with the MAC address as the username and password. I do not want to do that. This is not an option.
I have also found several posts about using ieee802Device. I can't find a way to get that to work.
I also found a suggestion to use the msNPCallingStationID AD attribute. I can easily set this for each user as their MAC address, but how do I configure the NPS server to use this attribute to authenticate?
If you have any other ideas on how to get MAC authentication to work, I would greatly appreciate it!
Thank you for your assistance!
Hi,
I think you may have some misunderstanding about MAC address authorization. MAC address authorization is based on the MAC address of the network adapter installed in the access client computer. Like ANI authorization, MAC address authorization uses the Calling-Station-ID attribute instead of user name and password or certificate-based credentials to identify the user during the connection attempt.
MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names; therefore you need to add the MAC address as the computer user name and password.
Using the MAC address as user name and password is a requirement of the Cisco® switch; about your switch device, please ask your hardware vendor.
If you want to combine MAC filtering and EAP authentication, you can refer to the following related article:
Enhance your 802.1x deployment security with MAC filtering
http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx
More information:
MAC Address Authorization
http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx
Authorization by User and Group
http://technet.microsoft.com/en-us/library/dd197615(v=ws.10).aspx
The similar thread:
NPS: Override User-Name and User Identity Attribute
http://social.technet.microsoft.com/Forums/windowsserver/en-US/6dd983f9-973f-4d23-be0c-032d3a1592d0/nps-override-username-and-user-identity-attribute?forum=winserverNAP
The related third party article:
Configuring IEEE 802.1x Port-Based Authentication
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/sw8021x.html#wp1170569
MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo
Hope this helps.
-
Wireless user authentication detail at syslog server
Hi Dear. I configured a wireless network. I want to see my wireless users' authentication details (IP address, username and, if possible, MAC address) on my syslog server. I did some configuration, and the wireless controller sends something to my syslog server, but I need exactly the user authentication details.
How do I do that? Please help me. Thank you very much.
Hi dears, please help me.
-
ACS Server MAC Authentication with Windows Database
Has anyone set up an ACS Server 3.2 for MAC authentication using Windows as the authentication database? The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.
Here is the link for setting up MAC authentication using the CiscoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml
-
I want to make my Mac Mini Server (Lion) visible to the Internet from my home LAN. I have followed the Lion server install wizards and also set up a dynamic DNS at DynDNS.com.
When I enter the Internet address with the proper alias from a web browser, I get dumped into the admin screen of the Linksys WRT300N wireless router. Hint: the WRT300N provides DHCP for the LAN, not the cable modem. The WRT300N has the DDNS service set up. NAT and RIP are disabled. The Mac Mini's DHCP lease is reserved.
Suggestions? I could use the Motorola Surfboard SB6121 to provide DHCP but have hesitations.
Point me to the right discussion/article and get me back on track, please.
This sounds like a simple port forwarding issue, but I don't understand your LAN setup.
The WRT300N has DDNS service set up. NAT and RIP are disabled.
The chances are, you're running NAT somewhere in your network. If not the WRT then what? If it's your cable modem then you must have port forwarding configured on the cable modem, and that's where you need to focus - change the port forwarding to point to your Mac Mini's address rather than the WRT.
HOWEVER, it is far more common to have the wireless router perform NAT and DHCP, which is why I question your setup.
Not directly related, but:
The Mac Mini DHCP is reserved
Nix this. Your server should be configured manually, with a static IP address, not DHCP, even with a reservation in the DHCP server. The only advantage of DHCP is for dynamic hosts (hence the 'D' in 'DHCP') or if you expect to change your entire local subnet on any kind of frequent basis. The reality is that you can't just change the IP address of Mac OS X Server like this; there are too many dependencies, so it's better to set it manually, knowing that there's a cost (and pain) to changing the server's address.
-
Wireless Guest and MAC authentication
Hi all,
I want to set up a Wi-Fi guest network with MAC-based authentication.
I already have the guest anchor controller and the remote WLC controller (and the mobility tunnel) up and running.
However, I am uncertain where I have to program the MAC addresses: on the remote WLC or on the guest controller? (for the local MAC database)
It seems my authentication only works if I program the MAC address on the 'remote' WLC (the WLC holding the AP).
This is a pity, as I was hoping to centralise all "approved" MAC addresses on the guest controller and not on each individual WLC separately.
Also, suppose I want a RADIUS server to validate the MAC address. Which controller is going to send the RADIUS request? The WLC controller managing the AP or the guest anchor controller?
Does the remote WLC also need to be configured with "Layer 2 security: none" + "MAC authentication" (the same as the anchor controller), or can I put "Layer 2: none" on it and put the anchor controller on "Layer 2: none" + MAC authentication?
regards,
Geert
Hi Geert,
The rule is straightforward: layer 2 is handled by the foreign WLC (the one holding the AP) and layer 3 is handled by the anchor (the guest controller).
This means the anchor WLC handles DHCP/IP addressing, web authentication, etc.
But only the foreign WLC knows which AP the client is associated to; it's the only one with layer 2 information, so that's the one doing layer 2 authentication (WPA PSK or MAC filtering).
The way to "centralize" for you would be to have the MAC addresses on a RADIUS server or to push the MAC addresses to the controllers via WCS.
Hope this clarifies,
Nicolas
===
Don't forget to rate answers that you find useful
-
MAC Authentication + Windows Server 2008 R2 RADIUS server
Hello there,
I have been trying to configure MAC authentication on Windows Server Network Policy Server but with no success. Details of my configuration can be found below.
I first enabled MAC authentication on a 3Com 4400 switch:
enabling -> Mac-authentication
enabling authentication mode -> UsernameAsMacAddress
configuring a domain -> mac-authentication domain abc.local
I left the default VLAN (VLAN 1).
On my DC, I created a user:
username: 00-00-00-00-00-00
password: 00-00-00-00-00-00
Lastly, on the NPS server I configured the 802.1X Wired configuration and the NAS (RADIUS client), which is the 3Com switch.
After completing the configuration, I turned on my computer and logged on to the domain as abc\00-00-00-00-00-00 with the password. But there was no success when the computer tried to connect to the network looking for DHCP services to obtain an IP address.
In the NPS event log, I got:
User:
    Security ID:                  NULL SID
    Account Name:                 00-00-00-00-00-00@abc.local
    Account Domain:               abc
    Fully Qualified Account Name: abc\00-00-00-00-00-00
Client Machine:
    Security ID:                  NULL SID
    Account Name:
    Fully Qualified Account Name:
    OS-Version:
    Called Station Identifier:
    Calling Station Identifier:   0000-0000-0000
NAS:
    NAS IPv4 Address:             xxx.xxx.xx.xx
    NAS IPv6 Address:
    NAS Identifier:               00aa00aa00aa
    NAS Port-Type:                Ethernet
    NAS Port:                     12345678
RADIUS Client:
    Client Friendly Name:         3com
    Client IP Address:            xxx.xxx.xx.xx
Authentication Details:
    Connection Request Policy Name: NAP 802.1X (Wired) 2
    Network Policy Name:
    Authentication Provider:      Windows
    Authentication Server:        server.abc.local
    Authentication Type:          PAP
    EAP Type:
    Account Session Identifier:
    Logging Results:              Accounting information was written to the local log file.
    Reason Code:                  16
    Reason:                       Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
All I could find was "Authentication failed due to the reason that appeared in the reason code", but I am very sure that the name and the password are the same. I hope someone can help me out.
Thanks.
Hi,
Thanks for your post.
MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and
password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names.
For more detailed information about MAC Address Authorization, please refer to the below article. Hope it helps.
MAC Address Authorization
http://technet.microsoft.com/en-us/library/dd197535(WS.10).aspx
Best Regards,
Aiden
Aiden Cao
TechNet Community Support
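Both NPS threads above (the Aruba/msNPCallingStationID question and the 3Com/PAP reason-code-16 failure) come down to what the NAS puts in the Access-Request and what the server compares it against. The following Python is an added example, not code from Microsoft, 3Com or Cisco documentation. It builds an RFC 2865 Access-Request the way a MAC-authenticating NAS does (User-Name = MAC, a PAP-obfuscated User-Password = MAC, Calling-Station-Id), then plays the server side: it recovers the password with the shared secret, compares name and password against a small account store (what AD holds when accounts are created with the MAC as user name) and additionally refuses when the Calling-Station-Id disagrees with the User-Name. The shared secret, the account spellings and the NAS address are constructed values.

```python
"""RFC 2865 Access-Request as a MAC-authenticating NAS sends it, and the server-side check (added example)."""
import hashlib
import os
import re
import socket
import struct

ACCESS_REQUEST = 1
# Attribute types from RFC 2865
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 2, 4, 31, 61
NAS_PORT_TYPE_ETHERNET = 15


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; a wrong shared secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value   # type, length, value


def build_access_request(identifier, secret, user_name, password, calling_station_id, nas_ip="10.80.0.17"):
    """What a MAC-authenticating NAS sends: User-Name = MAC, User-Password = MAC (PAP), Calling-Station-Id.
    nas_ip is the AP address quoted in the FreeRADIUS log further down this page."""
    authenticator = os.urandom(16)
    attrs = (_attr(USER_NAME, user_name.encode())
             + _attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + _attr(CALLING_STATION_ID, calling_station_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, identifier, data[4:20], attrs


def _mac_key(s: str) -> str:
    return re.sub(r"[^0-9a-fA-F]", "", s).lower()


def server_decision(data: bytes, secret: bytes, accounts: dict):
    """Emulate the server. accounts maps user name -> password, spelled exactly as the
    directory holds them (the NPS threads above create AD users this way). Returns (accepted, reason)."""
    code, _, authenticator, attrs = parse_packet(data)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return False, "not a PAP Access-Request"
    user = attrs[USER_NAME].decode(errors="replace")
    password = pap_decrypt(attrs[USER_PASSWORD], secret, authenticator).decode(errors="replace")
    if accounts.get(user) != password:
        # A spelling difference (004096a3e012 vs 00-40-96-a3-e0-12) or a wrong shared
        # secret both land here: NPS reason code 16, user credentials mismatch.
        return False, "reason 16: user credentials mismatch"
    csid = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
    if _mac_key(csid) != _mac_key(user):
        # A listed MAC typed as credentials from some other station.
        return False, "Calling-Station-Id does not match User-Name"
    return True, "Access-Accept"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"                      # constructed; never reuse a real one
    accounts = {"00-40-96-a3-e0-12": "00-40-96-a3-e0-12"}      # constructed directory entry
    for user, csid in [("00-40-96-a3-e0-12", "00-40-96-A3-E0-12"),   # matches the store: accept
                       ("004096a3e012", "00-40-96-A3-E0-12"),        # same MAC, other spelling: reason 16
                       ("00-40-96-a3-e0-12", "00-25-D3-DB-77-8B")]:  # right credentials, wrong station
        pkt = build_access_request(7, secret, user, user, csid)
        print(user, csid, server_decision(pkt, secret, accounts))
```

The second case is the 3Com/NPS failure in a nutshell: the switch's spelling of the MAC and the AD account's spelling have to match byte for byte, because to the server it is just a PAP user name and password. The third case is why checking Calling-Station-Id on the server side is worth the extra policy condition even when the NAS already puts the MAC in User-Name.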
-
Cisco 1941W: configure MAC authentication in wireless
Dear all,
Does anyone know how to configure MAC authentication on a 1941W router?
Perhaps you can show me an example of configuring MAC authentication on a 1941W router.
Hi,
Below is the configuration for MAC authentication bypass on a Cisco 1900 router:
c1921> enable
c1921# configure terminal
! MAB relies on the global 802.1X/AAA setup, which this reply does not show:
! aaa new-model, aaa authentication dot1x default group radius,
! dot1x system-auth-control, and a radius server definition
c1921(config)# interface gigabitethernet slot/port
c1921(config-if)# authentication port-control auto
c1921(config-if)# mab
c1921(config-if)# end
You can verify using the commands below:
c1921#show authentication sessions
Interface    MAC Address       Method   Domain   Status          Session ID
Gi0/1        0201.0201.0201    mab      DATA     Authz Success   0303030300000004002500A8

c1921#show authentication sessions interface Gi0/1
            Interface:  GigabitEthernet0/1
          MAC Address:  0201.0201.0201
           IP Address:  Unknown
            User-Name:  02-01-02-01-02-01
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
         AAA Policies:
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0303030300000004002500A8
      Acct Session ID:  0x00000007
               Handle:  0x3D000005

Runnable methods list:
       Method   State
       mab      Authc Success
For more details refer to the link below:
http://www.cisco.com/c/en/us/td/docs/routers/access/1900/software/configuration/guide/Software_Configuration/conf.pdf
Thanks & Regards
Sandeep
-
Failed to remove Authentication Server on Wireless LAN controller
Cisco WLC 2500, software version: 7.6.100.0
I tried to remove the decommissioned Authentication Server from WLC web GUI but got popup window saying:
"Authentication Server could not be deleted as it is being used by either a WLAN ...."
I double checked on GUI and configs (show run-config commands) and the Authentication Server was NOT used anywhere.
Plus, I am unable to change the IP address so I can re-purpose it.
Any resolution?
1. Save the configuration.
2. Upload the configuration to a computer.
3. Edit the config file in Notepad and remove the RADIUS server IP address.
4. Save the new file (do not overwrite the backup; you may need it).
5. Download the customized configuration file into the WLC.
6. The WLC will automatically reboot.
7. It will boot up with the new configuration file without the RADIUS server.
-
Is the Snow Leopard Mac Mini Server the right solution for my office?
I'm the de facto "sysadmin" for my small office, which usually just means I set up the wireless, configure network printing, troubleshoot little issues with Mail and MS Office products.
Currently, we have 4 employees all on iMacs. We share files through a slapped-together setup, where there is a public folder on our owner's iMac and we all share files there. There are a few problems with this:
- If the owner's computer is off, no-one can get to the shared files.
- The owner's computer has had some strange "permissions" issues so sometimes files in the "Public" shared folder end up being read-only, or "read & write" for "nobody".
- A 5th employee telecommutes on an iMac, and can't access the shared folder or files.
So, we're considering getting a Mac Mini Server to do file storage and sharing, both locally and with telecommuting employees (of which there may be more in the future).
- Is this the best solution to our needs - really just file sharing, no web hosting or anything like that?
- What level of access control / authentication can we do on the Server? For example, could we have a password protected folder on the server to restrict access?
- Would we need to upgrade our standard DSL service if we want to share files on the server with folks not on the local network?
- Am I biting off more than I can chew here, given that my technical knowledge is slim but I am the most computer-literate of anyone in the office, so I will need to trouble-shoot any issues that come up with the server?
For your stated goal, network-attached storage (NAS) or an always-on Mac client would be a simpler solution. Either preferably with RAID, and with provisions and storage for periodic archives.
A Mac OS X Server box is overkill. The Mac client boxes have 10-client sharing.
If you want single-signon and shared directory services and mail and web and various of the other pieces and services that are available within, then you can grow into a Mac OS X Server box.
A server is rather more to manage, regardless of what you choose. You're getting DNS and networking and other core pieces, minimally, and you're also responsible for many of the configuration settings and services and details that a client box receives from a server box. And you're definitely dealing with protections and such across multiple boxes.
For some other perspectives, there are various previous discussions of this posted around the forums. A search that includes NAS should kick over a few of these; this is a typical low-end alternative to running a server.
-
Wireless Security & Authentication methods
Hi,
I have some experience with WLAN networks, but I would like to have your opinion on wireless security implementations.
We have several sites where we have some Cisco access points running IOS. We are currently doing 128-bit WEP, with MAC authentication against a central ACS server.
But having static WEP and MAC registrations is not very practical.
Do you know about any method to have authentication against Active Directory (passing through the Cisco ACS), and Dynamic WEP Keys ?
Any recommendation is welcome.
Of course with this we would like to bring up our level of security.
Thanks a lot for all,
Best Regards,
Jorge
802.1X/EAP authentication is the most popular authentication method in wireless. The following documents explain how to configure EAP authentication.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml
-
Best way for wireless guest authentication
Hi
Can anyone tell me a good way to authenticate guest wireless in my workplace? We currently use MAC auth and usernames in the controller, which is not Cisco.
What solutions are out there for this, i.e. something separate from the controller like a RADIUS or authentication server? We may want the guests to register themselves by providing their mobile number etc.
Any ideas?
When you want to provide guest authentication and you want certain fields for the user to enter, guest access is best done with a portal page. When you want guests to enter information like a cell number etc., then you either need to find third-party captive portal software or an external web-auth server, or, if you have a Cisco WLC, you use ISE.
Your final requirements will determine what solution can or can't work.
Sent from Cisco Technical Support iPhone App
-
1130 WPA-PSK RADIUS MAC Authentication
I am trying to get our Cisco 1130 APs to use RADIUS MAC authentication with a FreeRADIUS server. We have been successful with other APs (Proxim, Netgear) but haven't been able to get the Cisco 1130 to work.
I have attached 2 files. One is the running config, and the other is a debug of radius.
This is what the FreeRADIUS log says:
Thu Nov 6 02:48:46 2008 : Auth: Login OK: [004096a3e012/004096a3e012] (from client 10.80.0.17 port 291 cli 00-40-96-A3-E0-12)
I would appreciate any help that anyone is willing to give.
Use the wpa-psk SSID interface configuration command to configure a pre-shared key for use in WPA authenticated key management. To support WPA on a wireless LAN where 802.1X-based authentication is not available, you must configure a pre-shared key for the SSID.
wpa-psk { hex | ascii } [ 0 | 7 ] encryption-key
but make sure that this command is not supported on bridges.
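The FreeRADIUS line quoted in the question carries everything needed to audit MAC authentication after the fact: the accepted User-Name, the NAS it came through and the Calling-Station-Id. The Python below is an added example, not part of the original post. It parses FreeRADIUS 2.x "Auth:" lines and flags three things worth alerting on: an accept where the credential MAC and the station MAC differ, an accept for a MAC that is no longer in the current allow-list, and a burst of rejects through one NAS. The first log line is the one from the post; the remaining lines and the allow-list are constructed.

```python
"""Audit FreeRADIUS 'Auth:' log lines from a MAC-authentication deployment (added example)."""
import re
from collections import Counter, defaultdict

# FreeRADIUS 2.x auth log line, in the shape quoted in the question above
_AUTH_LINE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^/\]]*)(?:/(?P<pw>[^\]]*))?\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>\S+)\)$"
)


def mac_key(s: str) -> str:
    """Reduce any MAC spelling to 12 lowercase hex digits for comparison."""
    return re.sub(r"[^0-9a-fA-F]", "", s).lower()


def parse_auth_line(line: str):
    """Return the fields of one 'Auth:' line as a dict, or None for any other line."""
    m = _AUTH_LINE.match(line.rstrip())
    return m.groupdict() if m else None


def review(lines, allowed, fail_threshold=3):
    """Return (kind, subject, detail) findings over a sequence of log lines.

    station-mismatch: accepted, but the credential MAC differs from the station the
        NAS saw (a listed MAC typed as credentials, or a NAS sending something other
        than the client MAC as User-Name).
    not-in-allowlist: accepted for a MAC absent from the current allow-list (the
        RADIUS 'users' file and the source list have drifted apart).
    repeated-failure: at least fail_threshold rejects through one NAS, with the
        number of distinct station MACs tried (MAC guessing looks like this).
    """
    allowed = {mac_key(m) for m in allowed}
    findings, rejects = [], defaultdict(Counter)
    for line in lines:
        rec = parse_auth_line(line)
        if rec is None:
            continue   # Info:/Error: lines and anything else
        user, cli = mac_key(rec["user"]), mac_key(rec["cli"])
        if rec["result"] == "OK":
            if user != cli:
                findings.append(("station-mismatch", cli,
                                 f"accepted as {rec['user']} via {rec['client']} port {rec['port']} at {rec['ts']}"))
            if user not in allowed:
                findings.append(("not-in-allowlist", user, f"accepted via {rec['client']} at {rec['ts']}"))
        else:
            rejects[rec["client"]][cli] += 1
    for client, per_station in rejects.items():
        n = sum(per_station.values())
        if n >= fail_threshold:
            findings.append(("repeated-failure", client,
                             f"{n} rejects across {len(per_station)} distinct stations"))
    return findings


# First line is the one quoted in the question; the rest are constructed.
SAMPLE_LOG = """\
Thu Nov 6 02:48:46 2008 : Auth: Login OK: [004096a3e012/004096a3e012] (from client 10.80.0.17 port 291 cli 00-40-96-A3-E0-12)
Thu Nov 6 02:49:10 2008 : Auth: Login OK: [0025d3db778b/0025d3db778b] (from client 10.80.0.17 port 292 cli 00-25-D3-DB-77-8B)
Thu Nov 6 02:50:02 2008 : Auth: Login OK: [004096a3e012/004096a3e012] (from client 10.80.0.17 port 293 cli 00-90-7A-0F-2A-55)
Thu Nov 6 02:51:15 2008 : Auth: Login incorrect: [0011223344aa/0011223344aa] (from client 10.80.0.17 port 294 cli 00-11-22-33-44-AA)
Thu Nov 6 02:51:16 2008 : Auth: Login incorrect: [0011223344ab/0011223344ab] (from client 10.80.0.17 port 294 cli 00-11-22-33-44-AB)
Thu Nov 6 02:51:17 2008 : Auth: Login incorrect: [0011223344ac/0011223344ac] (from client 10.80.0.17 port 294 cli 00-11-22-33-44-AC)
Thu Nov 6 02:51:30 2008 : Info: Ready to process requests.
"""

if __name__ == "__main__":
    # Constructed allow-list: only the AP's own test station is still approved.
    for finding in review(SAMPLE_LOG.splitlines(), allowed=["00-40-96-A3-E0-12"]):
        print(*finding, sep=" | ")
```

Point it at /var/log/radius/radius.log (or wherever "log { auth = yes }" writes) with the same list the users file was generated from; the station-mismatch check is the one that catches a listed MAC being used from the wrong adapter, which the accept itself never reveals.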
-
Mac mini Server as a gateway/router
I'd like to make my Mac mini server my main gateway for my office.
I'd like it to perform the following tasks:
- DHCP & NAT for sharing an Internet connection
- a wireless access point so that no AEBS or TC is necessary
- VPN for access to the Daylite server that will be running on it as well as file sharing for remote users
My goal here is to create a single Internet appliance that will prevent me from having to use a separate router and will provide secure remote access to the LAN.
I have a Mac mini server and a USB Ethernet adapter. I connected the USB Ethernet adapter to the WAN which has a static IP. And the built in Ethernet to the gigabit switch for the LAN.
So far, I have two problems:
1) I can't seem to VPN in from remote despite my best efforts of setting this up with the gateway assistant.
2) I have no idea on how I can use the built-in airport card to become a wireless access point for the wireless clients in the office. I chose the airport in the gateway assistant but wireless clients are on a different subnet and can't see the LAN resources.
I'm interested in hearing other ideas and strategies on how to use the mms in this way. Is anyone else doing this? Everyone seems to want to use an AEBS or TC in addition to the mms and maybe I'm missing something, but why would you need one?
It wasn't so much the $50 that I was worried about... just the redundancy... having both an OS X Server AND an Airport Extreme (or third-party router) seemed like such a waste if the server could be made to do it all.
So, at this point, I see two options:
1) Put an AEBS on the gigabit switch (LAN) and turn off everything... essentially reducing it down to a wireless access point... and put it in Bridge mode so that wireless clients can see the wired LAN.
2) Use the AEBS as my gateway and DMZ the server... turning off the gateway features (DNS, DHCP, NAT, etc...) on the server. This would remove the need for the USB Ethernet adapter but would I still be able to configure it as a VPN?
Either one seems a shame. I was really hoping for a single-box solution to sell my clients.
The other problem is still happening... for some reason, I can't connect to the VPN... it doesn't even seem to be getting to the authentication part. It simply says, "The Server is not responding". This is strange since other services for which I've forwarded specific ports seem to respond without issue. I assumed that all the necessary ports would be opened when I turned on the VPN feature... did I miss something?