ACS 4.0 802.1X Ibns Automatic MAC Learning

Unanswered Question


I've configured 802.1x ibns on 2960 switch, which authenticates correctly to a ACS 4.0 server.

In order to build groups containing the EXISTING topology (which mac addresses are currently connected to which switch) I need to learn those mac-addresses

in order to store them in the ACS 4.0 Database.

Is there a way to do it automatically ?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
jafrazie Tue, 03/13/2007 - 14:15
User Badges:
  • Cisco Employee,

If you're using 802.1X as your authentication method, it need not matter what a MAC address is, since 802.1X does not authenticate MAC addresses.

So can you clarify what your expectation is here?

I am Talking about a Mac Authentication Bypass 802.1X IBNS - Fallback mode.

Which sends the Mac address to the ACS.

And It's working now perfectly.

I want just for a one time to learn all the mac addresses from all the switches, and to store them at the Mac database of the acs, because Now I have to .learn every mac like Show mac-adderss-table or Sh arp from the switch and enter manually those mac address table in Network Access Profiles. Mac table.

Because Later on I want to do Network access restrictions to new Mac addresses that won't enter. And I've already know to config this.

All I am asking is one time learning all the mac-addresses in the organization

Is there a way ?

jafrazie Wed, 03/14/2007 - 08:21
User Badges:
  • Cisco Employee,

Ah yes .. OK, cool.

MAC Authentication Bypass doesn't support a provisioning or learning mechanism itself. It's just the act of doing the actual authentication.

Example: 802.1X has nothing to do with provisioning a cert on a device. It's just the actual authentication event itself.

So while "it depends" on how to achieve this (there can be numberous ways), you could technically get MAB "to help" with this, and here's how:

Use the Guest-VLAN. When configured along with MAB and 802.1X, the Guest-VLAN is a "failure condition" for MAB itself. So the point is .. even though you have MAB turned on, you can let everything "fail" but the device will ultimately go into the Guest-VLAN anyway just based on the fact that it cannot do 1X. Remember, the Guest-VLAN can be any VLAN you want it to be (can be the same as your regular desktop VLAN for simplicity or ease of deployment). OK, so this way, you don't kill network access day-one, but ultimiately, you also have a nice "authentication failure log" of your MACs with what they are, where they are, etc, etc. on ACS (or whatever your AAA server happens to be).

So while it's not a turn-key scanning, or inventory mgmt system, this can help. You could then purge this log, rip it, and insert the devices into the local db on ACS as user account. Then, you can turn it off (the Guest-VLAN) whenever you may be ready. Or just change the Guest-VLAN, etc.

As a reminder, the gathering of MAC addresses, etc, does not extend trust explicitly. LMS from CiscoWorks can also help as a MAC address gathering tool, and there are plenty of others. However, none of these techniques necessarily verify the entity should be on your corporate network to begin with. It may only prove that it is already there ;-).

But it's a step in the right direction to raise the bar for sure.

Hope this helps,

Thanks for reply,

I Have another question

I currently use ACS 4.0

and in the Network Access profile when a MAC is not in the list so it attach to a user group that I've decided.

I though of idea that MAC address can act like a user.

so I've tried to look in all users that attach to the group and I haven't found the MAC address as a USER.

Also I've tried in csutil for users and groups. and the MAC is not found.

Although in the reports and activity it mentioned that the MAC address attached to the User group.

I guess that it looked for users from the internal/external database. but I am not sure about that.

Is this option avaliable at ACS 4.1 or do you know of another way how can I find the MAC address as a user ?


This Discussion