802.1x MAC address authentication

Unanswered Question
May 15th, 2007

Hi all,

I am trying to set up 802.1x port-based authentication on a Cisco Cat. 2950 switch. I use PEAP on a Windows XP client (authenticated by Windows AD username/password) and Cisco ACS 4.0 as the RADIUS authentication server. Everything is okay. Now, I want to further improve the security. Does anyone know whether the user can be authenticated by "Windows AD username/password" PLUS "MAC address authentication"? I know I can manually enter the MAC address in each switch, but it is not feasible in our environment because we have many switches and many notebooks. Thanks.

Regards,

Murphy

cpembleton Tue, 05/15/2007 - 13:46

Not exactly MAC auth, but you can auth the AD computer account.

It's kind of an involved setup, so I won't go through it all. Hopefully it will put you in the right direction.

Need a certificate (you can use a self-signed one, but you need to tell each client not to verify the cert: network interface, Authentication tab)

Set up ACS to use an external DB (AD)

Set up group mappings

Using RADIUS attributes you can assign VLANs

This is the most relevant doc I could find on how to set it up. It is for wireless but you can do the same for wired.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

Thanks,

Chad

Please rate if helpful!

murphychan Tue, 05/15/2007 - 17:20

Hi Chad,

Thank you for your information. FYI, I have already set up the ACS; the wired notebook can be authenticated by AD account through 802.1x. My question is: I need to make sure users must use the corporate notebooks to connect to the switches (corporate network). If I only use the AD account for authentication, users can use their home notebook to connect to the corporate LAN using their AD account. So, I want to check the MAC address of the notebook also, just like on the wireless LAN. Do you or anyone have any idea about it? Thanks.

Regards,

Murphy

cpembleton Wed, 05/16/2007 - 05:04

You missed the part about machine authentication.

In the Windows User Database configuration in ACS (External User Databases) you will find a section for machine authentication, which may not show up unless you have a cert set up on ACS.

With this section you can configure that if machine auth fails it will put the machine in a specific group. This group can be configured to deny the connection.

You can use certs for your clients, but you'll need a CA infrastructure. That is the most secure. But you can just use PEAP instead of smartcard or certificate.

Go through the doc I sent as it goes through the basic setup for machine authentication.

Thanks,

Chad
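The control Chad describes (machine auth with the AD computer account first, user auth afterwards, failed machine auth mapped to a deny group, VLAN handed back in RADIUS attributes) is easier to reason about as a small model. The following is an added example written for this page, not code from the thread or from Cisco ACS: it simulates a RADIUS policy that only accepts a user logon from a client whose computer account has already authenticated on the same port, tracked by the Calling-Station-Id (the client MAC the switch reports). The computer name, domain, VLAN numbers and MAC addresses are constructed.

```python
# Added example (not from the original thread): a toy model of the
# "machine auth, then user auth" policy, as a RADIUS server might apply it.
# Names, VLANs and MACs are made up for illustration.
import re
from dataclasses import dataclass, field
from typing import Dict

# RFC 2868 tunnel attributes used for dynamic VLAN assignment on Catalyst
# switches: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6),
# Tunnel-Private-Group-ID=<VLAN name or number>.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

MACHINE_PREFIX = "host/"   # identity form the Windows supplicant uses for computer accounts


@dataclass
class AccessRequest:
    user_name: str            # "host/NB01.corp.example" (machine) or "CORP\\murphy" (user)
    calling_station_id: str   # client MAC as the switch reports it (spoofable, see note)
    credentials_ok: bool      # stand-in for the PEAP/MSCHAPv2 check against AD


@dataclass
class Decision:
    accept: bool
    group: str                                   # ACS-style group the request mapped to
    attributes: Dict[str, object] = field(default_factory=dict)


def normalize_mac(mac: str) -> str:
    """Switches send Calling-Station-Id in several forms; compare on hex digits only."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class MachineThenUserPolicy:
    def __init__(self, domain_computers, machine_vlan: str, user_vlan: str,
                 deny_group: str = "Machine Auth Failed"):
        self.domain_computers = {c.lower() for c in domain_computers}
        self.machine_vlan = machine_vlan
        self.user_vlan = user_vlan
        self.deny_group = deny_group
        self._machine_authed: Dict[str, str] = {}   # MAC -> computer name

    @staticmethod
    def _vlan_attrs(vlan: str) -> Dict[str, object]:
        return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
                "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
                "Tunnel-Private-Group-ID": vlan}

    def evaluate(self, req: AccessRequest) -> Decision:
        if not req.credentials_ok:
            return Decision(False, "Bad Credentials")
        mac = normalize_mac(req.calling_station_id)

        if req.user_name.lower().startswith(MACHINE_PREFIX):
            computer = req.user_name[len(MACHINE_PREFIX):].lower()
            if computer not in self.domain_computers:
                return Decision(False, self.deny_group)     # unknown computer: deny group
            self._machine_authed[mac] = computer
            return Decision(True, "Domain Computers", self._vlan_attrs(self.machine_vlan))

        # User authentication: only honour it if this client has already proven
        # it is a domain computer. A home laptop with a valid AD user password
        # lands in the deny group instead of getting a VLAN.
        if mac not in self._machine_authed:
            return Decision(False, self.deny_group)
        return Decision(True, "Domain Users", self._vlan_attrs(self.user_vlan))


def demo() -> Dict[str, Decision]:
    """Run the cases from the thread: corporate laptop, home laptop, unknown computer."""
    policy = MachineThenUserPolicy(domain_computers=["NB01.corp.example"],
                                   machine_vlan="10", user_vlan="20")
    corp_mac = "00-11-22-33-44-55"    # constructed
    home_mac = "66:77:88:99:aa:bb"    # constructed
    return {
        "machine_corp": policy.evaluate(AccessRequest("host/NB01.corp.example", corp_mac, True)),
        "user_corp": policy.evaluate(AccessRequest("CORP\\murphy", corp_mac, True)),
        "user_home": policy.evaluate(AccessRequest("CORP\\murphy", home_mac, True)),
        "machine_unknown": policy.evaluate(AccessRequest("host/ROGUE.corp.example", home_mac, True)),
    }


if __name__ == "__main__":
    for case, d in demo().items():
        print(f"{case:16} accept={d.accept} group={d.group} {d.attributes}")
```

Two caveats a practitioner should keep in mind. Calling-Station-Id is whatever the switch reports, and a MAC address is trivially cloned, so the thing that actually keeps a home notebook off the LAN in this model is the computer-account credential, not the MAC; the MAC is only the handle that ties the later user logon to the earlier machine logon on that port. Second, a PEAP machine password is still a shared secret held by the box; a CA-issued machine certificate, as Chad notes, is the stronger binding to "this is a corporate notebook".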
