802.1x MAC address authentication

murphychan
Level 1

Hi all,

I am trying to set up 802.1x port-based authentication on a Cisco Cat. 2950 switch. I use PEAP on a Windows XP client (authenticated by Windows AD username/password) and Cisco ACS 4.0 as the RADIUS authentication server. Everything is okay. Now, I want to further improve the security. Does anyone know whether the user can be authenticated by "Windows AD username/password" PLUS "MAC address authentication"? I know I can manually enter the MAC address in each switch, but it is not feasible in our environment because we have many switches and many notebooks. Thanks.

Regards,

Murphy

3 Replies

cpembleton
Level 4

Not exactly MAC auth but you can auth the AD computer account.

It's kind of an involved setup so I won't go through it all. Hopefully it will put you in the right direction.

Need a certificate (you can use a self-signed one, but you need to tell each client not to verify the cert: network interface Authentication tab)

Setup ACS to use external DB (AD)

Setup group mappings

Using RADIUS attributes you can assign VLANs

This is the most relevant doc I could find on how to set it up. It is for wireless but you can do the same for wired.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

Thanks,

Chad

Please rate if helpful!

Hi Chad,

Thank you for your information. FYI, I already set up the ACS; the wired notebook can be authenticated by AD account through 802.1x. My question is: I need to ensure that users must use the corporate notebooks to connect to the switches (corporate network). If I only use the AD account for authentication, users can connect their home notebook to the corporate LAN using his/her AD account. So, I want to check the MAC address of the notebook also, just like on the wireless LAN. Do you or anyone have any idea about it? Thanks.

Regards,

Murphy

You missed the part about machine authentication.

In the Windows User database configuration in ACS (External User Databases) you will find a section for machine authentication which may not show up unless you have a cert setup on ACS.

In this section you can configure that if machine auth fails it will put the machine in a specific group. This group can be configured to deny the connection.

You can use certs for your clients, but you'll need a CA infrastructure. Most secure. But you can just use PEAP instead of smartcard or certificate.

Go through the doc I sent as it goes through the basic setup for machine authentication.

Thanks,

Chad
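As an added example (not from this thread, Cisco ACS or any Cisco product), here is a small Python audit that checks the property Chad's machine-authentication setup is meant to enforce: that a user logon on a port was preceded by a successful machine (computer account) authentication from the same MAC. It reads constructed, simplified log lines in a `date,time,result,user,mac` layout, which is an assumption and not the real ACS CSV format; the only real convention it relies on is that Windows machine authentication presents the computer account as `host/<name>`. The 10-minute window, column layout and sample values are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample lines (NOT real ACS output):
# date, time, result, user name as sent by the supplicant, Calling-Station-Id (client MAC).
SAMPLE_LOG = """\
2007-03-01,08:00:01,pass,host/NB-1042.corp.example,00-11-22-33-44-55
2007-03-01,08:00:09,pass,murphy@corp.example,00-11-22-33-44-55
2007-03-01,08:05:30,pass,alice@corp.example,00-AA-BB-CC-DD-EE
2007-03-01,08:06:00,fail,host/NB-2000.corp.example,00-de-ad-be-ef-01
2007-03-01,08:06:05,pass,bob@corp.example,00-de-ad-be-ef-01
"""

# Only user logons within this window after a machine auth are treated as paired.
MACHINE_AUTH_WINDOW = timedelta(minutes=10)


def normalize_mac(mac):
    """Reduce any common MAC spelling (00-11-..., 00:11:..., 0011.2233...) to 12 lowercase hex digits."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def parse_log(text):
    """Parse the simplified log layout into records sorted by timestamp."""
    rows = []
    for date, time, result, user, mac in csv.reader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "ok": result.strip().lower() == "pass",
            "user": user.strip(),
            # Windows machine auth sends the computer account as host/<name>.
            "machine": user.strip().lower().startswith("host/"),
            "mac": normalize_mac(mac),
        })
    return sorted(rows, key=lambda r: r["ts"])


def audit(rows, window=MACHINE_AUTH_WINDOW):
    """Return (user, mac, reason) for successful user logons that were not
    preceded, on the same MAC and within `window`, by a successful machine auth."""
    findings = []
    last_machine = {}  # mac -> (timestamp, passed) of the latest machine-auth attempt
    for r in rows:
        if r["machine"]:
            last_machine[r["mac"]] = (r["ts"], r["ok"])
            continue
        if not r["ok"]:
            continue  # failed user logon: no access was granted, nothing to flag
        prev = last_machine.get(r["mac"])
        if prev is None or r["ts"] - prev[0] > window:
            findings.append((r["user"], r["mac"], "no machine auth seen"))
        elif not prev[1]:
            findings.append((r["user"], r["mac"], "machine auth failed"))
    return findings


if __name__ == "__main__":
    for user, mac, reason in audit(parse_log(SAMPLE_LOG)):
        print(f"{user} on {mac}: {reason}")
```

On the constructed sample, murphy's logon is accepted because the MAC authenticated as `host/NB-1042` eight seconds earlier, alice's MAC never performed machine auth (the "home notebook" case from the question), and bob's MAC attempted machine auth but failed. The second and third cases are exactly what the ACS group mapping for failed machine authentication is meant to deny at the port; running a check like this over the accounting or passed-authentications log shows whether that policy is actually taking effect.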
