Using ACS to authenticate MAC addresses that appear on switches

Jun 12th, 2007

Hello,


Does anyone know of a way to have Cisco switches use the MAC address of devices that connect to them as a username/password combination for authentication via ACS? I want to set up the switches to query ACS as to whether or not to allow devices to pass traffic based on the database of the MAC addresses.


I know I can do this with wireless devices but in this case I can't use any client software or configuration. The switch just needs to see the packet, read the MAC address and query ACS as to allow the traffic to pass or not. Possible?



Thanks in advance. All replies rated!


Jagdeep Gambhir Tue, 06/12/2007 - 12:42

Angel,

This is not possible; you can't send the MAC address to the RADIUS server via a switch like you can on an AP.


The only way for a MAC to be authenticated by the RADIUS server is for the MAC to appear in the username and password fields of the RADIUS packet, and the switches do not have the ability to do this.


However, we can configure dot1x on the switch and do machine or user authentication, for which we need a user database.


http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/Sw8021x.html


Another alternative can be port security, but the database will not be centralised here.


http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/8.1/configuration/guide/sec_port.html


Hope that helps !


Regards,

Jagdeep

angel-moon Tue, 06/12/2007 - 13:38

Hello Jagdeep,


That got me started in the right direction, but I need some clarification. It seems that I can restrict access based on the MAC address of the client if I run dot1x on the switch. I can do machine authentication. A couple of questions:


1) Can the authentication be transparent to the end user or device? This needs to be based purely on the packet.


2) Can the database be centralized and if so what format does the database have to be in?



Thanks a ton!

Jagdeep Gambhir Wed, 06/13/2007 - 12:32

What do you mean by "authentication transparent to the end user"?


Add Info:


In the dot1x world, any host that is not configured to accept dot1x EAP packets, i.e. not a supplicant, will get placed in the guest VLAN. However, there is a way for dot1x authentication to authenticate via MAC addresses, and any failed user should just be set as unauthorized.


This is a feature called VMPS that will allow MAC address authentication; however, you need to be cautious about deploying both dot1x and VMPS on the same interface.


Here is the VMPS config guide:



http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225sec/3750scg/swvlan.htm#wp1212223


VMPS is a way to keep MAC-to-VLAN associations inside the switch config. Such information can be stored in a centralized way on one switch acting as the VMPS, while the other switches will be clients to that server.


But in this case the RADIUS server is not involved at all.


Regards,

Jagdeep

scadora Thu, 06/14/2007 - 07:31

If you are doing 802.1X with MAC authentication bypass, the switch will send a RADIUS Access-Request with the username attribute == the host's MAC address in the format hhhhhhhhhhh (all lower case, no white space). The password is the same as the username but encrypted via PAP (or MD5). This is just the same as any PAP user authentication, so the database can be centralized the same way you would for PAP authentication. In ACS, that could be the internal user database or any supported external database (LDAP, etc.).


The whole process is transparent to the end host. Once 802.1X times out on the port (default 90 seconds but you can adjust it), the switch will learn the MAC of the host from the next packet the host sends. Then the switch will do MAC auth as described above.


Hope that helps,

Shelly
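To make the MAB exchange Shelly describes concrete, here is an added example written for this page (not code from Cisco, ACS or any poster). It models the switch side building an Access-Request whose User-Name and User-Password both carry the MAC in the lower-case, separator-free form, hiding the password with the RFC 2865 PAP method, and the server side revealing it and checking a MAC allowlist; the shared secret, Request Authenticator and MAC values are constructed.

```python
import hashlib
import re

MAB_MAC_RE = re.compile(r"^[0-9a-f]{12}$")  # MAB User-Name: 12 lower-case hex digits


def to_mab_username(mac: str) -> str:
    """Normalize aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff to hhhhhhhhhhhh."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not MAB_MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks, XOR each block
    with MD5(secret + previous ciphertext block); the first block uses the
    16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of pap_hide; strips the zero padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_mab_request(mac: str, secret: bytes, authenticator: bytes) -> dict:
    """What the switch sends for a MAB host: User-Name and User-Password both
    carry the MAC; only the password is hidden on the wire."""
    user = to_mab_username(mac)
    return {"User-Name": user, "Authenticator": authenticator,
            "User-Password": pap_hide(user.encode(), secret, authenticator)}


def authorize_mab(req: dict, secret: bytes, allowlist: set) -> str:
    """ACS-style decision against a MAC-as-user database (constructed allowlist)."""
    user = req["User-Name"]
    if not MAB_MAC_RE.match(user):
        return "Access-Reject"  # not a MAB-formatted username
    if pap_reveal(req["User-Password"], secret, req["Authenticator"]) != user.encode():
        return "Access-Reject"  # password must equal the MAC (or the shared secret is wrong)
    return "Access-Accept" if user in allowlist else "Access-Reject"
```

Because the password is derived from the username, the allowlist lookup is the only real control in this scheme, which is why MAB is treated as device identification rather than strong authentication.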

wmblake755 Thu, 06/14/2007 - 09:09

We do this; you can use L2 NAC EOU with MAC auth bypass. Check it out.
