PEAP with MAC

Unanswered Question
Jun 7th, 2009

Hi,

I'd like to know if there is a way to authenticate using a username with PEAP and, in addition, restrict access by the station MAC address. I'm using 1230 APs with Cisco Secure ACS authenticating against MS AD.

Thanks in advance

Vinay Saini Mon, 06/08/2009 - 05:29

Hi,

Do you have the unified solution with controllers?

If yes, it's very simple: just create an SSID with WPA/WPA2; on the security page you will find the MAC filter checkbox, just click that.

When both 802.1x and MAC filtering are enabled, it first checks the MAC; if the MAC is added to the list, it will go for 802.1x auth via RADIUS.

Thanks

Vinay

gustavo.pena Mon, 06/08/2009 - 13:38

Thanks Vinay

No, I don't have the unified solution; I have standalone APs (1230) and I'm using PEAP with ACS.

Is there a way to do the same on the standalone APs?

Vinay Saini Mon, 06/08/2009 - 21:32

Yes, very well possible on autonomous. Just select "Open auth with MAC and EAP" from the SSID page.

For CLI, here is the sample config (WPA2 + local MAC):

Building configuration...

Current configuration : 2517 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$SJ3D$ztXO0VxAG0aOnjCZqVDov.
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 9.42.24.53 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid vinay-test
 authentication open mac-address mac_methods eap eap_methods1
 authentication network-eap eap_methods1 mac-address mac_methods
 authentication key-management wpa version 2
!
!
!
username Cisco password 7 123A0C041104
username 001d7e032db3 password 7 1159495413450E5C57782F267B
username 001d7e032db3 autocommand exit
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid vinay-test
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 9.42.24.53 auth-port 1645 acct-port 1646 key 7 01000307490E12
radius-server vsa send accounting
bridge 1 route ip
!
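The two replies above describe one control: the AP checks the station MAC against a list first and only then runs 802.1x/PEAP, and on an autonomous AP that intent lives in the `authentication open mac-address ... eap ...` and `authentication network-eap ... mac-address ...` lines of the SSID plus the MAC-style `username` entries. A practitioner maintaining several APs usually wants a quick check that every SSID really carries both methods and that the referenced method lists exist, since a typo there silently drops one leg of the check. The script below is an added example written for this thread, not Cisco's or the poster's code: it parses a running-config in the plain-text form shown above and reports SSIDs whose open authentication does not require both MAC and EAP, method lists that are referenced but never defined, and MAC usernames that lack the `autocommand exit` the posted config pairs with its MAC entry (treating that pairing as the expected convention). The sample input is constructed from the thread's own lines plus a hypothetical `guest-open` SSID and a hypothetical `00aabbccddee` username so that both failure cases show up. Keep in mind the risk side: a station MAC is visible over the air and is set by the client, so the MAC list is an inventory and defence-in-depth layer on top of PEAP, not an authentication factor in its own right.

```python
"""Audit an autonomous Cisco IOS AP config for SSIDs that are meant to
require both MAC-address filtering and EAP (PEAP) authentication."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: the relevant lines of the config posted in the thread,
# plus a hypothetical 'guest-open' SSID and a hypothetical MAC username
# (00aabbccddee) that has no 'autocommand exit' line.
SAMPLE_CONFIG = """\
aaa authentication login eap_methods1 group rad_eap1
aaa authentication login mac_methods local
!
dot11 ssid vinay-test
 authentication open mac-address mac_methods eap eap_methods1
 authentication network-eap eap_methods1 mac-address mac_methods
 authentication key-management wpa version 2
!
dot11 ssid guest-open
 authentication open
!
username Cisco password 7 123A0C041104
username 001d7e032db3 password 7 1159495413450E5C57782F267B
username 001d7e032db3 autocommand exit
username 00aabbccddee password 7 0000
"""

# Local MAC authentication stores each station MAC as a 12-hex-digit username.
MAC_USER_RE = re.compile(r"^[0-9a-f]{12}$")


@dataclass
class SsidAuth:
    name: str
    open_mac: Optional[str] = None    # MAC method list on 'authentication open'
    open_eap: Optional[str] = None    # EAP method list on 'authentication open'
    neteap: Optional[str] = None      # EAP method list on 'authentication network-eap'
    neteap_mac: Optional[str] = None  # MAC method list on 'authentication network-eap'

    def requires_mac_and_eap(self) -> bool:
        """True when open authentication demands both a MAC list and an EAP list."""
        return bool(self.open_mac and self.open_eap)


def parse_ssids(config: str) -> Dict[str, SsidAuth]:
    """Collect the authentication lines of every 'dot11 ssid' block."""
    ssids: Dict[str, SsidAuth] = {}
    current: Optional[SsidAuth] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("dot11 ssid "):
            current = SsidAuth(line.split()[2])
            ssids[current.name] = current
        elif current is None or not raw.startswith(" "):
            current = None  # any unindented line ends the ssid block
        elif line.startswith("authentication open"):
            m = re.search(r"mac-address (\S+)", line)
            current.open_mac = m.group(1) if m else None
            m = re.search(r"\beap (\S+)", line)
            current.open_eap = m.group(1) if m else None
        elif line.startswith("authentication network-eap"):
            current.neteap = line.split()[2]
            m = re.search(r"mac-address (\S+)", line)
            current.neteap_mac = m.group(1) if m else None
    return ssids


def method_lists(config: str) -> Set[str]:
    """Names defined by 'aaa authentication login <name> ...'."""
    names: Set[str] = set()
    for raw in config.splitlines():
        parts = raw.strip().split()
        if parts[:3] == ["aaa", "authentication", "login"] and len(parts) > 3:
            names.add(parts[3])
    return names


def audit_mac_users(config: str) -> Dict[str, bool]:
    """Map each MAC-style local username to whether it also has 'autocommand exit'."""
    users: Dict[str, bool] = {}
    for raw in config.splitlines():
        m = re.match(r"username (\S+) (.+)", raw.strip())
        if not m or not MAC_USER_RE.match(m.group(1)):
            continue
        users.setdefault(m.group(1), False)
        if m.group(2).startswith("autocommand exit"):
            users[m.group(1)] = True
    return users


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the config matches the intent."""
    findings: List[str] = []
    defined = method_lists(config)
    for s in parse_ssids(config).values():
        if not s.requires_mac_and_eap():
            findings.append(f"ssid {s.name}: open auth does not require both MAC and EAP")
        elif s.neteap and not s.neteap_mac:
            findings.append(f"ssid {s.name}: network-eap line has no mac-address filter")
        for lst in (s.open_mac, s.open_eap, s.neteap, s.neteap_mac):
            if lst and lst not in defined:
                findings.append(f"ssid {s.name}: method list '{lst}' is not defined")
    for mac, has_exit in audit_mac_users(config).items():
        if not has_exit:
            findings.append(f"username {mac}: MAC entry without 'autocommand exit'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents; on the sample it reports the hypothetical `guest-open` SSID and the hypothetical `00aabbccddee` entry and stays silent about `vinay-test`, which is the configuration the reply above recommends.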
