06-07-2009 08:35 PM - edited 07-03-2021 05:41 PM
Hi,
I'd like to know if there is a way to authenticate using a username with PEAP and in addition restrict the access with the station MAC address. I'm using 1230 APs with Cisco Secure ACS authenticating with the MS AD.
Thanks in advance
06-08-2009 05:29 AM
Hi,
Do you have the unified solution with controllers?
If yes, it's very simple - just create an SSID with WPA/WPA2; on the security page you will find the MAC filter checkbox, just click that.
When both 802.1x and MAC filtering are enabled, it first checks for the MAC; if the MAC is added to the list, it will go for 802.1x auth via RADIUS.
Thanks
Vinay
06-08-2009 01:38 PM
Thanks Vinay
No, I don't have the unified solution, I have standalone APs (1230) and I'm using PEAP with ACS.
Is there a way to do the same on the standalone APs?
06-08-2009 09:32 PM
Yes, very well possible on autonomous. Just select "Open auth with MAC and EAP" from the SSID page.
For CLI, here is the sample config (WPA2 + local MAC):
Building configuration...
Current configuration : 2517 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$SJ3D$ztXO0VxAG0aOnjCZqVDov.
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
server 9.42.24.53 auth-port 1645 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
!
dot11 ssid vinay-test
authentication open mac-address mac_methods eap eap_methods1
authentication network-eap eap_methods1 mac-address mac_methods
authentication key-management wpa version 2
!
!
!
username Cisco password 7 123A0C041104
username 001d7e032db3 password 7 1159495413450E5C57782F267B
username 001d7e032db3 autocommand exit
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
!
encryption mode ciphers aes-ccm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio1
no ip address
no ip route-cache
!
encryption mode ciphers aes-ccm
!
ssid vinay-test
!
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address dhcp client-id FastEthernet0
no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 9.42.24.53 auth-port 1645 acct-port 1646 key 7 01000307490E12
radius-server vsa send accounting
bridge 1 route ip
!
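The point of the config above is that the SSID's `authentication open` line names both a MAC method list and an EAP method list, the MAC list resolves to `local`, and each permitted station has a `username <mac>` entry. The following added audit script (not from this thread or from Cisco) checks those three conditions in a saved autonomous-AP running config; the sample config it parses is constructed from the snippet above, and the function and constant names are my own.

```python
import re

# Constructed sample: a trimmed autonomous-AP config in the shape Vinay posted above.
SAMPLE_CONFIG = """\
aaa authentication login eap_methods1 group rad_eap1
aaa authentication login mac_methods local
!
dot11 ssid vinay-test
   authentication open mac-address mac_methods eap eap_methods1
   authentication network-eap eap_methods1 mac-address mac_methods
   authentication key-management wpa version 2
!
username 001d7e032db3 password 7 1159495413450E5C57782F267B
username 001d7e032db3 autocommand exit
"""

# Constructed weaker variant: EAP only, no MAC check on the open-auth line.
WEAK_CONFIG = SAMPLE_CONFIG.replace(
    "authentication open mac-address mac_methods eap eap_methods1",
    "authentication open eap eap_methods1")

def ssid_block(config, ssid):
    """Return the indented lines that belong to 'dot11 ssid <ssid>'."""
    out, inside = [], False
    for line in config.splitlines():
        if line.strip() == f"dot11 ssid {ssid}":
            inside = True
            continue
        if inside:
            if not line.startswith(" "):
                break  # next top-level command ends the SSID block
            out.append(line.strip())
    return out

def audit_ssid(config, ssid):
    """Check that the SSID needs a MAC match AND EAP, and how each list is backed."""
    block = ssid_block(config, ssid)
    open_line = next((l for l in block if l.startswith("authentication open")), "")
    m = re.match(r"authentication open mac-address (\S+) eap (\S+)$", open_line)
    if not m:
        return {"mac_and_eap": False}
    mac_list, eap_list = m.groups()
    local_mac = re.search(rf"^aaa authentication login {re.escape(mac_list)} local$",
                          config, re.M) is not None
    eap_radius = re.search(rf"^aaa authentication login {re.escape(eap_list)} group \S+$",
                           config, re.M) is not None
    # MAC usernames on autonomous APs are 12 lowercase hex digits, no separators.
    macs = sorted({u for u in re.findall(r"^username ([0-9a-f]{12}) password", config, re.M)})
    return {"mac_and_eap": True, "mac_list": mac_list, "eap_list": eap_list,
            "local_mac_list": local_mac, "eap_via_radius": eap_radius, "local_macs": macs}
```

Run it against `show running-config` output saved to a file; a result with `mac_and_eap` false means the SSID will admit any station that passes PEAP regardless of its MAC address.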