PEAP with MAC

gustavo.pena · ‎06-07-2009

Hi,

I'd like to know if there is a way to authenticate using a username with PEAP and in addition restrict the access with the station MAC address. Im using 1230 APs with Cisco Secure ACS authenticating with the Ms AD.

Thanks in advanced

Vinay Saini · ‎06-08-2009

Hii ,

DO you have the unified solution with controllers.

If yes , its very simple - just create a ssid with WPA/WPA2 , on the security page you will find the MAC filter checkbox , just click that.

When both 802.1x and MAC filtering are enabled , first check if for MAC , if the MAC is added to the list , it will go for 802.1x auth cis radius.

Thanks

Vinay

gustavo.pena · ‎06-08-2009

Thanks Vinay

No, I dont have the unified solution, I have standalone APs (1230) and I'm using PEAP with ACS.

Is there a way to do the same on the standalone APs?

Vinay Saini · ‎06-08-2009

Yes , very well possible on autonomous. Just select "Open auth with MAC and EAP" from the ssid page.

for cli here is the sample config (WPA2+Local MAC)

Building configuration...

Current configuration : 2517 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname ap

!

enable secret 5 $1$SJ3D$ztXO0VxAG0aOnjCZqVDov.

!

aaa new-model

!

aaa group server radius rad_eap

!

aaa group server radius rad_mac

!

aaa group server radius rad_acct

!

aaa group server radius rad_admin

!

aaa group server tacacs+ tac_admin

!

aaa group server radius rad_pmip

!

aaa group server radius dummy

!

aaa group server radius rad_eap1

server 9.42.24.53 auth-port 1645 acct-port 1646

!

aaa authentication login eap_methods group rad_eap

aaa authentication login mac_methods local

aaa authentication login eap_methods1 group rad_eap1

aaa authorization exec default local

aaa accounting network acct_methods start-stop group rad_acct

!

aaa session-id common

!

dot11 syslog

!

dot11 ssid vinay-test

authentication open mac-address mac_methods eap eap_methods1

authentication network-eap eap_methods1 mac-address mac_methods

authentication key-management wpa version 2

!

username Cisco password 7 123A0C041104

username 001d7e032db3 password 7 1159495413450E5C57782F267B

username 001d7e032db3 autocommand exit

!

bridge irb

!

interface Dot11Radio0

no ip address

no ip route-cache

shutdown

!

encryption mode ciphers aes-ccm

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface Dot11Radio1

no ip address

no ip route-cache

!

encryption mode ciphers aes-ccm

!

ssid vinay-test

!

dfs band 3 block

channel dfs

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface FastEthernet0

no ip address

no ip route-cache

duplex auto

speed auto

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address dhcp client-id FastEthernet0

no ip route-cache

!

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

ip radius source-interface BVI1

radius-server attribute 32 include-in-access-req format %h

radius-server host 9.42.24.53 auth-port 1645 acct-port 1646 key 7 01000307490E12

radius-server vsa send accounting

bridge 1 route ip

!