Configuring MAB in ACS 5.1

Oct 14th, 2010

Does anyone have a step-by-step guide or instructions for configuring MAB on ACS 5.1? I'm new to this version and the instructions in the user guide are as clear as mud....

ewood2624 Thu, 10/21/2010 - 14:05

Thanks for the reference. I do have one other question. When creating the service selection policy in Access Policies > Service Selection Rules, which compound conditions should I use for MAB? I've tried a variety of different settings and everyone keeps getting skipped during authentication.

Thanks in advance!

Nicolas Darchis (Cisco Employee) Thu, 10/21/2010 - 22:51

The only thing that identifies MAB is the Service-Type attribute having the value "10".

Note that this is not true if you are using MAB-EAP. That one is just like an EAP authentication, so it is impossible to differentiate, apart from the fact that the username = password = MAC address.

Hope this helps.

Nicolas
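The rule in the reply above, worked through as an added example (this is not ACS code and not from the original thread). Each RADIUS Access-Request is modelled as a dict of decoded attributes, with attribute names as in RFC 2865 and RFC 3579; the sample requests, usernames and MAC addresses are constructed. The ACS service-selection step is stood in for by `select_service()`, which returns the chosen service and the reason it matched, so a request that "keeps getting skipped" can be explained. The final username = password = MAC branch is an assumption about NADs that send MAB without Service-Type = Call-Check.

```python
"""Service selection for RADIUS Access-Requests: MAB vs. EAP vs. PAP.

Added example; constructed data. Attribute names follow RFC 2865 / RFC 3579.
"""
import re

# RFC 2865 Service-Type values
SERVICE_TYPE_LOGIN = 1
SERVICE_TYPE_FRAMED = 2
SERVICE_TYPE_CALL_CHECK = 10   # set by the switch for MAB (PAP style)

_SEPARATORS = re.compile(r'[:.\-]')
_MAC12 = re.compile(r'^[0-9a-fA-F]{12}$')


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if value is not a MAC.

    Accepts 0011.22aa.bbcc, 00:11:22:AA:BB:CC, 00-11-22-aa-bb-cc and 001122aabbcc.
    """
    if not isinstance(value, str):
        return None
    digits = _SEPARATORS.sub('', value)
    return digits.lower() if _MAC12.match(digits) else None


def select_service(req):
    """Pick the access service for one Access-Request.

    Returns (service, reason). Order matters: the Call-Check test is the only
    reliable MAB indicator; everything after it is a heuristic and the reason
    string says so.
    """
    if req.get('Service-Type') == SERVICE_TYPE_CALL_CHECK:
        return 'MAB', 'Service-Type = Call-Check (10)'

    mac = normalize_mac(req.get('User-Name', ''))

    if 'EAP-Message' in req:
        # MAB-EAP (EAP-MD5 with the MAC as identity and password) looks like any
        # other EAP exchange here: the password is inside the EAP payload, so the
        # only visible hint is a MAC-shaped identity.
        if mac:
            return 'EAP', 'EAP-Message present; MAC-shaped identity, probably MAB-EAP'
        return 'EAP', 'EAP-Message present'

    # Assumption: a NAD that sends MAB as plain PAP without Call-Check. The only
    # hint left is username == password == MAC address.
    if mac and normalize_mac(req.get('User-Password')) == mac:
        return 'MAB', 'username = password = MAC address (no Call-Check)'

    return 'PAP', 'no MAB indicator; ordinary username/password'


def hit_counts(requests):
    """Run select_service over a batch and count hits per service, the way
    the per-service hit counters discussed in this thread do."""
    hits = {}
    for req in requests:
        service, _ = select_service(req)
        hits[service] = hits.get(service, 0) + 1
    return hits


if __name__ == '__main__':
    # Constructed sample requests.
    samples = [
        {'User-Name': '0011.22aa.bbcc', 'User-Password': '0011.22aa.bbcc',
         'Service-Type': SERVICE_TYPE_CALL_CHECK, 'Calling-Station-Id': '00-11-22-AA-BB-CC'},
        {'User-Name': 'jdoe', 'User-Password': 's3cret', 'Service-Type': SERVICE_TYPE_LOGIN},
        {'User-Name': '001122aabbcc', 'EAP-Message': b'\x02\x01\x00\x11\x01001122aabbcc',
         'Service-Type': SERVICE_TYPE_FRAMED},
        {'User-Name': 'jdoe', 'EAP-Message': b'\x02\x01\x00\x09\x01jdoe'},
    ]
    for s in samples:
        print(s.get('User-Name'), '->', select_service(s))
    print(hit_counts(samples))
```

If a MAB request lands in the wrong service, the reason string tells you which attribute was missing; a request matched by the last branch means the NAD is not sending Service-Type = Call-Check and the service selection rule has to be built on the username/password shape instead.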

ewood2624 Thu, 10/21/2010 - 23:14

I have Call Check selected for the MAB and it is referenced to the hosts identity store. I can only make it work if I use the test username and password that was created in the user identity store. I've attached some screenshots of what I've got set up initially. Any help would be appreciated....

Thanks in advance....

Tiago Antunes (Cisco Employee) Thu, 10/21/2010 - 23:25

We see hit count 6 in the MAB service, so 6 RADIUS Access-Requests already hit it.

Now on the Authorization section, hit count is 0, so the authentication against internal hosts is failing...

Can you please show us what the failure message is in the Monitoring and Reports view of the RADIUS authentication?

Also, can you show us how you have defined the host in the Internal Hosts DB?


HTH,

Tiago


--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

ewood2624 Fri, 10/22/2010 - 11:57

Here are some more screenshots of our user and host DB. The main group I want to MAC-authenticate is the iPhone/iPad group.
Tiago Antunes (Cisco Employee) Fri, 10/22/2010 - 14:32

OK, the host seems to be OK.

Can you please check what the error message of the failed authentication is when you do a MAB test?

You can check the monitoring logs for the RADIUS Authentications.

If you could share these logs with us it would be very useful.

Thanks,
Tiago

ewood2624 Mon, 10/25/2010 - 09:53

The six authentications that were on the screenshot were with local usernames and passwords. Can the ACS authenticate a device with the MAB DB first, then AD?

Tiago Antunes (Cisco Employee) Tue, 10/26/2010 - 06:42

Hi,


You can authenticate hosts with the ACS internal DB or AD; however, please note that if you want to do MAB in AD you need to configure users with the MAC address of the machine, in the same way you create the users on ACS.

On the other hand, if the goal is to authenticate the hosts with the hostname itself, it is different from MAB, and you can use the AD DB if the PCs are registered to the domain, without any further configuration on the AD side.

HTH,
Tiago

ewood2624 Fri, 10/29/2010 - 07:52

I've tried to use the MAC address as the username and password, but would have to define the same user attributes for the machine to match the user. Here's the scenario that we want to create:

User has an AD account and both an iPhone and iPad. When the user signs in using their AD credentials on the iPhone, ACS redirects the user to a specific VLAN based on the MAC. The user then tries to sign in using the same AD credentials on an iPad, but ACS sees the MAC and redirects it to a different VLAN.

Is there a way to do this?

ewood2624 Thu, 11/04/2010 - 13:09

I figured it out.... You have to use End Station Filter groups as MAC filters; then you can use AD as your identity store in your access policy. You can use the End Station Filter condition to match your MAC filter to your authorization profile.
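The approach in the post above, worked through as an added example (not ACS code and not from the thread): identity comes from a stand-in for the AD store, the MAC in Calling-Station-Id is matched against End Station Filter groups, and the first matching authorization rule selects the profile, returned as the RFC 3580 VLAN attributes. The users, passwords, groups, MAC addresses, filter names and VLAN numbers are all constructed; the prefix-matching rule in `mac_in_filter()` is an assumption for illustration and does not reproduce ACS's own filter syntax.

```python
"""AD identity + End Station Filter (MAC) -> authorization profile (VLAN).

Added example; constructed data. Stands in for the ACS access policy the
post describes, including the iPhone-vs-iPad-same-user case.
"""
import re

_SEPARATORS = re.compile(r'[:.\-]')
_MAC12 = re.compile(r'^[0-9a-fA-F]{12}$')


def normalize_mac(value):
    """12 lowercase hex digits, or None when value is not a MAC."""
    if not isinstance(value, str):
        return None
    digits = _SEPARATORS.sub('', value)
    return digits.lower() if _MAC12.match(digits) else None


# Stand-in for the AD identity store: user -> (password, groups). Constructed.
AD_USERS = {
    'jdoe':   ('Winter2010!', {'Domain Users', 'Mobile-Users'}),
    'asmith': ('Spring2010!', {'Domain Users'}),
}

# End Station Filter groups: each entry is a full MAC or a 6-hex-digit (OUI)
# prefix. Assumption: prefix matching is used here only for illustration.
END_STATION_FILTERS = {
    'iphone-macs': {'001122aabbcc', '001122aabbcd'},
    'ipad-macs':   {'deadbe'},
}

# Ordered authorization rules; first match wins. filter=None means any MAC.
AUTHZ_RULES = [
    {'name': 'iPhone-VLAN',  'ad_group': 'Mobile-Users', 'filter': 'iphone-macs', 'vlan': 10},
    {'name': 'iPad-VLAN',    'ad_group': 'Mobile-Users', 'filter': 'ipad-macs',   'vlan': 20},
    {'name': 'Default-Corp', 'ad_group': 'Domain Users', 'filter': None,          'vlan': 99},
]


def mac_in_filter(mac, filter_name):
    entries = END_STATION_FILTERS.get(filter_name, set())
    return any(mac == e or (len(e) == 6 and mac.startswith(e)) for e in entries)


def authenticate_ad(user, password):
    """Return the user's AD groups on success, None on failure (stand-in)."""
    rec = AD_USERS.get(user)
    if rec is None or rec[0] != password:
        return None
    return rec[1]


def vlan_attributes(vlan):
    """RFC 3580 tunnel attributes that put the port into a VLAN."""
    return {'Tunnel-Type': 13,            # VLAN
            'Tunnel-Medium-Type': 6,      # IEEE 802
            'Tunnel-Private-Group-Id': str(vlan)}


def authorize(req):
    """AD authentication, then rule evaluation on AD group + End Station Filter.

    Returns a dict with result, the rule that matched (or why not), the VLAN
    (None on reject) and the RADIUS attributes to return.
    """
    groups = authenticate_ad(req.get('User-Name'), req.get('User-Password'))
    if groups is None:
        return {'result': 'Access-Reject', 'reason': 'AD authentication failed',
                'vlan': None, 'attributes': {}}

    mac = normalize_mac(req.get('Calling-Station-Id'))
    for rule in AUTHZ_RULES:
        if rule['ad_group'] not in groups:
            continue
        if rule['filter'] is not None and (mac is None or not mac_in_filter(mac, rule['filter'])):
            continue
        return {'result': 'Access-Accept', 'reason': rule['name'],
                'vlan': rule['vlan'], 'attributes': vlan_attributes(rule['vlan'])}
    return {'result': 'Access-Reject', 'reason': 'no authorization rule matched',
            'vlan': None, 'attributes': {}}


if __name__ == '__main__':
    base = {'User-Name': 'jdoe', 'User-Password': 'Winter2010!'}
    for mac in ('00:11:22:AA:BB:CC', 'DE-AD-BE-EF-00-01', '00:00:00:00:00:01'):
        print(mac, '->', authorize({**base, 'Calling-Station-Id': mac}))
```

The same AD user gets VLAN 10 from the iPhone MAC and VLAN 20 from the iPad MAC, which is the behaviour asked for earlier in the thread; a device whose MAC is in no filter falls through to the catch-all rule, so the order of the rules decides what an unregistered device gets.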
