
Configuring MAB in ACS 5.1

ewood2624
Level 5

Does anyone have a step by step guide or instructions for configuring MAB on ACS 5.1?  I'm new to this version and the instructions in the user guide are as clear as mud....


Tiago Antunes
Cisco Employee

Hi,

Here is a nice one: https://supportforums.cisco.com/docs/DOC-13545.

HTH,

Tiago

--

If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

Thanks for the reference.  I do have one other question.  When creating the service selection policy in access policies>service selection rules, which compound conditions should I have to use MAB?  I've tried a variety of different settings and everyone keeps getting skipped during authentication.

Thanks in Advance!

The only thing that identifies MAB is the service-type attribute being of value "10".

Note that this is not true if you are using MAB-EAP. That one is just like an EAP authentication, so it is impossible to differentiate, apart from the fact that the username=password=MAC address.

Hope this helps.

Nicolas
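The distinction described in the reply above, as an added example that is not part of the original thread or of ACS: a small parser that reads Service-Type from a raw RADIUS Access-Request and reports whether a rule keyed on Service-Type 10 would see it as MAB. The sample packets are constructed, and the MAB-EAP check (a MAC-shaped User-Name matching Calling-Station-Id) is an assumed heuristic, since the reply notes MAB-EAP cannot be reliably told apart from other EAP.

```python
import re
import struct

# RADIUS attribute type numbers (RFC 2865; EAP-Message from RFC 2869)
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID, EAP_MESSAGE = 1, 6, 31, 79
CALL_CHECK = 10  # the Service-Type value the reply says identifies MAB

def parse_access_request(pkt: bytes) -> dict:
    """Return {attribute type: [raw values]}, rejecting malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 1 or not 20 <= length <= len(pkt):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(pkt[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def mac_of(raw: bytes) -> str:
    """Lower-case 12-hex-digit MAC, or '' if the value is not MAC-shaped."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw.decode("ascii", "replace"))
    return digits.lower() if len(digits) == 12 else ""

def classify(pkt: bytes) -> str:
    attrs = parse_access_request(pkt)
    service = attrs.get(SERVICE_TYPE, [b""])[0]
    if len(service) == 4 and struct.unpack("!I", service)[0] == CALL_CHECK:
        return "mab"
    user = mac_of(attrs.get(USER_NAME, [b""])[0])
    station = mac_of(attrs.get(CALLING_STATION_ID, [b""])[0])
    if EAP_MESSAGE in attrs and user and user == station:  # assumed heuristic
        return "possible-mab-eap"
    return "other"

def build(attrs):  # helper for the constructed sample packets below
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

MAC = [(USER_NAME, b"001122334455"), (CALLING_STATION_ID, b"00-11-22-33-44-55")]
MAB_PKT = build(MAC + [(SERVICE_TYPE, struct.pack("!I", CALL_CHECK))])
MAB_EAP_PKT = build(MAC + [(SERVICE_TYPE, struct.pack("!I", 2)), (EAP_MESSAGE, b"\x02\x01\x00\x05\x01")])
DOT1X_PKT = build([(USER_NAME, b"alice"), (EAP_MESSAGE, b"\x02\x01\x00\x05\x01")])
```
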

I have call check selected for the MAB and it is referenced to the hosts identity store.  I can only make it work if I use the test username and password that was created in the user identity store.  I've attached some screen shots of what I've got set up initially. Any help would be appreciated....

Thanks in advance....

We see hit count 6 in the MAB service so 6 RADIUS ACCESS requests already hit it.

Now on the Authorization section, hit count is 0 so the authentication against internal hosts is failing...

Can you please show us what is the failure message on the Monitoring and Reports view of the Radius authentication?

Also, can you show us how you have defined the host in the Internal Hosts DB?

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Here are some more screen shots of our user and host DB.  The main group I want to mac auth is the iphone/ipad group.

OK, the host seems to be OK.

Can you please check what is the error message of the failed authentication when you do a MAB test?

You can check the monitoring logs for the Radius Authentications.

If you could share these logs with us it would be very useful.

Thanks,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

The six authentications that were on the screen shot were with local username and passwords.  Can the ACS authenticate a device with the MAB DB first, then AD?

Hi,

You can authenticate hosts with ACS internal DB or AD; however, please note that if you want to do MAB in AD you need to configure users with the MAC address of the machine in the same way you create the users on ACS.

On the other hand, if the goal is to authenticate the hosts with the hostname itself, it is different from MAB, and you can use the AD DB if the PCs are registered to the domain, without any further configuration on the AD side.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

I've tried to use the MAC address as the username and password, but would have to define the same user attributes for the machine to match the user.  Here's the scenario that we want to create:

User has an AD account and both an iPhone and iPad.  When the user signs in using their AD credentials to the iPhone, ACS redirects the user to a specific VLAN based on the MAC.  The user then tries to sign in using the same AD credentials to an iPad, but ACS sees the MAC and redirects it to a different VLAN.

Is there a way to do this?

I figured it out.... You have to use end station filter groups as MAC filters, then you can use AD as your Identity in your access policy.  You can use the End Station Filter condition to match your MAC filter to your authorization profile.
