[ACS 5.4] Retrieve MAC Address (to use in policy)

Patrick Tran
Level 1

Hi,

I want to authenticate WLC clients and compare their MAC address with LDAP attributes.

We store the MAC address for each user in our LDAP server.

I have to retrieve the MAC address stored by ACS in policy rules to compare it with the LDAP value.

The only attribute containing the MAC address I found is "Calling-Station-ID" in "RADIUS-IETF" dictionary.

I don't know if this attribute will always be the MAC address...

Is it possible to retrieve an attribute "MAC address"?

Thanks for your help,

Patrick

Accepted Solution
Tarik Admani
VIP Alumni

If you are using 802.1x or MAC filtering, the device username is used as the MAC address, or the Calling-Station-ID. The time you will not see the MAC address is when you are doing local web auth with external authentication to ACS. You also see this for VPN users, and also in auth-proxy conditions.

For WLC and dot1x, the MAC address is always used for the Calling-Station-ID.

Hope this helps.

Tarik Admani
*Please rate helpful posts*

8 Replies


Tarik - I did not understand this:

"the device username is used as the mac address"

What exactly do you mean?

Rating useful replies is more useful than saying "Thank you"

I was referring to the mac-filtering operation and how the WLC will send the MAC address as the username and password to the RADIUS server. I was referring to the device as the WLC and not the client, which led to the confusion on my end.

Thanks for bringing this up for clarification.

Tarik Admani
*Please rate helpful posts*

Thanks Tarik for clarification.

But I am a bit confused now.

You said that the device MAC address is used instead of the username, and you mean the WLC when you say the device? Am I understanding correctly?

Or (what I think you mean is) the WLC sends the user's request and puts the user's MAC address instead of the username when it sends the request to the ACS. Right?

One question on the side: how will it behave if you have both 802.1x (with EAP) and MAC filtering configured under the SSID of the WLC?

Thanks.

Amjad

Rating useful replies is more useful than saying "Thank you"

"or (what I think you mean is) the WLC sends the user's request and puts the user's MAC address instead of the username when it sends the request to the ACS. Right?"

That is correct

"one question on the side: how will it behave if you have both 802.1x (with EAP) and MAC filtering configured under the SSID of the WLC?"

I have not tested the EAP portion, but this is documented to be an "AND" scenario where both should succeed in order for access to be granted. I have tested this where PSK will work in conjunction with mac-filtering.

I know in my experience, when I leverage RADIUS NAC (for ISE deployments), I can only use mac-filtering and not any other form of PSK or EAP with mac-filtering. I don't know if this has changed since I tested this on the 7.4 release.

thanks,

Tarik Admani
*Please rate helpful posts*

Well,

The point is, if you'd like to choose 802.1x with MAC filtering with ACS 5.x, for example, there will be only one policy that will match the request: either 802.1x or MAC, but not both.

This is the challenging point.

Rating useful replies is more useful than saying "Thank you"

Hi,

Have you configured the ACS policy as per your requirement? I am also stuck in such a situation, where I need to authenticate based on MAC addresses stored in the ACS database and AD authentication. If you have configured these policies, please suggest.

Kamlesh

Hi Tarik,

Thanks for your quick reply.

In my case, I want users to authenticate with login/password of our LDAP server.

But, to enforce security, I would like to check their MAC Address that is stored in our LDAP.

On ACS, I configured LDAP Authentication.

Then I configured a policy rule "RADIUS-IETF:Calling-Station-ID equals LDAP:mac-attribute" and it worked without problem.

I wanted to know if there is another attribute than RADIUS-IETF:Calling-Station-ID that stores the MAC address.

I was not sure that RADIUS-IETF:Calling-Station-ID always means MAC address.

Thanks again,

Patrick
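The two points the thread settles on, Tarik's description of which requests carry a MAC in Calling-Station-ID (MAC filtering: username and Calling-Station-ID are both the MAC; dot1x: Calling-Station-ID is the MAC; local web auth, VPN and auth-proxy: it is not), and Patrick's policy rule "Calling-Station-ID equals LDAP:mac-attribute", can be exercised offline with the added example below. It is not ACS code or anything from the thread's authors; the RADIUS attribute sets, the "mac-attribute" LDAP values and the username "ptran" are constructed for illustration. It shows why a plain string "equals" is fragile: the same MAC arrives as 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455 depending on what wrote it, and a web-auth request carries an IP address in the same attribute, so the comparison must normalize both sides and fail closed when the attribute is not a MAC at all.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample attribute sets, one per case described in the thread.
# Values are made up; they are not captured from a real WLC or ACS.
SAMPLE_REQUESTS: Dict[str, Dict[str, str]] = {
    "mac_filtering": {"User-Name": "00-11-22-33-44-55",
                      "Calling-Station-ID": "00-11-22-33-44-55"},
    "dot1x": {"User-Name": "ptran",
              "Calling-Station-ID": "00:11:22:33:44:55"},
    "web_auth": {"User-Name": "ptran",
                 "Calling-Station-ID": "10.1.2.3"},
}

# Constructed stand-in for the LDAP lookup of the hypothetical "mac-attribute":
# user -> MAC as an administrator happened to type it (Cisco dotted style here).
LDAP_MAC_ATTRIBUTE: Dict[str, str] = {"ptran": "0011.2233.4455"}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: str) -> Optional[str]:
    """Return the MAC as 12 lowercase hex digits, or None if value is not a MAC.

    Accepts 00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455 and 001122334455.
    Anything else (a username, an IP address) yields None.
    """
    digits = re.sub(r"[-:.]", "", value.strip().lower())
    return digits if _HEX12.match(digits) else None


def classify_request(attrs: Dict[str, str]) -> str:
    """Label the request the way the thread distinguishes the cases."""
    csid = attrs.get("Calling-Station-ID", "")
    mac = normalize_mac(csid)
    if mac is None:
        try:
            ipaddress.ip_address(csid)
            return "calling-station-id-is-ip"   # web auth / VPN / auth-proxy style
        except ValueError:
            return "calling-station-id-unknown"
    if normalize_mac(attrs.get("User-Name", "")) == mac:
        return "mac-filtering"                   # WLC sent the MAC as the username
    return "dot1x"                               # real identity plus MAC in Calling-Station-ID


def raw_equals(attrs: Dict[str, str], ldap: Dict[str, str]) -> bool:
    """Literal 'Calling-Station-ID equals LDAP:mac-attribute' with no normalization."""
    return attrs.get("Calling-Station-ID") == ldap.get(attrs.get("User-Name", ""))


def mac_matches_ldap(attrs: Dict[str, str], ldap: Dict[str, str]) -> bool:
    """Same rule, but comparing normalized MACs and failing closed.

    Returns False when Calling-Station-ID does not carry a MAC (web auth, VPN),
    when the user has no stored MAC, or when the normalized values differ.
    """
    mac = normalize_mac(attrs.get("Calling-Station-ID", ""))
    if mac is None:
        return False
    stored = ldap.get(attrs.get("User-Name", ""))
    if stored is None:
        return False
    return normalize_mac(stored) == mac


if __name__ == "__main__":
    for name, attrs in SAMPLE_REQUESTS.items():
        print(f"{name:14s} case={classify_request(attrs):26s} "
              f"raw_equals={raw_equals(attrs, LDAP_MAC_ATTRIBUTE)!s:5s} "
              f"normalized={mac_matches_ldap(attrs, LDAP_MAC_ATTRIBUTE)}")
```

Running it shows the dot1x request failing the literal comparison (colon form versus dotted form in LDAP) while passing the normalized one, and the web-auth request failing both, which is the behaviour you want when the attribute carries an IP instead of a MAC.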
