
MAC Authentication

Answered Question
Apr 7th, 2006

I am jumping headfirst into ACS and have a question about authenticating clients via MAC address through an AP1200 to ACS4.0.


I have only done Windows IAS before to auth VPN clients, so this is new.


I am reading all the docs I can find and still can't understand how I can enter the MAC address of an allowed station into either the ACS database or the Windows directory.


Also, has anyone ever seen (or written) a simple "how-to" on setting up ACS and an AP?


Thanks

Correct Answer by manish.gaur about 11 years 4 months ago

Hi,

You need to configure the attribute value pairs if you're going for RADIUS authentication.

I am sending you a related doc; I think this is enough. I am also working on the same, so if you need any help, you are most welcome.

[email protected]

However, by entering an IP address in place of the CLI you can use the non-IP-based filter even when the AAA client does not use a Cisco IOS release that supports CLI or DNIS. In another exception to entering a CLI, you can enter a MAC address to permit or deny; for example, when you are using a Cisco Aironet AAA client. Likewise, you could enter the Cisco Aironet AP MAC address in place of the DNIS. The format of what you specify in the CLI box—CLI, IP address, or MAC address—must match the format of what you receive from your AAA client. You can determine this format from your RADIUS Accounting Log.

Attributes for DNIS/CLI-based restrictions, per protocol, include the following NAR fields:

  • If you are using TACACS+—The NAR fields listed employ the following values:

    – AAA client—The NAS-IP-address is taken from the source address in the socket between Cisco Secure ACS and the TACACS+ client.
    – Port—The port field in the TACACS+ start packet body is used.
    – CLI—The rem-addr field in the TACACS+ start packet body is used.
    – DNIS—The rem-addr field taken from the TACACS+ start packet body is used. In cases in which the rem-addr data begins with “/” the DNIS field contains the rem-addr data without the “/” character.


darpotter Fri, 04/07/2006 - 12:54
User Badges:
  • Silver, 250 points or more

This is a good starting point:


http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801495a1.shtml


...although it's mainly about EAP.


To support MAC authentication I think you enter users into the ACS database with the username equal to the MAC address. I'm not sure what you set the password to; I'm guessing that the AP will allow you to preset a hard-coded password. Without a password ACS will not authenticate the session.


Darran

travis-dennis_2 Fri, 04/07/2006 - 14:37
User Badges:
  • Gold, 750 points or more

Don't quote me on this, but I seem to recall that you enter the MAC address for the password as well to get this type of authentication.

dewmancco Fri, 04/07/2006 - 20:44

OK, MAC Authentication breakdown:

Enter the MAC address as the username: ALL lowercase, no spaces or dashes.

When you create the user, you enter the MAC address, all lowercase, no spaces or dashes, in the same format as the username, as the password.

You can check the box and use a separate CHAP / MS-CHAP password, then enter a unique pass. This prevents users from doing funny stuff, like using the MAC username and MAC password as a LEAP username/password, or, if you use RADIUS for your admin auth, logging into the device with mac:mac as the username and password. That is, of course, if you don't take the time to set up NARs and the such.
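The username/password format dewmancco describes, and the mac:mac weakness both he and darpotter point out, as an added example that is not part of any post in this thread: it normalizes the MAC formats an AAA client might report (colon, dash, Cisco dotted, uppercase) into the ACS username form, builds the user entry, and audits a user list for accounts whose only credential is the MAC itself. The sample MACs and the dictionary layout of a "user entry" are constructed for illustration, not an ACS export format.

```python
import re
from typing import Dict, List

# Constructed sample: one MAC as different AAA clients might present it.
SAMPLE_MACS = [
    "00:0B:85:1A:2C:3D",   # colon-separated, uppercase
    "00-0b-85-1a-2c-3d",   # dash-separated
    "000b.851a.2c3d",      # Cisco dotted notation
    "00 0b 85 1a 2c 3d",   # space-separated
]

MAC_RE = re.compile(r"[0-9a-f]{12}")


def to_acs_username(mac: str) -> str:
    """Normalize a MAC to the form dewmancco gives for the ACS user:
    12 hex digits, all lowercase, no spaces, dashes, colons or dots.
    Raises ValueError if the input is not a 48-bit MAC address."""
    digits = re.sub(r"[\s:.\-]", "", mac).lower()
    if not MAC_RE.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def build_mac_user(mac: str, separate_chap_password: str = "") -> Dict[str, str]:
    """Build a user entry (hypothetical dict layout): username and PAP
    password are both the normalized MAC. A distinct CHAP/MS-CHAP password
    keeps the mac/mac pair from doubling as LEAP or admin credentials."""
    name = to_acs_username(mac)
    entry = {"username": name, "password": name}
    if separate_chap_password:
        entry["chap_password"] = separate_chap_password
    return entry


def audit_mac_users(users: List[Dict[str, str]]) -> List[str]:
    """Defender-side check: return MAC-style accounts whose only credential
    is the MAC itself (password == username, no separate CHAP password).
    These are the accounts usable as mac:mac against other services."""
    weak = []
    for u in users:
        name = u.get("username", "")
        if MAC_RE.fullmatch(name) and u.get("password") == name and not u.get("chap_password"):
            weak.append(name)
    return weak
```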
darpotter Tue, 04/11/2006 - 02:21
User Badges:
  • Silver, 250 points or more

Of course the term "MAC Authentication" is totally misleading.


There is no authentication going on here. ACS is just looking up the MAC address to see if it's in the DB.


Only use this if there is no other choice. It's totally insecure.


You should (at very least) treat your wireless network the same as a remote dial in. Would you let anyone dial into your network without a password?


Darran

ROBERT CROOKS Tue, 04/11/2006 - 04:17

I am considering MAC auth for clients that don't support other methods. From what I've read, there are other ways, but this seems simple enough.


Thanks to everyone for all the help.

gtalps123 Thu, 04/20/2006 - 04:26

I am looking for a similar solution in a wired network. The documentation has given a procedure which I followed, but it doesn't work consistently! Sometimes it authenticates based on the MAC and sometimes it fails. It seems Cisco does not support MAC auth directly. We have to enable 802.1X; the switch first checks for the 802.1X client, and once it times out, MAC authentication gets triggered. This timeout is 2 minutes. If someone can help me on this, please.

