Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
812
Views
15
Helpful
7
Replies

MAC Authentication

Go to solution
ROBERT CROOKS
Level 1
Level 1

‎04-07-2006 12:16 PM - edited ‎03-10-2019 02:32 PM

I am jumping headfirst into ACS and have a question about authenticating clients via MAC address through an AP1200 to ACS4.0.

I have only done Windows IAS before to auth VPN clients, so this is new.

I am reading all the docs I can find and still can't understand how I can enter the MAC address of an allowed station into either the ACS database or the Windows directory.

Also, has anyone ever seen (or written) a simple "how-to" on setting up ACS and an AP?

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
manish.gaur
Level 1
Level 1

‎04-08-2006 12:00 AM

hii

u need to configure the attribute value pairs if ur going for radius authentication

i am sending u related doc i think this is enough i am also workin on same if need any help most welcome

gaurmanish@yahoo.com

However, by entering an IP address in place of the CLI you can use the

non-IP-based filter even when the AAA client does not use a Cisco IOS release

that supports CLI or DNIS. In another exception to entering a CLI, you can enter

a MAC address to permit or deny; for example, when you are using a Cisco

Aironet AAA client. Likewise, you could enter the Cisco Aironet AP MAC

address in place of the DNIS. The format of what you specify in the CLI

box—CLI, IP address, or MAC address—must match the format of what you

receive from your AAA client. You can determine this format from your RADIUS

Accounting Log.

Attributes for DNIS/CLI-based restrictions, per protocol, include the following

NAR fields:

• If you are using TACACS+—The NAR fields listed employ the following

values:

– AAA client—The NAS-IP-address is taken from the source address in

the socket between Cisco Secure ACS and the TACACS+ client.

– Port—The port field in the TACACS+ start packet body is used.

– CLI—The rem-addr field in the TACACS+ start packet body is used.

– DNIS—The rem-addr field taken from the TACACS+ start packet body

is used. In cases in which the rem-addr data begins with “/” the DNIS

field contains the rem-addr data without the “/” character.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
darpotter
Level 5
Level 5

‎04-07-2006 12:54 PM

This is a good starting point:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801495a1.shtml

..although its mainly about EAP.

To support MAC authentication I think you enter users into the ACS database with the username equal to the mac address. Im not sure what you set the password to - Im guessing that the AP will allow you to preset a hard-coded password. Without a password ACS will not authenticate the session.

Darran

Go to solution
travis-dennis_2
Level 7
Level 7
In response to darpotter

‎04-07-2006 02:37 PM

Don't quote me on this but I seem to recall that you enter the mac address for the password as well to get this type of authentication.

Go to solution
dewmancco
Level 1
Level 1
In response to travis-dennis_2

‎04-07-2006 08:44 PM

OK MaC Authentication breakdown

enter the mac address as the username

ALL lowercase, no spaces or dashes

when you create the user, you enter the MAC address all lowercase,no spaces or dahses, the same format as the username, as the password

You can check the box and use a seperate CHAP / MS bla bla password, then enter a unique pass, This prevents users from doing funny stuff, like use the Mac username and mac pass as a LEAP username/password, or if you use RADIUS for your admin auth, you can log into the device with mac:mac as your username and password. THat if of course, if you dont take the time to set up NARs and the such.

0 Helpful

Go to solution
darpotter
Level 5
Level 5
In response to dewmancco

‎04-11-2006 02:21 AM

Of course the term "MAC Authentication" is totally misleading.

There is no authentication going on here. ACS is just looking up the MAC address to see its in the DB.

Only use this if there is no other choice. Its totally insecure.

You should (at very least) treat your wireless network the same as a remote dial in. Would you let anyone dial into your network without a password?

Darran

Go to solution
ROBERT CROOKS
Level 1
Level 1
In response to darpotter

‎04-11-2006 04:17 AM

I am considering MAS auth for clients that don't support other methods. From what i've read, there are other ways, but this seems simple enough.

Thanks to everyone for all the help.

0 Helpful

Go to solution
gtalps123
Level 1
Level 1
In response to darpotter

‎04-20-2006 04:26 AM

I am looking for a similar solution in wired network. The documentation has given a procedure which I did; but it doesn’t work consistently! Some times it authenticates based on the MAC and sometimes it fails. It seems Cisco does not support MAC auth directly. We have to enable 802.1X and first the switch checks for the 802.1X client once it times out, MAC authentication gets triggered. This time out is 2 minutes. If someone can help me on this Please.

0 Helpful

Go to solution
manish.gaur
Level 1
Level 1

‎04-08-2006 12:00 AM

hii

u need to configure the attribute value pairs if ur going for radius authentication

i am sending u related doc i think this is enough i am also workin on same if need any help most welcome

gaurmanish@yahoo.com

However, by entering an IP address in place of the CLI you can use the

non-IP-based filter even when the AAA client does not use a Cisco IOS release

that supports CLI or DNIS. In another exception to entering a CLI, you can enter

a MAC address to permit or deny; for example, when you are using a Cisco

Aironet AAA client. Likewise, you could enter the Cisco Aironet AP MAC

address in place of the DNIS. The format of what you specify in the CLI

box—CLI, IP address, or MAC address—must match the format of what you

receive from your AAA client. You can determine this format from your RADIUS

Accounting Log.

Attributes for DNIS/CLI-based restrictions, per protocol, include the following

NAR fields:

• If you are using TACACS+—The NAR fields listed employ the following

values:

– AAA client—The NAS-IP-address is taken from the source address in

the socket between Cisco Secure ACS and the TACACS+ client.

– Port—The port field in the TACACS+ start packet body is used.

– CLI—The rem-addr field in the TACACS+ start packet body is used.

– DNIS—The rem-addr field taken from the TACACS+ start packet body

is used. In cases in which the rem-addr data begins with “/” the DNIS

field contains the rem-addr data without the “/” character.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents