Nowadays, people have smartphones, typically iPhones and Android phones, and they all have WiFi.
We already have a wireless net set up, with 802.1x security, where people connect using certificates and user informations stored in AD
I would like to see the smartphones use the same SSID as the computers, using the owners user info from AD.
But I think user info from AD only is too weak (since I cannot use certificate enrollment on the phones), so I would like to add the smartphone's mac address to the internal hosts database, too, so I have 2 layers of security:
If smartphone mac exists in internal hosts, then authenticate it with AD information.
Is this possible? If so, then how?
When I try this, I only get the message that the user credentials does not exist in Internal users, and then it fails.
If you are using Cisco WLC for managing your wireless infrastructure this is possible.. You can implement whats called mac filtering ( somewhat equivalent to MAB on switches ) along with an additional layer of authentication with creds. You can chose to populate these mac addresses on ACS and have ACS point to AD for extra creds checking. You are better off posting the same Q on the wireless forum just to get additional details around it such as what version of controller started supporting it etc.
Hi, and thanks for answering.
If you are using Cisco WLC for managing your wireless infrastructure this is possible.. You can implement whats called mac filtering ( somewhat equivalent to MAB on switches )
We are leaving Cisco WLC for Aerohive, so that is not really an option.
You can chose to populate these mac addresses on ACS and have ACS point to AD for extra creds checking. You are better off posting the same Q on the wireless forum just to get additional details around it such as what version of controller started supporting it etc.
See, here you touch into the problem I have; I'm not able to get the phones to first ask the MAB database, and THEN AD.
When I try to set up this, the phones goes to the local USERS database, and checks username/password. But I want the phone to be checked against the local HOSTS database, and then the username / password against AD.
I was able to get ACS to authorize with both AD credentials and MAB using the end station filters. Add end station filters to your access policies authorization and AD to your access policy identify. We have a large amount of iPhone and iPad users in our healthcare enviroment and they are able to use their AD credentials and based on the mac of the device, ACS will determine which vlan it's supposed to be on.
Hi, and thank you for your answer.
But I'm not able to get this working.
I have done what you said, but I get the same result: none of the rules in the policy matches.
Can you provide pictures or something?
The only thing that works for me, is if I match the mac-address on the device manually, like this:
(AD-AD1:ExternalGroups contains any admin.testdomain.lan/Builtin/Users And RADIUS-IETF:Calling-Station-ID equals 00-25-00-80-7C-3F)
And i wonder: What is the difference between nodes listed in end station filters and nodes listet in internal hosts?
I could not get it to work with the RADIUS attributes and AD together. I've attached some screenshot on setting it up with the End Station Filters. After you get it set up, you can use the template and just upload new MAC addresses into it.
Hello again, and sorry for the late answer.
I have done as you've shown me, but it still does not work.
But as you can see from the attached picture, when I try to add an end station, its MAC address is always shifted over to the Destination MAC.
I dont' know why, I write down the mac address into the end stadion, but when I press submit, I find it on the Destination side.
Smells like a bug to me... or what?
When adding mac addresses, are you making sure the end station mac check box is checked?
If so, are your patches up to date? If they are, it could be a bug. I'll check the old tac cases and see.
Yes, I'm sure.
I'm posting a series of pictures that can show you that this most probably is a bug
I am using v184.108.40.206.1, btw.
First End Station:
First End Station before submitted:
First End Station after submitted:
Second End Station:
Second End Station before submitted:
Second End Station after submitted:
Third End Station:
Third End Station before submitted:
Third End Station after submitted:
You see, there are some strange things going on in there. TAC next, I guess.
Did you get any resolution from TAC? I haven't seen the need yet to update to 5.2 and am awaiting 5.3 to hopefully fix the max-sessions issue.
Yes, I did get an answer just the other day.
They said it was in fact a know bug, and it will be fixed in v5.3:
CSCtk16271 ACS5: CLI DNIS values switch columns when Submit is clicked
When entering CLI and DNIS values under the end station filters if you enter a DNIS value it will switch to CLI when you hit submit, if you enter a CLI value it will switch to DNIS when you hit submit.
If you go back into the end station filter and his submit without making any changes all the values will be set to CLI, if you go back in again and hit submit without making any changes all the values will switch to DNIS.
Enter all your end station MAC values as Destination MAC and all your Destination MAC values as end station MAC before hitting submit.
Thanks a lot, I also experienced the same issue with the End Station always being sent to Destination Station !
Can you please post the bug number because I cannot see its description in your previous post. In particular, I would like to see if there is any workaround for that issue.
Thanks a lot,
There is a similar bug: CSCtk16271: ACS5: CLI DNIS values switch columns when Submit is clicked
This is fixed in patch: 220.127.116.11.5