Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS 5.3 Authorization of user based on MAC address

Hi all,

hopefully someone can help me further.

A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access only to company notebooks. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated in the domain and being unable to do certificate based authentication.

As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password I now wanted to add another step into the authentication process - the MAC of the device.

I know I can do the filtering at the WLAN controller, but as it has a limited database as well as the fact that it is cumbersome to maintain the MAC list on all the controllers I thought I can do it over our ACS system.

I am now trying to accomplish the following:

The user gets authenticated via the internal user store, which is succesful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, if access is granted or not.

For this I created the following policy:

Service Selection Policy -- (Rule based result selection)

-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access

-- Default | Result: DenyAccess

Service PEAP access

Identity: Internal Users -- (Single result selection)

Authorization -- (Rule based result selection)

-- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs

When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs is:

15039 Selected Authorization Profile is DenyAccess

Is it not possible to use one identity store as "attribute database" for the other identity store?


Regards,

Patrick

1 ACCEPTED SOLUTION

Accepted Solutions
Gold

ACS 5.3 Authorization of user based on MAC address

For this can use an end station filter

define at Policy Elements > Session Conditions > Network Conditions > End Station Filters

Can define a list of MAC addresses; can be imported and exported from a file

To include in authoirzation policy; customize the authorization policy to include the "End Station Filter" condition and then select the defined End Station Filter object that you have just defined

5 REPLIES

ACS 5.3 Authorization of user based on MAC address

Patrick,

When performing peap authentication the acs by default will look in the internal user store. You can try to configure your identity sequcence to use internal but set the additional attribute selection for the internal hosts db.

An easier approach you can try is to create a condition in your peap rule to check the calling station id, which is the mac oui of the barcode scanner.

If the mac oui for the bar code scanner is 00-00-00, then set you conditon to begins with and then test.

Similar to your called station check for the ssid.

Thanks,

Tarik Admani *Please rate helpful posts*
New Member

ACS 5.3 Authorization of user based on MAC address

Hi Tarik

You can try to configure your identity sequcence to use internal but set the additional attribute selection for the internal hosts db.

I tried that already, it did not work. I got the same error.

An easier approach you can try is to create a condition in your peap rule to check the calling station id, which is the mac oui of the barcode scanner.

If the mac oui for the bar code scanner is 00-00-00, then set you conditon to begins with and then test.

I tried this approach and it even worked, but it is not scalable. I am not a fan of wildcard filters for MACs, I want to use absolute values, that's why.

We have many scanners and I did not find a way to import rules similiar to the import of MAC addresses via CSV nor does it allow for simple mistakes with logical operators. If you try to remove an operator all conditions within are deleted as well.

Also when I tried to set the calling station id filter from static to dynamic the only attribute I can use of the internal hosts dictionary is HostIdentityGroup which is not an identity group per se but actually contains them.

Is there no other way?

Regards,

Patrick

Gold

ACS 5.3 Authorization of user based on MAC address

For this can use an end station filter

define at Policy Elements > Session Conditions > Network Conditions > End Station Filters

Can define a list of MAC addresses; can be imported and exported from a file

To include in authoirzation policy; customize the authorization policy to include the "End Station Filter" condition and then select the defined End Station Filter object that you have just defined

New Member

ACS 5.3 Authorization of user based on MAC address

That did it! Thanks!

Regards,

Patrick

New Member

ACS 5.3 Authorization of user based on MAC address

One more question.

Is there a similiar option for the ISE?

I can't find one.

Regards,

Patrick

1898
Views
0
Helpful
5
Replies
CreatePlease to create content