[ACS 5.4] Retrieve MAC Address (to use in policy)

Hi,

I want to authenticate WLC clients and compare their MAC address with LDAP attributes.

We stored MAC address for each user in our LDAP server.

I have to retrieve MAC address stored by ACS in policy rules to compare with LDAP value.

The only attribute containing the MAC address I found is "Calling-Station-ID" in "RADIUS-IETF" dictionary.

I don't know if this attribute will always be the MAC address...

Is it possible to retrieve an attribute "MAC address"?

Thanks for your help,

Patrick

1 ACCEPTED SOLUTION

Accepted Solutions

[ACS 5.4] Retrieve MAC Address (to use in policy)

If you are using 802.1x or MAC filtering, the device username is used as the MAC address, or the calling-station-id. The time you will not see the MAC address is when you are doing local web auth with external authentication to ACS. You also see this for VPN users and in auth-proxy conditions.

For WLC and dot1x, the MAC address is always used for the calling-station-id.

Hope this helps.

Tarik Admani
*Please rate helpful posts*

8 REPLIES


[ACS 5.4] Retrieve MAC Address (to use in policy)

Tarik - I did not understand this:

"the device username is used as the mac address"

what do you exactly mean?

Rating useful replies is more useful than saying "Thank you"

[ACS 5.4] Retrieve MAC Address (to use in policy)

I was referring to the mac-filtering operation and how the WLC will send the MAC address as the username and password to the RADIUS server. I was referring to the device as the WLC and not the client, which led to the confusion on my end.

Thanks for bringing this up for clarification.

Tarik Admani
*Please rate helpful posts*

[ACS 5.4] Retrieve MAC Address (to use in policy)

Thanks Tarik for clarification.

But I am a bit confused now.

You said that the device MAC address is used instead of the username, and you mean the WLC when you say the device? Am I understanding correctly?

Or (what I think you mean is) the WLC sends the user's request and puts the user's MAC address instead of the username when it sends the request to the ACS. Right?

One question on the side: how will it behave if you have both 802.1x (with EAP) and MAC filtering configured under the SSID of the WLC?

Thanks.

Amjad

Rating useful replies is more useful than saying "Thank you"

[ACS 5.4] Retrieve MAC Address (to use in policy)

"Or (what I think you mean is) the WLC sends the user's request and puts the user's MAC address instead of the username when it sends the request to the ACS. Right?"

That is correct.

"One question on the side: how will it behave if you have both 802.1x (with EAP) and MAC filtering configured under the SSID of the WLC?"

I have not tested the EAP portion, but this is documented to be an "AND" scenario where both should succeed in order for access to be granted. I have tested this where PSK will work in conjunction with mac-filtering.

I know from my experience that when I leverage RADIUS NAC (for ISE deployments), I can only use mac-filtering and not any other form of PSK or EAP with mac-filtering; I don't know if this has changed since I tested this on the 7.4 release.

thanks,

Tarik Admani
*Please rate helpful posts*

[ACS 5.4] Retrieve MAC Address (to use in policy)

Well,

The point is, if you'd like to choose 802.1x with MAC filtering with ACS 5.x for example, there will be only one policy that will match the request; either 802.1x or MAC, but not both.

This is the challenging point.

Rating useful replies is more useful than saying "Thank you"


Hi,

Have you configured the ACS policy as per your requirement? I am also stuck in such a situation, where I need to authenticate based on MAC addresses stored in the ACS database together with AD authentication. If you have configured these policies, please suggest.

Kamlesh

[ACS 5.4] Retrieve MAC Address (to use in policy)

Hi Tarik,

Thanks for your quick reply.

In my case, I want users to authenticate with login/password of our LDAP server.

But, to enforce security, I would like to check their MAC Address that is stored in our LDAP.

On ACS, I configured LDAP Authentication.

Then I configured a policy rule "RADIUS-IETF:Calling-Station-ID equals LDAP:mac-attribute" and it worked without problem.

I wanted to know if there is another attribute than RADIUS-IETF:Calling-Station-ID which stores the MAC address.

I was not sure that RADIUS-IETF:Calling-Station-ID always means MAC address.

Thanks again,

Patrick
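As an added illustration (not code from this thread and not ACS's own logic), the following Python script models the comparison Patrick's rule "RADIUS-IETF:Calling-Station-ID equals LDAP:mac-attribute" performs, and handles the caveat from the accepted answer: it normalises the MAC formats a NAS may send, and denies when Calling-Station-Id carries something other than a MAC (for example an IP address, as with web auth or VPN sessions). The request values, the user name and the LDAP attribute are constructed sample data.

```python
import re

# Constructed sample Calling-Station-Id values as a NAS might send them:
# WLC/dot1x style "00-1A-2B-3C-4D-5E", Cisco dotted "001a.2b3c.4d5e", an IP
# address (what web auth / VPN sessions carry instead of a MAC), and a mismatch.
SAMPLE_REQUESTS = [
    {"user": "patrick", "Calling-Station-Id": "00-1A-2B-3C-4D-5E"},
    {"user": "patrick", "Calling-Station-Id": "001a.2b3c.4d5e"},
    {"user": "patrick", "Calling-Station-Id": "10.1.2.3"},
    {"user": "patrick", "Calling-Station-Id": "00-1A-2B-3C-4D-5F"},
]

# Constructed LDAP record: the per-user MAC attribute the policy compares against.
LDAP_MAC = {"patrick": "00:1a:2b:3c:4d:5e"}

_MAC_FORMATS = (
    re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I),  # 00:1a:2b:3c:4d:5e
    re.compile(r"^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I),    # 001a.2b3c.4d5e
    re.compile(r"^[0-9a-f]{12}$", re.I),                      # 001a2b3c4d5e
)


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if value is not a MAC."""
    value = value.strip()
    if any(p.match(value) for p in _MAC_FORMATS):
        return re.sub(r"[^0-9a-f]", "", value.lower())
    return None  # e.g. an IP address from a web auth or VPN session


def authorize(calling_station_id, ldap_mac):
    """Model the rule 'Calling-Station-ID equals LDAP:mac-attribute'."""
    seen = normalize_mac(calling_station_id)
    if seen is None:
        return "deny", "Calling-Station-Id is not a MAC address"
    expected = normalize_mac(ldap_mac)
    if expected is None:
        return "deny", "LDAP attribute is not a valid MAC address"
    if seen != expected:
        return "deny", "MAC does not match LDAP record"
    return "permit", "MAC matches LDAP record"


def evaluate(requests=SAMPLE_REQUESTS, directory=LDAP_MAC):
    """Run every sample request through the rule; returns (csid, decision, reason)."""
    return [(r["Calling-Station-Id"], *authorize(r["Calling-Station-Id"], directory[r["user"]]))
            for r in requests]


if __name__ == "__main__":
    for csid, decision, reason in evaluate():
        print(f"{csid:20} {decision:6} {reason}")
```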
