Community Member

Dual Authentication with MAC and radius server

Hi,

Can anyone clarify whether we can do MAC address authentication and Radius server authentication in the wireless network? In my network I have a WLC, ACS and an AD server.

Thanks & Regards,

Jayaprakash.K.V

10 REPLIES
Cisco Employee

What do you mean by "Radius Server Authentication" ? 

Community Member

I mean the AD authentication. 

Cisco Employee

Ah ok :) So yes, you should be able to perform your user or machine based authentication against AD and also check the MAC address against the database of your Radius server. I have personally done this with both ISE and ACS. In the WLC you will set your regular 802.1x settings and also check "mac filtering." Then you have to make sure that your Radius servers are configured on the WLC and set to be used by that SSID, otherwise the mac filtering mechanism will use the WLC's local database.

Hope this helps!


Thank you for rating helpful posts!

Community Member

Thank you Neno Spasov.

Will this work without ISE? Can you please share any relevant document.

Thanks in advance.

Cisco Employee

What do you plan to use for Radius server?

Community Member

I am using ACS 4.3 and planning to upgrade to 5.3 now.

Cisco Employee

I haven't done it with ACS but it should be similar to ISE:

1. You configure your WLAN settings with the appropriate 802.1x settings. However, in addition, under Security > Layer 2, you need to check "Mac Filtering." Then under the AAA servers tab, make sure that your ISE server(s) are listed under both authentication and accounting.

2. In ACS, you will need to:

2.1. Create an Identity Store Sequence that includes both AD and Internal Endpoints/hosts

2.2. Create all of the hosts/static MACs under Users and Identity Stores > Internal Identity Stores > Hosts

2.3. Create an Authentication policy that allows MAB (PAP/ASCII > Detect PAP as Host Lookup) and the protocol that you are using for AD authentication (usually PEAP or EAP-MD5). The policy should be using the previously created Identity Store Sequence that includes both AD and Internal Hosts.

2.4. Create an Authorization policy that checks for both the membership of an AD group (for instance, Domain Computers or Domain Users) AND for device membership in "Local Hosts".

2.5. Return an "Authorization Profile" with the desired permissions.

Hope this helps!


Thank you for rating helpful posts!

Community Member

Thanks a lot Neno. I will try and update the same.

Cisco Employee

No problem. Btw, a couple of corrections:

1. The identity store sequence does NOT need to include "internal hosts". I just tested this (ISE only again) and AD only is OK. I believe you need this if you are going to do regular MAB.

2. The SSID does not need to have "Mac Filtering" checked. Again, I just tested this in my lab with ISE and can confirm that it is not needed. 

Everything else should be OK :) I would test this with ACS but my lab is not integrated with it yet and I don't currently have time to do it. Maybe later in the week if time allows. Anyways, give it a try and see how far you can get. The nice thing about ACS 5 vs 4 is that you get a lot more log info so troubleshooting is much easier. 


Thank you for rating helpful posts!
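As an added illustration, not from this thread or from Cisco, the Python below models the authorization rule from the ACS steps above together with the correction that the SSID does not need "Mac Filtering": an 802.1X request is permitted only when the AD identity is in an allowed group AND the Calling-Station-Id is in Local Hosts, while a Call-Check (host lookup) request is judged on the MAC alone. The two identity stores, the attribute/profile names and the sample requests are constructed; MAC normalization is included because controllers and clients write Calling-Station-Id in different formats.

```python
import re

# Constructed stand-ins for the two stores the ACS policy consults:
# AD group memberships and the Internal Identity Stores > Hosts list.
AD_GROUPS = {
    "host/LAPTOP-01.corp.example": {"Domain Computers"},   # machine account
    "jsmith": {"Domain Users"},
    "contractor7": {"Vendors"},                            # AD user, wrong group
}
INTERNAL_HOSTS = {"001122334455", "aabbccddeeff"}          # normalized MACs
ALLOWED_AD_GROUPS = {"Domain Computers", "Domain Users"}


def normalize_mac(raw):
    """Collapse the Calling-Station-Id spellings seen from different
    clients/controllers (00:11:22:33:44:55, 00-11-22-33-44-55,
    0011.2233.4455) to 12 lowercase hex digits; None if not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "").lower()
    return digits if len(digits) == 12 else None


def mac_is_known(raw_mac):
    """Local Hosts membership test used by the authorization rule."""
    mac = normalize_mac(raw_mac)
    return mac is not None and mac in INTERNAL_HOSTS


def authorize(request):
    """Evaluate one RADIUS Access-Request (a dict of attributes, constructed)
    against the combined rule and return the authorization profile name."""
    mac_raw = request.get("Calling-Station-Id", "")
    if request.get("Service-Type") == "Call-Check":
        # MAB host lookup sent when "Mac Filtering" is enabled on the SSID:
        # the User-Name is the MAC itself and only the host store is checked.
        same = normalize_mac(request.get("User-Name")) == normalize_mac(mac_raw)
        return "PermitMAB" if same and mac_is_known(mac_raw) else "REJECT"
    # 802.1X (PEAP) request: the AD identity must be in an allowed group
    # AND the calling device must be in Local Hosts.
    if not mac_is_known(mac_raw):
        return "REJECT"
    groups = AD_GROUPS.get(request.get("User-Name", ""), set())
    if not groups & ALLOWED_AD_GROUPS:
        return "REJECT"
    return "PermitAccess"
```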

Cisco Employee

Tips to make Machine Authentication Work - PEAP Authentication

https://supportforums.cisco.com/document/87611/tips-make-machine-authentication-work-peap-authentication
