Cisco Support Community
New Member

mac based security managed centrally (Acs or whatever)

I have a project. My customer wants to use MAC address based security on their whole network. They want only PCs/notebooks with specific MAC addresses to be able to connect to their network. But they don't want configuration on a per-switch basis. They want centralized management.

We first looked at ACS. But we realized that ACS supports only wireless access points for this kind of purpose. I also found that there is an ACS feature called NAR (Network Access Restriction). Can I use this feature?

They don't want additional integration (Active Directory, etc.) and don't want to install any software on their PCs/notebooks. Because of this I can't use an EAP solution.

They have approx. 300 PCs, and they will enter the whole MAC address list into ACS, and only these PCs will connect to the network. Is it possible?

Best Regards


Re: mac based security managed centrally (Acs or whatever)

I wouldn't recommend this as a strong security solution, but it could be done - in theory.

The customer's devices need to be configured to initiate a PAP authentication using pre-configured credentials (à la NAC auth bypass).

ACS will have this username and password configured, plus a network access restriction that lists the allowed set of MAC addresses.

While this may work for 300 users, NARs are not that easily scalable.

New Member

Re: mac based security managed centrally (Acs or whatever)

I have the same requirement. Given that the ACS solution above is not going to be scalable enough for my requirements, would you suggest I look at deploying NAC using the existing Cisco infrastructure with ACS and installing Cisco Trust Agent on all connected PCs and notebooks, with MAC authentication (switchport security) on any other devices such as printers, etc.?

New Member

Re: mac based security managed centrally (Acs or whatever)

This will depend on whether you can get the switch to issue some form of AAA request prior to allowing packets to flow from the newly connected port.

If you can then it should be possible to get ACS to perform some form of MAC authentication.

But the first problem is getting the switch to perform some kind of authentication using RADIUS or T+.
