New Member

User + Mac Address Authorization Policy


Hi,


Is there any option to bind a user who is correctly authorized from an external identity source to the MAC address of his workstation?

The point is to give him access to the network only from a specific workstation and deny him access from any other workstation.


Thanks

6 REPLIES
Cisco Employee

Couple of questions:

1. What type of Radius server are you using?

2. When do you want the "binding" to happen? During the authorization process, or do you want to manually specify the MAC address for every single user?

3. What type of authentication are you using? PEAP, EAP-TLS, etc.?

Thank you for rating helpful posts!

New Member

1. ISE 1.2 has the role of RADIUS server.

2. Really I don't know. I guess the binding should happen before the login, as I don't want the user to log in from any other PC.

The key point in this scenario is that a user logs in on the corporate wired network only from his PC (user + MAC) and is denied from any other PC.

If you want, describe both ways to me so I can understand which might fit my case.

3. The PC has the native Windows supplicant and authenticates through PEAP MS-CHAPv2.


Thanks in advance

New Member

Is the user authentication referencing AD?

New Member

Hello,

Yes!!! I will agree that MAC is an easy way of spoofing, but I'm trying to find my options in this scenario.

The group will consist of 2 users that will be part of my domain (probably for these specific users I should deploy MAR?).

But another one who will work with the team will be external support, and he will be coming with his laptop.


Thanks

Cisco Employee

MAR is also not ideal as it comes with tons of limitations :) In addition, it also uses the MAC address of the machine as the username, which is sent in plain text :) So I would not recommend MAR.

Why don't you try PEAP machine-based authentication? This will allow only domain-joined (corporate-owned) computers to authenticate. If the computer is not part of the domain, authentication will fail.

Thank you for rating helpful posts! 

Cisco Employee

I have never been a fan of trying to lock down things via MAC addresses, since MAC addresses can be easily spoofed.

If you are already using PEAP and your machines are part of AD, then an easier and more secure solution would be to use "Machine (PEAP)" based authentication. That way ISE will consult AD and confirm that the authenticating machine is both joined to the domain and enabled.

Thank you for rating helpful posts!

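An added example, not from the thread or from Cisco: a small Python model of the two authorization approaches discussed above (user credential plus MAC binding versus PEAP machine authentication), run against constructed RADIUS-style requests. The identity store, computer names and MAC bindings are constructed sample data, and the two functions are simplified stand-ins for ISE policy rules, not ISE's own logic.

```python
from dataclasses import dataclass

# Constructed stand-in for the AD identity store: user accounts, and computer
# accounts with their enabled flag (machine auth needs joined AND enabled).
AD_USERS = {"jdoe", "asmith"}
AD_COMPUTERS = {
    "host/PC-JDOE.corp.example": True,   # joined, enabled
    "host/PC-OLD.corp.example": False,   # joined, but account disabled
}

# Constructed user -> workstation MAC bindings for the "user + MAC" approach.
USER_MAC_BINDINGS = {"jdoe": "00:11:22:33:44:55"}


@dataclass
class AccessRequest:
    identity: str             # EAP identity: "user", or "host/..." for machine auth
    calling_station_id: str   # MAC the switch reports; set by the endpoint, so spoofable
    credential_ok: bool       # whether PEAP MS-CHAPv2 succeeded against AD


def authorize_user_plus_mac(req: AccessRequest) -> str:
    """User auth plus MAC binding: identity must be a known, authenticated user
    and Calling-Station-Id must equal the MAC bound to that user. The policy
    only sees the reported MAC, so a spoofed one is indistinguishable."""
    if not req.credential_ok or req.identity not in AD_USERS:
        return "DENY"
    bound = USER_MAC_BINDINGS.get(req.identity)
    if bound is None or bound.lower() != req.calling_station_id.lower():
        return "DENY"
    return "PERMIT"


def authorize_machine_auth(req: AccessRequest) -> str:
    """PEAP machine auth: identity must be a host/ computer account that the
    directory knows and has enabled; the MAC plays no role in the decision."""
    if not req.credential_ok or not req.identity.startswith("host/"):
        return "DENY"
    return "PERMIT" if AD_COMPUTERS.get(req.identity, False) else "DENY"


if __name__ == "__main__":
    own_pc = AccessRequest("jdoe", "00:11:22:33:44:55", True)
    other_pc = AccessRequest("jdoe", "aa:bb:cc:dd:ee:ff", True)
    # Valid user credential from a foreign laptop with its MAC set to the bound value:
    # the request is byte-for-byte identical to own_pc from the policy's viewpoint.
    spoofed = AccessRequest("jdoe", "00:11:22:33:44:55", True)
    for name, r in [("own_pc", own_pc), ("other_pc", other_pc), ("spoofed", spoofed)]:
        print(f"user+mac  {name:9s} -> {authorize_user_plus_mac(r)}")
    ext_laptop = AccessRequest("host/LAPTOP-EXT.vendor.example", "de:ad:be:ef:00:01", True)
    print("machine   ext_laptop -> " + authorize_machine_auth(ext_laptop))
```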