Cisco Support Community
Community Member

Cisco Secure ACS, Windows 2000 External DB and MAC Auth

I would like to use MAC address authentication along with external DB authentication (Windows 2000 server DB). I can get the PC to auth using LEAP; that works fine. The MAC address part is where I'm faltering. I found a doc on CCO that states to use the MAC address of the PCMCIA card as a user name in the local CS ACS database, and to fail auth under the "Unknown user" option in the external DB config. I would think that once the client PC comes up, Cisco Secure sees the request from the MAC address, compares it to its own DB, sees it there, then passes the actual Windows username and password along to Windows 2000 to complete the sequence -- but it doesn't happen this way. Instead, it's not even doing the MAC address -- it's just failing right off the bat.

Any insight would be appreciated!

Cisco Employee

Re: Cisco Secure ACS, Windows 2000 External DB and MAC Auth

Cisco Secure Access Control Server for Windows NT/2000 Servers (Cisco Secure ACS) can authenticate MAC addresses sent from the access point. The access point works with ACS to authenticate MAC addresses using Secure Password Authentication Protocol (Secure PAP). You enter a list of approved MAC addresses into the ACS as users, using the client devices' MAC addresses as both the username and password. The authentication server's list of allowed MAC addresses can reside on the authentication server or at any network location to which the server has access.

You use the lowercase MAC address as the username and password.

If you are using an external database, there is a test command you can run on ACS to test connectivity between ACS and the external DB.
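To illustrate the entry form and the decision the reply describes (MAC address as both username and password, lowercase, with the unknown-user policy set to fail the attempt), here is an added Python example; it is not code from the thread or from Cisco. It assumes ACS stores the MAC without delimiters (the thread only says lowercase), and the MAC addresses and the `unknown_user_policy` parameter are constructed for the example.

```python
import re

# Unknown-user policy from the external-database configuration discussed in
# the thread: an unknown user is rejected rather than looked up elsewhere.
FAIL_THE_ATTEMPT = "fail the attempt"


def mac_to_acs_user(mac: str) -> str:
    """Normalise a MAC address into the form entered as the ACS username/password.

    Accepts 00:40:96:25:A8:B2, 00-40-96-25-a8-b2 or 0040.9625.a8b2 and returns
    the lowercase, delimiter-free form (assumption: ACS expects no delimiters).
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits.lower()


def build_allowed_list(macs):
    """Build the local ACS user table: username == password == lowercase MAC."""
    return {user: user for user in (mac_to_acs_user(m) for m in macs)}


def mac_auth(username, password, allowed, unknown_user_policy=FAIL_THE_ATTEMPT):
    """Simulate the PAP MAC-auth decision ACS makes for one request from the AP.

    Returns "accept", "CS Unknown User" (the failed-attempts log string quoted
    in the thread) or "wrong password". The comparison is exact, so an entry
    typed in uppercase never matches the lowercase MAC the access point sends.
    """
    if username not in allowed:
        if unknown_user_policy == FAIL_THE_ATTEMPT:
            return "CS Unknown User"       # nothing is forwarded to the external DB
        return "forward to external db"
    return "accept" if allowed[username] == password else "wrong password"


if __name__ == "__main__":
    # Constructed sample cards; 00:40:96 is shown only as an example OUI.
    allowed = build_allowed_list(["00:40:96:25:A8:B2", "0040.9625.a8c3"])
    for mac in ("00409625a8b2", "00409625ffff"):
        print(mac, "->", mac_auth(mac, mac, allowed))
```

The last case in the test, an uppercase entry in the local list, reproduces the silent mismatch the reply warns about: the request is logged as an unknown user even though the card is "in" the list.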

Community Member

Re: Cisco Secure ACS, Windows 2000 External DB and MAC Auth

I've actually already followed the steps outlined in this document. What happens is this: I use the MAC address of the PCMCIA card as the username / password. I then select "fail the attempt" under the "unknown user policy" under the external DB section. If I have a dynamically created user in the ACS user list, I can get in with a card that is in the ACS list AND with a card that is not. So I remove the dynamically created user and I cannot get in at all. The "failed attempts" log states it as "CS Unknown User". If I just use the external DB, everything works fine. It's almost like it's not doing MAC checking at all. Is there some kind of debug that I could run on ACS that might tell me anything? Also, the cards I'm using are older -- they're actually Aironet PC4800 cards -- is it possible that MAC address auth will not function with these cards? I've updated the drivers with the latest available on CCO (LEAP works fine, etc.). I've got an 802.11a card here but I need to find a machine that it will fit into.
