MAC Authentication config guaranteed to work

gilmo (Level 1)

The config file below is guaranteed to work.

I have an ACS 3.0 server doing the MAC authentication. So you have to take the MAC address that you want to allow, put the MAC in the user name and password fields in the ACS, and just load the AP with the config below and CHANGE the IP to yours or it will not work.

Please leave your comments; if this becomes popular I will start publishing different configs such as LEAP+MAC, LOCAL SERVER, WDS, HOT STANDBY, etc.

By the way, at the time of this message my AP1230 had 12.2(11)JA and my 350 client had 5.20.17, so take the time to update the firmware.

God bless America and Good luck!

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! service password-encryption only applies the reversible type-7 encoding to the "7" strings below
service password-encryption
!
hostname GOM_1200IOS
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.1.2.197 auth-port 1812 acct-port 1812
!
! RADIUS group queried for MAC authentication (the ACS 3.0 server)
aaa group server radius rad_mac
 server 10.1.2.197 auth-port 1812 acct-port 1812
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius wlccp_rad_infra
!
aaa group server radius wlccp_rad_eap
!
aaa group server radius wlccp_rad_leap
!
aaa group server radius wlccp_rad_mac
!
aaa group server radius wlccp_rad_any
!
aaa group server radius wlccp_rad_acct
!
aaa authentication login eap_methods group rad_eap
! login list referenced by the SSID's mac-address keyword
aaa authentication login mac_methods group rad_mac
aaa authentication login wlccp_infra group wlccp_rad_infra
aaa authentication login wlccp_eap_client group wlccp_rad_eap
aaa authentication login wlccp_leap_client group wlccp_rad_leap
aaa authentication login wlccp_mac_client group wlccp_rad_mac
aaa authentication login wlccp_any_client group wlccp_rad_any
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa accounting network wlccp_acct_client start-stop group wlccp_rad_acct
aaa session-id common
enable secret 5 xxxxx
!
username xxxx password xxxxx
ip subnet-zero
!
iapp standby timeout 5
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption key 1 size 40bit xxxxx transmit-key
 !
 ! open authentication, gated by a MAC lookup through the mac_methods list
 ssid GOM_1230
    authentication open mac-address mac_methods
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
 rts threshold 2312
 channel 2462
 station-role root
 no cdp enable
 dot1x reauth-period server
 dot1x client-timeout 600
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address xxx.xxx.220.45 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.250.220.254
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
no cdp run
snmp-server community GOM_AP1230 RO
snmp-server enable traps tty
radius-server local
  group AP1230
  !
  user xxxxx nthash 7 xxxxx group AP1230
  !
! "key 7" is a reversible encoding of the RADIUS shared secret, not a hash
radius-server host 10.1.2.197 auth-port 1812 acct-port 1812 key 7 01342929
radius-server retransmit 3
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 route ip
!
!
line con 0
line vty 5 15
!
end
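The config above was saved with `service password-encryption`, so the RADIUS shared secret on the `radius-server host` line shows up as `key 7 01342929`. Cisco's "type 7" is a reversible XOR encoding, not a hash, so posting a config with `key 7` strings publishes the secret itself. The decoder below is an added example written for this page, not part of gilmo's post and not Cisco tooling; the translation table is the well-known constant IOS uses, and `POSTED_CONFIG` is an excerpt constructed from the lines above.

```python
from __future__ import annotations

import re

# Well-known constant that IOS XORs type-7 strings against.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Any config line of the form "<command> 7 <even number of hex digits>".
TYPE7 = re.compile(r"^\s*(?P<cmd>.+?)\s+7\s+(?P<enc>(?:[0-9A-Fa-f]{2}){2,})\s*$", re.M)


def decode_type7(enc: str) -> str:
    """Reverse a type-7 string: the first two decimal digits are the starting
    offset into XLAT, then each hex byte is XORed with the next table byte."""
    enc = enc.strip()
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError(f"not a type-7 string: {enc!r}")
    seed = int(enc[:2])
    if seed > 15:
        raise ValueError(f"bad seed in type-7 string: {enc!r}")
    body = bytes.fromhex(enc[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 1) -> str:
    """Forward direction, so the decoder can be checked by round trip."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(plain.encode("ascii")))
    return f"{seed:02d}" + body.hex().upper()


def find_type7(config_text: str) -> list[tuple[str, str]]:
    """Return (command, plaintext) for every '<command> 7 <hex>' line in a config."""
    return [(m["cmd"], decode_type7(m["enc"])) for m in TYPE7.finditer(config_text)]


# Constructed excerpt of the posted config: only the lines that matter here.
POSTED_CONFIG = """\
service password-encryption
radius-server host 10.1.2.197 auth-port 1812 acct-port 1812 key 7 01342929
enable secret 5 xxxxx
"""

if __name__ == "__main__":
    for cmd, secret in find_type7(POSTED_CONFIG):
        print(f"{cmd}: {secret!r}")
```

Run it and the shared secret falls out immediately; the `enable secret 5` line is left alone because type 5 is a real (salted MD5) hash. The practical rule: treat `key 7` and `password 7` strings as plaintext when you share a config, and redact them the same way the poster redacted the enable secret.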

9 Replies

knightda (Level 1)

Where in the world did you find out that the MAC was also the password? I've been beating my head against the wall for 2 days trying to get that to work with Microsoft IAS... Thanks!

You can refer to this document. (CISCO AIRONET 1200 SERIES - Security Setup) Look at the "Setting Up MAC-Based Authentication" section.

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a008010f63d.html

The screen shots are from the old VxWorks interface but the ACS setup applies.

Bobby C.

Yes, I also went through the same process recently with Cisco ACS and the AP configuration.

You cannot find detailed documentation on any of the AP1100 or AP1200 configuration. You must look at the AP350 configuration notes, and there it is all spelled out (for configuration of the ACS). It should be similar for other "RADIUS" servers. Use the MAC address as password and user ID. (For ACS you have to turn off one of the security settings, as it typically disallows this.)

Please also refer to the following for the AP1200 AAA/RADIUS MAC authentication with a RADIUS server:

aaa group server radius SG_rad_mac
 server aa.bb.cc.dd auth-port 1645 acct-port 1646
aaa authentication login sg_mac_methods group SG_rad_mac
int dot11radio0
 ssid ABC
    vlan xxx
    authentication open mac-address sg_mac_methods alternate eap sg_eap_methods
    authentication network-eap sg_eap_methods

May the Force be with you.

Regards

Ken Jones

Also note that I found a small tidbit of information buried in Cisco docs that says when you enter a MAC address in ACS or any user database, to enter the letters of the MAC as lowercase.

Don't know why; it just seems to work best this way.

Is there a special syntax for writing the MAC address?

Should I put in dots or dashes? e.g. aa-aa-aa-aa-aa-aa or aaaa.aaaa.aaaa

dots should work!

scottosan (Level 1)

I thought the proper way to do MAC authentication was to use ACLs with ACS? I haven't done a lot of research, but am going to have to do this as soon as I get my ACS from the vendor. If you use a username and password of the MAC address, what keeps someone from spoofing the username and password?

Thanks

Hello there,

Under ACS, you still need to create a user with a password as you normally do and then create another user using the MAC address for name and password.

The client has to authenticate with user name, password and MAC.

If they spoof the MAC they still need to know the user name and password.

Regards,

Gil
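The three questions above (which delimiter to use when entering the MAC, why lowercase helps, and what stops a spoofed MAC) come down to one fact: with MAC authentication the RADIUS server does a string lookup for a user whose name and password are both the MAC, and that lookup is typically sensitive to case and delimiters, which is why the exact spelling of the entry matters. The script below is an added illustration written for this page, not code from the thread, from ACS or from Cisco. Its user store, MAC values and the 12-lowercase-hex canonical format are constructed assumptions; check your own RADIUS server's documented format before copying the normalization.

```python
from __future__ import annotations

import hmac
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(raw: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or
    aabbccddeeff in either case and return 12 lowercase hex digits.
    (12 lowercase hex digits is an assumed store format for this example.)"""
    mac = re.sub(r"[-:.\s]", "", raw).lower()
    if not HEX12.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


# Constructed user store in the shape the thread describes: MAC entries use the
# MAC as both username and password; a person entry carries a real password.
USERS: dict[str, dict[str, str]] = {
    "00095b8c1ef0": {"password": "00095b8c1ef0", "kind": "mac"},
    "gil": {"password": "correct-horse", "kind": "person"},
}


def radius_mac_auth(client_mac: str) -> bool:
    """What `authentication open mac-address <list>` effectively asks the
    server: does a user named <mac> exist whose password is <mac>?"""
    try:
        mac = canonical_mac(client_mac)
    except ValueError:
        return False
    entry = USERS.get(mac)
    return (entry is not None and entry["kind"] == "mac"
            and hmac.compare_digest(entry["password"], mac))


def radius_user_auth(username: str, password: str) -> bool:
    """The separate per-person credential check (the LEAP/EAP user in the thread)."""
    entry = USERS.get(username)
    return (entry is not None and entry["kind"] == "person"
            and hmac.compare_digest(entry["password"], password))


def admit(client_mac: str, username: str | None = None, password: str | None = None,
          require_user: bool = False) -> bool:
    """Combined policy. require_user=False is MAC-only authentication; with
    require_user=True a per-person credential must succeed as well."""
    if not radius_mac_auth(client_mac):
        return False
    if not require_user:
        return True
    return username is not None and password is not None and radius_user_auth(username, password)


if __name__ == "__main__":
    legit = "0009.5b8c.1ef0"       # as a Cisco device prints it
    cloned = "00-09-5B-8C-1E-F0"    # same address, set on an attacker's card
    print(radius_mac_auth(legit), radius_mac_auth(cloned))         # True True: indistinguishable
    print(admit(cloned, require_user=True))                         # False: no user credential
    print(admit(cloned, "gil", "correct-horse", require_user=True))  # True
```

Two things to take from running it. First, `canonical_mac` is what makes dots, dashes and uppercase all resolve to the same entry; without that step an entry stored as `00095B8C1EF0` and a client presenting `00095b8c1ef0` simply miss each other, which is the failure the lowercase tip is working around. Second, a cloned MAC is byte-for-byte the legitimate one, so MAC-only authentication cannot reject it; the spoofer is only stopped when the per-person credential is actually required, which depends on how the SSID's authentication line is written, not on the MAC entry.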

thanks
