MAC authentication using Cisco ACS and 350 Access Point

I used this link to help me configure the ACS and the Cisco 350 Access Point.

http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wrsec_an.htm

All I want to do is to only allow certain MAC addresses to associate with the Access Point. No LEAP or EAP, because there are Spectralink IP phones in the network that do not support dynamic WEP.

This is what I did:

Access point-

4.3.1 Configuring MAC authentication only

1. Browse to the AP.

2. From the SUMMARY STATUS page, click on SETUP.

3. In the ASSOCIATIONS box, click on ADDRESS FILTERS.

4. Click the YES radio button to LOOKUP MAC ADDRESS ON AUTHENTICATION SERVER. Refer to Figure 16.

5. Click the NO radio button for IS MAC AUTHENTICATION ALONE SUFFICIENT FOR A CLIENT TO BE FULLY AUTHENTICATED?

6. Click on the AUTHENTICATION SERVER link.

7. Add the ACS for MAC authentication. Configure the SERVER NAME/IP, SERVER TYPE, PORT, SHARED SECRET, and TIMEOUT. Refer to Figure 17.

8. Select the MAC AUTHENTICATION checkbox.

9. Click the OK button. The ADDRESS FILTERS page should reappear.

10. Click the OK button.

11. Browse to the SETUP page.

12. In the NETWORK PORTS box, click on ADVANCED in the AP RADIO section.

13. The AP RADIO ADVANCED page appears. Refer to Figure 18.

14. Determine which authentication type you wish to use MAC authentication with. It is possible to use MAC authentication with LEAP, Open authentication, and Shared-key authentication.

15. For each desired authentication type, select DISALLOWED in the DEFAULT UNICAST ADDRESS FILTER drop down menu.

16. Click on the OK button to finish.

ACS-

3.1 Adding the AP to the ACS server

1. From the ACS main menu click on the NETWORK CONFIGURATION button.

2. Click on the ADD ENTRY button.

3. Configure the DNS name of the AP, the IP address of the AP, the RADIUS shared secret and the Authentication method, as outlined in Figure 1.

4. Make sure to select RADIUS (Cisco Aironet) in the AUTHENTICATE USING drop down menu.

5. To complete, click the SUBMIT+RESTART button.

4.2 Adding a MAC address to the ACS

The ACS can authenticate MAC addresses sent from an AP. A properly configured AP will attempt to authenticate a MAC address using Secure-PAP authentication with the ACS. The MAC addresses are entered into the ACS as users, with the username and password being the MAC address.

1. From the ACS main menu, click on the USER SETUP button.

2. In the USER text box, type the MAC address to add to the user database. Use no dashes, periods, or any other delimiter.

3. At the USER SETUP screen, enter the MAC address in the SECURE-PAP PASSWORD text box. Refer to Figure 15.

4. Select the SEPARATE (CHAP/MS-CHAP) checkbox.

5. Enter a strong password for CHAP/MS-CHAP. This should not match the MAC address.

6. Click the SUBMIT button.

-----------------------------------------------------------------------------------------------------------

I can't get the IP phone to authenticate for some reason. If on the Access Point I select OPEN with ALLOWED, the phones associate with the access point. Am I missing something in the ACS? I configured the ACS port to 1645, which the whitepapers stated. I made sure I used the same shared secret on the AP and ACS. What does this do in the ACS USER SETUP:

4. Select the SEPARATE (CHAP/MS-CHAP) checkbox.

5. Enter a strong password for CHAP/MS-CHAP. This should not match the MAC address.

Any help would be appreciated.......

Thanks!

-Scott

Re: MAC authentication using Cisco ACS and 350 Access Point

Well, this is what I did to make it work....... After creating the users via MAC address, I had to restart the services I created in the ACS (each AP being an access server). Then I had to reboot the APs. I think this is so inefficient. Is there a way you can go around this?

-Scott
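
The MAC-as-username exchange described in section 4.2 of the quoted white paper, as an added example that is not part of the original posts or of Cisco's documentation. It assumes the AP sends a standard RADIUS PAP Access-Request (RFC 2865 User-Password hiding) and a lowercase username; the MAC, shared secrets and AP address are constructed sample values.

```python
import hashlib, os, re, struct

def normalize_mac(mac):
    """ACS username form: 12 hex digits, no delimiters (lowercase is an assumption)."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """What the RADIUS server does with its own copy of the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def mac_access_request(mac, secret, nas_ip, identifier=1, authenticator=None):
    """Access-Request (code 1) with User-Name and User-Password both set to the MAC."""
    if authenticator is None:
        authenticator = os.urandom(16)
    user = normalize_mac(mac).encode()
    attrs = (attribute(1, user)                                          # User-Name
             + attribute(2, hide_password(user, secret, authenticator))  # User-Password
             + attribute(4, bytes(int(o) for o in nas_ip.split("."))))   # NAS-IP-Address
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

if __name__ == "__main__":
    # Constructed sample values: MAC, shared secrets and AP address are not from the thread.
    pkt = mac_access_request("00-40-96-AB-CD-EF", b"ap-secret", "192.0.2.10")
    auth, hidden = pkt[4:20], pkt[36:52]
    print("server with matching secret sees:", unhide_password(hidden, b"ap-secret", auth))
    print("server with a different secret sees:", unhide_password(hidden, b"other", auth))
```

With a mismatched shared secret the server recovers a different password, so the request is rejected as a bad credential even though the MAC is in the user database.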