New Member

PEAP with MAC

Hi,

I'd like to know if there is a way to authenticate using a username with PEAP and, in addition, restrict the access by the station MAC address. I'm using 1230 APs with Cisco Secure ACS authenticating against MS AD.

Thanks in advance

3 REPLIES
Cisco Employee

Re: PEAP with MAC

Hi,

Do you have the unified solution with controllers?

If yes, it's very simple: just create an SSID with WPA/WPA2; on the security page you will find the MAC filter checkbox, just click that.

When both 802.1x and MAC filtering are enabled, it first checks for MAC; if the MAC is added to the list, it will go for 802.1x auth via RADIUS.

Thanks

Vinay

New Member

Re: PEAP with MAC

Thanks Vinay

No, I don't have the unified solution; I have standalone APs (1230) and I'm using PEAP with ACS.

Is there a way to do the same on the standalone APs?

Cisco Employee

Re: PEAP with MAC

Yes, very well possible on autonomous. Just select "Open auth with MAC and EAP" from the SSID page.

For CLI, here is the sample config (WPA2 + local MAC):

Building configuration...

Current configuration : 2517 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap
!
enable secret 5 $1$SJ3D$ztXO0VxAG0aOnjCZqVDov.
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
! RADIUS server group that handles the PEAP (EAP) authentications
aaa group server radius rad_eap1
 server 9.42.24.53 auth-port 1645 acct-port 1646
!
! Method lists: EAP goes to RADIUS, MAC lookups use the local username database
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
!
dot11 syslog
!
! SSID gates on the MAC check (mac_methods) and then on EAP (eap_methods1)
dot11 ssid vinay-test
   authentication open mac-address mac_methods eap eap_methods1
   authentication network-eap eap_methods1 mac-address mac_methods
   authentication key-management wpa version 2
!
!
!
! Local MAC entry: the client MAC is the username; autocommand exit stops that
! entry from being usable as an exec login on the AP
username Cisco password 7 123A0C041104
username 001d7e032db3 password 7 1159495413450E5C57782F267B
username 001d7e032db3 autocommand exit
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 shutdown
 !
 encryption mode ciphers aes-ccm
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm
 !
 ssid vinay-test
 !
 dfs band 3 block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address dhcp client-id FastEthernet0
 no ip route-cache
!
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 9.42.24.53 auth-port 1645 acct-port 1646 key 7 01000307490E12
radius-server vsa send accounting
bridge 1 route ip
!
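As an added example, not from the thread and not a Cisco tool, the Python 3 script below audits a config in the shape Vinay posted for the policy his reply describes: each open-auth SSID names both a mac-address method list and an eap method list, those lists are defined, key management is WPA, and every local MAC username also carries autocommand exit as the sample does. The embedded config is constructed for the demo; the guest-open SSID and the 0011223344ff entry are made up so that the checks have something to report.

```python
"""Audit an autonomous Cisco IOS AP config for the MAC + EAP SSID policy.

Added example, not part of the original thread or any Cisco tool. It parses
the configuration shape shown in the reply above (aaa authentication login
lists, dot11 ssid stanzas, username entries). SAMPLE_CONFIG is constructed
for the demo; the guest-open SSID and the 0011223344ff entry are made up.
"""
import re

# Local MAC entries are lowercase hex with no separators, as in the posted config.
MAC_USER_RE = re.compile(r"^[0-9a-f]{12}$")

SAMPLE_CONFIG = """\
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
!
dot11 ssid vinay-test
   authentication open mac-address mac_methods eap eap_methods1
   authentication network-eap eap_methods1 mac-address mac_methods
   authentication key-management wpa version 2
!
dot11 ssid guest-open
   authentication open
!
username Cisco password 7 123A0C041104
username 001d7e032db3 password 7 1159495413450E5C57782F267B
username 001d7e032db3 autocommand exit
username 0011223344ff password 7 0102030405
"""


def parse_config(text):
    """Return (login_lists, ssids, users) extracted from an IOS config dump."""
    login_lists = {}   # method list name -> method string
    ssids = {}         # ssid name -> parsed authentication settings
    users = {}         # username -> {"password": bool, "autocommand_exit": bool}
    current_ssid = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw[0].isspace():
            # Top-level command: closes any open dot11 ssid stanza.
            current_ssid = None
            m = re.match(r"aaa authentication login (\S+) (.+)", stripped)
            if m:
                login_lists[m.group(1)] = m.group(2)
                continue
            m = re.match(r"dot11 ssid (\S+)", stripped)
            if m:
                current_ssid = m.group(1)
                ssids[current_ssid] = {"open": False, "mac_list": None,
                                       "eap_list": None, "wpa": False}
                continue
            m = re.match(r"username (\S+) (.+)", stripped)
            if m:
                entry = users.setdefault(m.group(1), {"password": False,
                                                      "autocommand_exit": False})
                rest = m.group(2)
                if re.search(r"\b(password|secret)\b", rest):
                    entry["password"] = True
                elif rest == "autocommand exit":
                    entry["autocommand_exit"] = True
            continue
        if current_ssid is None:
            continue
        # Indented line inside a dot11 ssid stanza.
        tokens = stripped.split()
        ssid = ssids[current_ssid]
        if tokens[:2] == ["authentication", "open"]:
            ssid["open"] = True
            for i, tok in enumerate(tokens):
                if tok == "mac-address" and i + 1 < len(tokens):
                    ssid["mac_list"] = tokens[i + 1]
                elif tok == "eap" and i + 1 < len(tokens):
                    ssid["eap_list"] = tokens[i + 1]
        elif tokens[:2] == ["authentication", "key-management"] and "wpa" in tokens:
            ssid["wpa"] = True
    return login_lists, ssids, users


def audit(text):
    """List policy findings: every open-auth SSID must gate on MAC and EAP,
    every referenced method list must exist, key management must be WPA, and
    every local MAC entry must carry autocommand exit."""
    login_lists, ssids, users = parse_config(text)
    findings = []
    for name, ssid in ssids.items():
        if not ssid["open"]:
            continue
        if ssid["mac_list"] is None or ssid["eap_list"] is None:
            findings.append(f"ssid {name}: open authentication without both mac-address and eap")
        for kind, lst in (("mac-address", ssid["mac_list"]), ("eap", ssid["eap_list"])):
            if lst is not None and lst not in login_lists:
                findings.append(f"ssid {name}: {kind} method list {lst} is not defined")
        if not ssid["wpa"]:
            findings.append(f"ssid {name}: no WPA key management")
    for name, entry in users.items():
        if MAC_USER_RE.match(name) and entry["password"] and not entry["autocommand_exit"]:
            findings.append(f"username {name}: MAC entry without autocommand exit")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config copied from the AP; the vinay-test SSID passes cleanly, while the made-up guest-open SSID and the MAC entry without autocommand exit each produce a finding. The parser relies on IOS indentation to know which lines belong to a dot11 ssid stanza, so keep the config text as the AP prints it.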
