Frequent Contributor I
Posts: 248
Registered: 09-14-2011
Next Question ;-) MAC auth for hardwired clients?

Has anyone done this? Or, does someone know how to configure this up for hardwired clients and could enlighten me? Preferably using the user derivation rules if possible...


As always, thanks to anyone who responds!

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Contributor II
Posts: 146
Registered: 05-12-2010
Re: Next Question ;-) MAC auth for hardwired clients?
Attempting email reply.

We do MAC auth & 802.1X on Cisco switch ports. We do not (yet) do RADIUS CoA.

By default the switch will try 802.1X & then MAC auth. Since the 802.1X timeout is so long, we use the following port configuration.

authentication order mab dot1x
authentication priority dot1x mab
This tells the switch to try MAC auth first, but switch to 802.1X if it receives an EAP packet.

Bruce Osborne - Wireless Engineer
ACCP, ACMP
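As an added illustration (not Bruce's own configuration), here is a complete Cisco IOS access-port setup that implements the MAB-first ordering he describes, including the global AAA and RADIUS pieces the two interface lines depend on. The server name, address and shared secret are placeholders, and the `radius server` block assumes IOS 15.x syntax.

```cisco
! Global AAA: both MAB and 802.1X requests go to RADIUS
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! RADIUS server definition (hypothetical name, address and key)
radius server AUTH-SERVER-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
!
! Access port for a device that may or may not have a supplicant
interface GigabitEthernet1/0/1
 description hardwired client - MAB first, 802.1X preferred if seen
 switchport mode access
 switchport access vlan 100
 ! Try MAB first so a non-1X device is authorised without waiting
 ! for the 802.1X timeout to expire
 authentication order mab dot1x
 ! If the client ever sends EAPOL, 802.1X outranks a prior MAB result
 authentication priority dot1x mab
 authentication port-control auto
 authentication host-mode single-host
 mab
 dot1x pae authenticator
 ! Shorter EAP-Request/Identity retry so supplicant detection is quick
 dot1x timeout tx-period 10
 spanning-tree portfast
```

After a device connects, `show authentication sessions interface GigabitEthernet1/0/1` shows which method (mab or dot1x) authorised the session and the role/VLAN RADIUS returned.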
Guru Elite
Posts: 8,628
Registered: 09-08-2010
Re: Next Question ;-) MAC auth for hardwired clients?
So you want to manually register non-1X capable devices? Is this with ClearPass?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 248
Registered: 09-14-2011
Re: Next Question ;-) MAC auth for hardwired clients?

cappalli wrote:
So you want to manually register non-1X capable devices? Is this with ClearPass?

@cappalli - yes, exactly, and controller only, no ClearPass. If this were a ClearPass setup I would do it differently, as I would have a lot more options.

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Contributor II
Posts: 146
Registered: 05-12-2010
Re: Next Question ;-) MAC auth for hardwired clients?

We use ClearPass & register the mac auth devices as Known Endpoints.


We also associate a username to the device so we can monitor Internet usage per user.

Bruce Osborne - Wireless Engineer
ACCP, ACMP
Contributor II
Posts: 146
Registered: 05-12-2010
Re: Next Question ;-) MAC auth for hardwired clients?
What system/database are you going to use for registration?

Bruce Osborne - Wireless Engineer
ACCP, ACMP
Frequent Contributor I
Posts: 248
Registered: 09-14-2011
Re: Next Question ;-) MAC auth for hardwired clients?

bosborne@liberty.edu wrote:
What system/database are you going to use for registration?

@bosborne - the end devices are not capable of any other sort of authentication; they are online, they have a MAC address and an IP address, and I need to secure them. If this were a ClearPass environment, I would add the devices as known endpoints and go that route, but this is not such an environment. This is a controller-only network and I was thinking about using the user derivation rules for MAC lists.


The wireless side, no worries, done. Hard line side though, I've got three VLANs coming in, say VLAN 100, 200 & 300. The devices on these VLANs are not capable of authentication on their own, hence looking at MAC authentication. I was thinking about the user derivation rules, as then I could create static MAC lists for each VLAN. (Also, not talking about hundreds of devices per VLAN, maybe 20 to 30.)


Anyway, I need them to authenticate somehow so that I can put them in a role and then manipulate as per normal (inter-VLAN routing, session firewall ACLs, etc.). Make sense?

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Contributor II
Posts: 146
Registered: 05-12-2010
Re: Next Question ;-) MAC auth for hardwired clients?
Yeah. The switch does MAC auth due to the "dumb" client. I believe the switch needs an authentication server to perform the lookup, though.

You mention a controller. Are you connecting these devices directly to the controller? I am confused about the architecture here.
Bruce Osborne - Wireless Engineer
ACCP, ACMP
Frequent Contributor I
Posts: 248
Registered: 09-14-2011
Re: Next Question ;-) MAC auth for hardwired clients?

bosborne@liberty.edu wrote:
Yeah. The switch does MAC auth due to the "dumb" client. I believe the switch needs an authentication server to perform the lookup, though.

You mention a controller. Are you connecting these devices directly to the controller? I am confused about the architecture here.

Maybe this will help!

[Attachment: testing topology.PNG]

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Frequent Contributor I
Posts: 248
Registered: 09-14-2011
Re: Next Question ;-) MAC auth for hardwired clients?

So is the diagram I posted possible? Could it be made to work? Would I need a Mobility Access Switch?

Or am I trying to do something the controller is just not capable of? That's what I need to figure out.


I need a drink...


;-)

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC