
CPPM MAC Auth with Cisco 3650 WLC

Has anyone done this successfully? We found out that the password sent by Cisco is not matching the username (MAC addr w/o delimiter) and caused MAC auth to break. Thanks

Re: CPPM MAC Auth with Cisco 3650 WLC

Do you have MAC filtering enabled under your Layer 2 tab?

Can you post what's in the access tracker?

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.

Re: CPPM MAC Auth with Cisco 3650 WLC

Forgot to mention, yes it definitely works. Lots of people have this setup working.

Cheers
James


Re: CPPM MAC Auth with Cisco 3650 WLC

Can you please share your switch interface config?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: CPPM MAC Auth with Cisco 3650 WLC

Here's the access tracker output:

 

Error Code: 209

Error Category: Authentication failure

Error Message: No password in request

Alerts for this Request -

   RADIUS: [Endpoints Repository] - localhost: User not found.\nMAC-AUTH: Password in request doesn't match username. Not attempting MAC authentication\nCannot select appropriate authentication method

 

Will need to get sh run from the end user, stay tuned and thank you very much :)

Re: CPPM MAC Auth with Cisco 3650 WLC

Do you have MAC Filtering enabled on your WLAN > Layer 2 setting?

2016-06-01 12_12_05-cisco-wlc.jpg

From CPPM, what is the Username of the request in the access tracker? It should be the client's MAC address if the above is enabled.

Have you set a layer 2 security? Try "none" as per the image above.

Cheers

James


Re: CPPM MAC Auth with Cisco 3650 WLC

Here's the WLAN interface config:

 

wlan ISE 3 ISE
 aaa-override
 accounting-list ise-acct
 client vlan Wireless-HOME
 no exclusionlist
 ip access-group web ISE-ACL
 ip dhcp required
 ip dhcp server 10.180.1.193
 mac-filtering ise-mac
 nac
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 security dot1x authentication-list ise-auth
 security web-auth
 security web-auth parameter-map ISE-MAP
 session-timeout 1800
 no shutdown


Re: CPPM MAC Auth with Cisco 3650 WLC

We have tried both of the following in Cisco to set the username format, with no luck

 

mab request format attribute 1 groupsize 2 separator : lowercase

 

mab request format attribute 1 groupsize 12 separator : lowercase

 

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-e/sec-usr-aaa-15-e-book/sec-usr-config-mab-usrname-pwd.html 


Re: CPPM MAC Auth with Cisco 3650 WLC

What about Radius MAC Delimiter? Default is something other than this..

 

mac-auth-cisco1.jpg


Regards
John Solberg

-ACMX #316 :: ACCP ::
ACSA :: Working on my ACCX!!
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
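
The access tracker alert quoted in this thread ("Password in request doesn't match username") can be checked directly against a captured Access-Request. The following is an added example, not code from any poster, Aruba or Cisco: it parses the RADIUS attributes, reverses the RFC 2865 User-Password hiding with the shared secret, and compares the result with User-Name. All function names, the sample MAC and the shared secret are constructed, and reporting a delimiter-only or case-only difference as its own result is an assumption about what is useful to see, not a statement of how CPPM compares the values.

```python
import hashlib

USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3  # RFC 2865 attribute types

def _crypt(data, secret, authenticator, hide):
    """RFC 2865 section 5.2 User-Password hiding; one XOR chain for both directions."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        prev = res if hide else block  # the chain always runs over the hidden block
        out += res
    return out

def build_request(user, password, secret):  # constructed sample, not a capture
    auth = bytes(range(16))  # constructed Request Authenticator
    attrs = bytes([USER_NAME, len(user) + 2]) + user.encode()
    if password is not None:  # None omits the User-Password attribute entirely
        padded = password.encode() + b"\x00" * (-len(password) % 16)
        hidden = _crypt(padded, secret, auth, hide=True)
        attrs += bytes([USER_PASSWORD, len(hidden) + 2]) + hidden
    return bytes([1, 7]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs

def parse_attributes(packet):
    length = int.from_bytes(packet[2:4], "big")  # length field from the RADIUS header
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def hexdigits(s):
    return "".join(c for c in s.lower() if c in "0123456789abcdef")

def check_mab_request(packet, secret):
    attrs = parse_attributes(packet)
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    if USER_PASSWORD not in attrs:  # nothing to compare against the username
        return "chap-password" if CHAP_PASSWORD in attrs else "no-password"
    clear = _crypt(attrs[USER_PASSWORD], secret, packet[4:20], hide=False)
    password = clear.rstrip(b"\x00").decode(errors="replace")
    if password == user:
        return "match"
    same_mac = len(hexdigits(user)) == 12 and hexdigits(password) == hexdigits(user)
    return "format-mismatch" if same_mac else "mismatch"  # assumption: split these out
```

A wrong shared secret decodes to garbage and also reports a mismatch, so confirm the secret on both sides before drawing conclusions from the result.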