Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM MAC Auth with Cisco 3650 WLC

  • 1.  CPPM MAC Auth with Cisco 3650 WLC

    EMPLOYEE
    Posted May 31, 2016 11:37 PM

    Has anyone done this successfully? We found out that the password sent by Cisco is not matching the username (MAC addr w/o delimiter), which caused MAC auth to break. Thanks



  • 2.  RE: CPPM MAC Auth with Cisco 3650 WLC

    Posted Jun 01, 2016 05:07 AM

    Do you have MAC filtering enabled under your Layer 2 tab?

    Can you post what's in the access tracker?



  • 3.  RE: CPPM MAC Auth with Cisco 3650 WLC

    Posted Jun 01, 2016 05:15 AM

    Forgot to mention, yes it definitely works. Lots of people have this setup working.



  • 4.  RE: CPPM MAC Auth with Cisco 3650 WLC

    Posted Jun 01, 2016 06:21 AM
    Can you please share your switch interface config?


  • 5.  RE: CPPM MAC Auth with Cisco 3650 WLC

    EMPLOYEE
    Posted Jun 01, 2016 06:31 AM

    Here's the access tracker output:

     

    Error Code: 209

    Error Category: Authentication failure

    Error Message: No password in request

    Alerts for this Request -

       RADIUS: [Endpoints Repository] - localhost: User not found.
    MAC-AUTH: Password in request doesn't match username. Not attempting MAC authentication
    Cannot select appropriate authentication method

     

    Will need to get sh run from the end user, stay tuned and thank you very much :)



  • 6.  RE: CPPM MAC Auth with Cisco 3650 WLC

    Posted Jun 01, 2016 07:18 AM

    Do you have MAC Filtering enabled on your WLAN > Layer 2 setting?

     

    2016-06-01 12_12_05-cisco-wlc.jpg

     

    From CPPM, what is the Username of the request in the access tracker? It should be the client's MAC address if the above is enabled.

     

    Have you set a layer 2 security? Try "none" as per the image above.

     

    Cheers

    James



  • 7.  RE: CPPM MAC Auth with Cisco 3650 WLC

    EMPLOYEE
    Posted Jun 06, 2016 08:32 PM

    Here's the WLAN interface config:

     

    wlan ISE 3 ISE
     aaa-override
     accounting-list ise-acct
     client vlan Wireless-HOME
     no exclusionlist
     ip access-group web ISE-ACL
     ip dhcp required
     ip dhcp server 10.180.1.193
     mac-filtering ise-mac
     nac
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security dot1x authentication-list ise-auth
     security web-auth
     security web-auth parameter-map ISE-MAP
     session-timeout 1800
     no shutdown



  • 8.  RE: CPPM MAC Auth with Cisco 3650 WLC

    EMPLOYEE
    Posted Jun 07, 2016 03:20 AM

    We have tried both of the following in Cisco to set the username format, with no luck:

     

    mab request format attribute 1 groupsize 2 separator : lowercase

     

    mab request format attribute 1 groupsize 12 separator : lowercase

     

    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-e/sec-usr-aaa-15-e-book/sec-usr-config-mab-usrname-pwd.html 



  • 9.  RE: CPPM MAC Auth with Cisco 3650 WLC

    Posted Jun 07, 2016 04:44 AM

    What about the RADIUS MAC Delimiter? The default is something other than this.

     

    mac-auth-cisco1.jpg
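
Added example, not part of the thread and not ClearPass or Cisco code: a small Python triage helper that renders a MAC address in the group size, separator and case shapes tried in post 8, and classifies a User-Name / User-Password pair along the lines of the access tracker alerts in post 5. The function names, result labels and sample MAC are constructed for illustration, and it assumes the server compares password and username as exact strings.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    stripped = re.sub(r"[-:.]", "", value or "").lower()
    return stripped if HEX12.match(stripped) else None

def format_mac(mac, groupsize=12, separator="", uppercase=False):
    """Render a MAC with the given group size, separator and case."""
    digits = normalize_mac(mac)
    if digits is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    if groupsize not in (1, 2, 4, 12):
        raise ValueError(f"unsupported group size: {groupsize}")
    groups = [digits[i:i + groupsize] for i in range(0, 12, groupsize)]
    out = separator.join(groups)  # a single 12-digit group never shows the separator
    return out.upper() if uppercase else out

def diagnose(user_name, user_password):
    """Classify a User-Name / User-Password pair from a MAC auth request."""
    name_mac = normalize_mac(user_name)
    if name_mac is None:
        return "username-not-mac"
    if not user_password:
        return "no-password"
    if user_password == user_name:  # assumption: exact string comparison
        return "match"
    pw_mac = normalize_mac(user_password)
    if pw_mac == name_mac:
        return "same-mac-different-format"  # delimiter or case differs
    if pw_mac is not None:
        return "different-mac"
    return "password-not-mac"  # e.g. a fixed shared password

if __name__ == "__main__":
    mac = "001122aabbcc"  # constructed sample, not taken from the thread
    candidates = [
        mac,
        format_mac(mac, groupsize=2, separator=":"),
        format_mac(mac, groupsize=4, separator=".", uppercase=True),
        "",
        "SharedSecret1",
    ]
    for password in candidates:
        print(f"{mac!r:16} {password!r:22} -> {diagnose(mac, password)}")
```

Only the first pair reports "match"; a "same-mac-different-format" result points at a delimiter or case setting on the NAD, while "password-not-mac" points at a fixed password being sent instead of the MAC.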