Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Mac authentication along with EAP-TLS

  • 1.  Mac authentication along with EAP-TLS

    Posted Dec 27, 2012 10:05 AM

    We have a 3400 controller running version 6.1.3.4. Our requirement is to make the Wi-Fi client do both MAC authentication and EAP-TLS. However, when a client connects to the network, he does 802.1X authentication and gets connected to the network. Please advise us how to achieve MAC authentication and 802.1X authentication on the same SSID.

     

    Note: This requirement is to prevent clients from distributing their own certificate to some other laptop, so that even if they have the certificate they will not be allowed to connect to the network, as it has a different MAC address.




  • 2.  RE: Mac authentication along with EAP-TLS

    EMPLOYEE
    Posted Dec 27, 2012 10:30 AM

    @yogendrankp wrote:

    We have a 3400 controller running version 6.1.3.4. Our requirement is to make the Wi-Fi client do both MAC authentication and EAP-TLS. However, when a client connects to the network, he does 802.1X authentication and gets connected to the network. Please advise us how to achieve MAC authentication and 802.1X authentication on the same SSID.

     

    Note: This requirement is to prevent clients from distributing their own certificate to some other laptop, so that even if they have the certificate they will not be allowed to connect to the network, as it has a different MAC address.


    In the AAA profile that is used to do 802.1X authentication, you can add a MAC authentication profile, as well as a MAC authentication server group, to force the user device to do MAC authentication.



  • 3.  RE: Mac authentication along with EAP-TLS

    Posted Dec 27, 2012 12:44 PM

    Thank you CJ. 

     

    If a client fails MAC authentication, we don't want the controller to permit him to go for dot1x authentication (even if he is capable of getting dot1x auth success);

     

    this user should not connect to the network. Is it possible to achieve?



  • 4.  RE: Mac authentication along with EAP-TLS

    EMPLOYEE
    Posted Dec 27, 2012 12:52 PM

    It is possible.  

     

    Make sure:

     

    - The initial role on the AAA profile is set to a role with a "deny all" ACL (that means a device must pass MAC and/or 802.1X authentication before sending traffic).

    - On the AAA profile, make sure L2 fail-through is not enabled (if enabled and a device fails MAC auth, it allows it to do 802.1X authentication; you don't want that).

    - Configure a MAC authentication profile and a MAC authentication server group on that AAA profile so that a user is forced to do MAC authentication.
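    The three checks above as an ArubaOS 6.x CLI fragment, added here as an illustration (not CJ's configuration or Aruba documentation): the fail-open settings that match post 5 are shown in comments beside the corrected AAA profile. Profile, role and server-group names ("corp-dot1x", "deny-all", "mac-auth-internal", "dot1x-eap-tls", "corp-radius") are assumed, the 802.1X profile and RADIUS server group are assumed to exist already, and lines starting with "!" are annotations for the reader rather than CLI input.

    ```arubaos
    ! Added example, not from the thread; all names below are assumed.
    !
    ! WEAK (what post 5 describes): a device whose MAC is not in the DB
    ! still completes EAP-TLS, because "logon" carries permissive ACLs and
    ! L2 fail-through lets 802.1X run after MAC auth has failed:
    !   aaa profile "corp-dot1x"
    !     initial-role "logon"
    !     l2-auth-fail-through
    !
    ! CORRECTED: an initial role that drops everything, no fail-through,
    ! and a MAC auth profile + server group bound to the same AAA profile.
    ip access-list session deny-all-acl
      any any any deny
    !
    user-role deny-all
      access-list session deny-all-acl
    !
    ! MAC authentication against the controller's internal DB
    ! (the built-in server is named "Internal").
    aaa authentication mac "mac-auth-internal"
    !
    aaa server-group "mac-auth-internal-sg"
      auth-server Internal
    !
    ! AAA profile used by the EAP-TLS SSID: MAC auth must pass before
    ! 802.1X is attempted, and a MAC failure is not allowed to fall
    ! through to 802.1X.
    aaa profile "corp-dot1x"
      initial-role "deny-all"
      authentication-mac "mac-auth-internal"
      mac-server-group "mac-auth-internal-sg"
      authentication-dot1x "dot1x-eap-tls"
      dot1x-server-group "corp-radius"
      no l2-auth-fail-through
    !
    ! Checks: fail-through should show Disabled and the initial role
    ! "deny-all"; a device with an unknown MAC should then never appear
    ! in the user table with the 802.1X role.
    !   show aaa profile "corp-dot1x"
    !   show user-table
    ```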

     



  • 5.  RE: Mac authentication along with EAP-TLS

    Posted Dec 27, 2012 03:30 PM

    CJ thanks for the info....

     

    I also need a clarification on this topic, as I am facing the same issue. Please find the network details below.

     

    1. SSID - WPA2 AES

    2. L2 fail-through is not enabled

    3. MAC profile and MAC server is configured and it is internal DB of the controller.

    4. 802.1X authentication profile and server group are mapped, and it is an external RADIUS server. It is EAP-TLS.

    5. Initial role is the logon role.

     

    With the above configuration I checked that even if the user's MAC address is not in the internal DB, he performs 802.1X auth, it is successful, and he is able to connect to the network.

     

    Can you please tell me whether MAC authentication will work along with 802.1X auth with the above network details configured in the controller?

    Please note that if the user fails either authentication, he should not be given access.



  • 6.  RE: Mac authentication along with EAP-TLS

    EMPLOYEE
    Posted Dec 27, 2012 03:37 PM

    Make the initial role a "deny all" role, instead of "logon" and the user should not be able to pass traffic.