Solved

802.1x MAC Authentication

Posted on 2014-09-24
Last Modified: 2015-09-23
I have Cisco ISE. I want to use Cisco ISE to authenticate the PCs and laptops connecting to the network switches using their MAC addresses.
Known devices whose MAC addresses are available in ISE should authenticate; devices that are not MAC-authenticated should be blocked from access.
How do I configure this in Cisco ISE?
0
Question by:SrikantRajeev
14 Comments
 
LVL 3

Expert Comment

by:Soufiane Adil, Ph.D
ID: 40343015
Hi

All you need to do is follow the steps provided by Cisco in the link below:

Configuring Authentication Policies

Sou
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 40343308
Just wanted to understand with Cisco ISE will I be able to authenticate the end machines via MAC address.
If MAC address is there in the Cisco ISE database then the device needs to authenticate.
If not the device will not be part of the network.
Let me know if this can be achieved.
0
 
LVL 40

Expert Comment

by:noci
ID: 40343363
802.1x is for authenticating MACHINES without depending on changeable MAC addresses.

Using 802.1x, a machine first talks to the switch and authenticates itself using a certificate, and if the data the machine presents is acceptable the switch opens up the port with a set configuration (which might depend on the data presented).

So the MAC address is not part of the authentication configuration. Most of the time you will need a RADIUS server as well to implement the securing configuration.
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 40343430
My requirement is that I want to authenticate the machines connecting to the LAN via their MAC addresses.
Each machine will have its own MAC address. I want to create a central database of all the known MAC addresses, so when a machine first connects to the network the PC is authenticated via its MAC address.


I want to achieve this. Let me know how to do it.
0
 
LVL 40

Expert Comment

by:noci
ID: 40343460
I know each machine has a MAC address; the problem is those are not cast in concrete. They can be changed on the fly. So if you set up a port to accept 10:10:10:10:10:10, I can set my laptop to use that address, or your laptop... This can be done on the fly.
Catching valid MAC addresses is not too difficult.
802.1x won't do this for you.

There is an option in Cisco switches to "authenticate" a port, i.e. allow only one MAC address on a port.
You will need to configure it on every port you have, which is too much of a hassle, and it's a one-to-one link between a system and a port. This mechanism stems from the 1980s, when systems could not change their MAC address. A lot has changed since then.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 40343929
In short, you can use MAB for this via ISE.  It's not 802.1x per se, but it's what you want.

There is already a wired and wireless MAB authorization rule in ISE when it is first installed so all you need to do is add each MAC address to the internal endpoints database.  Job done.  Obviously configure your switches to do 802.1x and MAB.
0
 
LVL 16

Expert Comment

by:Aaron Street
ID: 40343979
Setting this up in ISE is very easy:

Step 1: Import all MAC addresses as "internal endpoints".
Step 2: Assign all the endpoints you created to an identity group.
Step 3: Create an authentication policy that says "if a device tries MAC address bypass, then use internal endpoints for authentication".
Step 4: Create an authorisation rule that says "if the device is in identity group X (the group you created above), then permit access".

So a device comes onto the network and the network asks it for 802.1x credentials; if these are not configured it will fail, and after a timeout the switch will send the MAC address to the ISE server (MAC address bypass, MAB).

ISE will then see it and try to match it with a device in its internal endpoint database; if this is successful it will then pass it to the next set of rules to see what to do, in this case permit.

Remember also that you have to configure the switch or wireless access point to support MAB.

802.1x is configured on both the switch the device connects to and the ISE server, so the switch must have it enabled on the port and have (in the case of Cisco) the configuration to fall back to MAB if no 802.1x credentials are supplied.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 40344027
Steps 3 and 4 are already done by default in ISE.  You only need to deviate from the defaults if you want to use a customized Authorization rule.

The default Authentication rule says "Wired or Wireless MAB use Internal Endpoints".
The default Authorization rule says "Permit Access".

ISE Default Authentication Rules
ISE Default Authorization Rules
0
 
LVL 16

Expert Comment

by:Aaron Street
ID: 40344264
They might not be done by default, depending on the choices made when installing ISE.

And while you can rely on the default rule of "permit access" (which is only configured by default like that if you chose the more relaxed restrictions during install), the idea being that you can test policies without the risk of it cutting everyone off the network, the recommended approach is to have the default as "deny access" with a rule above it that permits the devices you want.

I would also have a specific group for the devices in question so that you could have policies like:

if internal group X - permit on VLAN A
if internal group Y - permit on VLAN B

Starting off with a strict policy approach means that down the line you won't have to re-provision and cause disruption. If you can set up all 4 steps from scratch you will gain a good idea of how to create authentication and authorisation policies and manage multiple devices and provisioning.
0
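To make the four ISE steps above and the group-to-VLAN rules concrete, here is an added example (not from this thread, from Cisco, or from ISE itself) that models the MAB flow in Python: it normalises MAC addresses into one canonical spelling before they are imported as internal endpoints, tags them with an identity group, evaluates the MAB authentication rule ("use internal endpoints") and the authorisation rules with an explicit default deny, and, following noci's point that MAC addresses can be changed on the fly, flags a MAC that is active on more than one switch port at the same time. The CSV column names, the group names, the VLAN numbers and the session records are all constructed for this example; the CSV header in particular is an assumption and not ISE's import template.

```python
"""Added example: a small model of MAB authentication/authorisation against an
internal endpoints store. Everything here (column names, groups, VLANs,
session records) is constructed for illustration, not taken from ISE."""
import csv
import io
import re
from collections import defaultdict

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonical form: 12 uppercase hex digits, colon separated.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and
    aabbccddeeff. Anything else raises, so a bad spreadsheet row fails
    loudly instead of becoming an endpoint entry that never matches.
    """
    digits = re.sub(r"[:\-.\s]", "", raw).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_endpoint_import(entries) -> str:
    """Steps 1 and 2: CSV rows of endpoints tagged with an identity group.

    entries: iterable of (mac, identity_group). Duplicate MACs (in any
    spelling) collapse to one row. Column names are assumed, not ISE's.
    """
    seen = {}
    for mac, group in entries:
        seen[normalize_mac(mac)] = group
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["MACAddress", "IdentityGroup"])
    for mac in sorted(seen):
        writer.writerow([mac, seen[mac]])
    return out.getvalue()


# Step 4: authorisation rules evaluated top down, first match wins.
# A known endpoint whose group is not listed falls through to the default deny.
AUTHZ_RULES = [
    ("Printers", {"result": "ACCESS-ACCEPT", "vlan": 10}),      # constructed
    ("Workstations", {"result": "ACCESS-ACCEPT", "vlan": 20}),  # constructed
]
DEFAULT_DENY = {"result": "ACCESS-REJECT"}


def authorize_mab(request: dict, endpoints: dict) -> dict:
    """Steps 3 and 4 for one RADIUS request from the switch.

    request:   {"mac": str, "service": "MAB" | "DOT1X"}
    endpoints: {canonical mac: identity group}  (the internal endpoints store)
    """
    if request["service"] != "MAB":
        return DEFAULT_DENY            # this policy only covers MAB requests
    group = endpoints.get(normalize_mac(request["mac"]))
    if group is None:
        return DEFAULT_DENY            # authentication failed: unknown endpoint
    for rule_group, result in AUTHZ_RULES:
        if group == rule_group:
            return result
    return DEFAULT_DENY                # known endpoint, no matching rule


def macs_on_multiple_ports(sessions) -> dict:
    """Spoofing indicator: one MAC with active sessions on several ports.

    sessions: iterable of (mac, switch, port) for currently active sessions.
    Returns {mac: sorted ["switch/port", ...]} for MACs seen in more than one place.
    """
    where = defaultdict(set)
    for mac, switch, port in sessions:
        where[normalize_mac(mac)].add(f"{switch}/{port}")
    return {m: sorted(p) for m, p in where.items() if len(p) > 1}


if __name__ == "__main__":
    # Constructed inventory in three different MAC spellings.
    inventory = [("aabb.ccdd.eeff", "Printers"),
                 ("00-11-22-33-44-55", "Workstations"),
                 ("DE:AD:BE:EF:00:01", "Cameras")]
    print(build_endpoint_import(inventory))
    store = {normalize_mac(m): g for m, g in inventory}
    for mac in ("AA:BB:CC:DD:EE:FF", "00:11:22:33:44:55", "DE:AD:BE:EF:00:01", "ff:ff:ff:ff:ff:01"):
        print(mac, authorize_mab({"mac": mac, "service": "MAB"}, store))
    active = [("aabb.ccdd.eeff", "sw1", "Gi1/0/1"),
              ("AA:BB:CC:DD:EE:FF", "sw2", "Gi1/0/7"),
              ("00:11:22:33:44:55", "sw1", "Gi1/0/2")]
    print(macs_on_multiple_ports(active))
```

The "Cameras" endpoint is deliberately known to the store but absent from the rules: it authenticates, yet still receives the default deny, which is the strict posture recommended above. The multiple-ports check is the kind of condition worth alerting on from the RADIUS accounting or session data, since MAB on its own cannot tell a cloned MAC from the real device.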
 
LVL 46

Expert Comment

by:Craig Beck
ID: 40344267
They might not be done by default depending the choices made when installing ISE.
ISE 1.1 does this EVERY time.  ISE 1.2 installs these rules even if you choose to use the setup wizard (which isn't present in 1.1).
0
 
LVL 16

Expert Comment

by:Aaron Street
ID: 40344305
It doesn't; depending on how you run through the setup wizard it will end with either an explicit Permit or Deny statement.

Of course you can change it with a click, but it is not always "Permit"
0
 
LVL 46

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 40344552
Hmmm, I have an ISE in front of me right now running 1.2 update 1.  I ran through the setup wizard 3 times to simulate different scenarios and it gave me a PermitAccess Authz rule every time.  The Authc rules disappear if you enforce dot1x, but that's to be expected.

In any case, by default (as I said) the rules are configured to enable MAB.
Steps 3 and 4 are already done by default in ISE.  You only need to deviate from the defaults if you want to use a customized Authorization rule.
That would be achieved by either manually creating rules or by using the setup wizard.
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 40363186
Thanks.
I am trying this from my side.
0
 
LVL 1

Author Closing Comment

by:SrikantRajeev
ID: 40992210
Thanks
0
