Solved

802.1x MAC Authentication

Posted on 2014-09-24
Last Modified: 2015-09-23
I have Cisco ISE. I want to use Cisco ISE for authenticating the PCs and laptops connecting to the network switches using their MAC address.
Known devices whose MAC addresses are available in ISE should authenticate. Devices that are not MAC authenticated should be blocked from access.
How do I configure this in Cisco ISE?
Question by:SrikantRajeev
14 Comments
 
LVL 3

Expert Comment

by:Soufiane Adil, Ph.D
ID: 40343015
Hi

All you need to do is follow the steps provided by Cisco in the link below:

Configuring Authentication Policies

Sou
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 40343308
I just wanted to understand whether, with Cisco ISE, I will be able to authenticate the end machines via MAC address.
If the MAC address is in the Cisco ISE database then the device needs to authenticate.
If not, the device will not be part of the network.
Let me know if this can be achieved.
 
LVL 40

Expert Comment

by:noci
ID: 40343363
802.1x is for authenticating MACHINES without depending on changeable MAC addresses.

Using 802.1x, a machine first talks to the switch and authenticates itself using a certificate, and if the data the machine presents is acceptable the switch opens up the port with a set configuration (which might depend on the data presented).

So no MAC address is part of the authentication configuration. Most of the time you will need a RADIUS server as well to implement the securing configuration.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 40343430
My requirement is that I want to authenticate the machines connecting to the LAN via their MAC address.
Each machine will have its own MAC address. I want to create a central database of all the known MAC addresses. So when the machine first connects to the network, the PC should be authenticated via its MAC address.

I want to achieve this. Let me know how to do it.
 
LVL 40

Expert Comment

by:noci
ID: 40343460
I know each machine has a MAC address; the problem is those are not cast in concrete. They can be changed on the fly. So if you set up a port to accept 10:10:10:10:10:10, I can fix my laptop to use that address, or your laptop... this can be done on the fly.
To catch valid MAC addresses is not too difficult.
802.1x won't do this for you.

There is an option in Cisco switches to "authenticate" a port, i.e. allow only one MAC address on a port.
You will need to configure it on every port you have, too much of a hassle, and it's a one-to-one link between a system and a port. This mechanism stems from the 1980's when systems could not change their MAC address. A lot has changed since then.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40343929
In short, you can use MAB for this via ISE.  It's not 802.1x per se but it's what you want.

There is already a wired and wireless MAB authorization rule in ISE when it is first installed so all you need to do is add each MAC address to the internal endpoints database.  Job done.  Obviously configure your switches to do 802.1x and MAB.
 
LVL 16

Expert Comment

by:Aaron Street
ID: 40343979
To set up in ISE it is very easy.

Step 1: Import all MAC addresses as "internal endpoints".
Step 2: Assign all the endpoints you create to an identity group.
Step 3: Create an Authentication policy that says "if the device tries MAC address bypass then use internal endpoints for authentication".
Step 4: Create an Authorisation rule that says "if the device is in identity group X (the group you created above) then permit access".

So the device comes onto the network, the network will ask it for 802.1x credentials; if these are not configured it will fail, and after a timeout the switch will send the MAC address to the ISE server (MAC address bypass, MAB).

ISE will then see it and try to match it with a device in its internal endpoint database. If this is successful it will then pass it to the next set of rules to see what to do, in this case permit.

Remember also you have to configure the switch or wireless access point to support MAB.

802.1x is configured on both the switch the device connects to and the ISE server, so the switch must have it enabled on the port and have (in the case of Cisco) the configuration to fall back to MAB if no 802.1x credentials are supplied.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40344027
Steps 3 and 4 are already done by default in ISE.  You only need to deviate from the defaults if you want to use a customized Authorization rule.

The default Authentication rule says "Wired or Wireless MAB use Internal Endpoints".
The default Authorization rule says "Permit Access".

ISE Default Authentication Rules
ISE Default Authorization Rules
 
LVL 16

Expert Comment

by:Aaron Street
ID: 40344264
They might not be done by default depending on the choices made when installing ISE.

And while you can rely on the default rule of "permit access" (which is only configured by default like that if you chose the more relaxed restrictions during install), the idea being that you can test policies without the risk of it crashing everyone off the network, the recommended approach is to have the default as "deny access" with a rule above that permits the devices you want.

I would also have a specific group for the devices in question so that you could have policies like

if internal group X - permit on VLAN A
if internal group Y - permit on VLAN B

Starting off using a strict policy approach means that down the line you won't have to re-provision and cause disruption. If you can set up all 4 steps from scratch you will gain a good idea of how to create authentication and authorisation policies and manage multiple devices and provisioning.
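The four steps laid out in comment 40343979 and the default-deny, group-to-VLAN layout recommended in comment 40344264, as an added stand-alone simulation. This is not Cisco ISE code and not code from anyone in this thread; the endpoint MACs, group names, VLAN numbers, rule names and the dictionary standing in for the switch's RADIUS request are constructed sample data. What it shows is how a MAB request is matched against an internal endpoint store and then walked through ordered authorization rules that fall through to deny, and why the MAC format the switch sends has to be normalised before the lookup.

```python
"""
Simulation of the ISE MAB flow discussed in this thread (added example, not
Cisco ISE code): endpoints imported into an internal endpoint store (step 1),
grouped into identity groups (step 2), an authentication policy that resolves
MAB requests against that store (step 3), and an ordered authorization policy
with a default deny that maps groups to VLANs (step 4).
All MACs, group names, VLAN ids and rule names below are constructed samples.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# RADIUS Service-Type value a switch uses for a MAB request (RFC 2865: Call-Check = 10).
SERVICE_TYPE_CALL_CHECK = 10


def normalize_mac(raw: str) -> str:
    """Canonicalise the MAC spellings that arrive in User-Name / Calling-Station-Id
    (aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aabbccddeeff) to
    lower-case colon form so that one store entry matches all of them."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


@dataclass
class EndpointStore:
    """Steps 1 and 2: internal endpoints and the identity group each belongs to."""
    groups: Dict[str, str] = field(default_factory=dict)  # canonical mac -> group

    def add(self, mac: str, group: str) -> None:
        self.groups[normalize_mac(mac)] = group

    def lookup(self, mac: str) -> Optional[str]:
        return self.groups.get(normalize_mac(mac))


@dataclass
class AuthzResult:
    access: str                  # "permit" or "deny"
    vlan: Optional[int] = None   # VLAN handed back on permit
    rule: str = ""               # name of the rule that matched


def authenticate(store: EndpointStore, request: dict) -> Optional[Tuple[str, str]]:
    """Step 3: authentication policy. Only a MAB-shaped request (Service-Type
    Call-Check with User-Name equal to Calling-Station-Id) is resolved against
    the internal endpoint store; anything else is not authenticated here."""
    if request.get("Service-Type") != SERVICE_TYPE_CALL_CHECK:
        return None
    try:
        user = normalize_mac(request.get("User-Name", ""))
        csid = normalize_mac(request.get("Calling-Station-Id", ""))
    except ValueError:
        return None
    if user != csid:
        return None
    group = store.lookup(csid)
    return None if group is None else (csid, group)


# Step 4: ordered authorization rules (constructed names and VLANs), evaluated top-down.
AUTHZ_RULES = [
    ("Printers-VLAN", "printers", 20),
    ("Staff-PCs-VLAN", "staff-pcs", 10),
]


def authorize(identity: Optional[Tuple[str, str]]) -> AuthzResult:
    """Step 4: walk the rules; anything not explicitly permitted hits the default deny."""
    if identity is None:
        return AuthzResult("deny", rule="Default (deny)")
    _mac, group = identity
    for name, wanted_group, vlan in AUTHZ_RULES:
        if group == wanted_group:
            return AuthzResult("permit", vlan, name)
    return AuthzResult("deny", rule="Default (deny)")


def decide(store: EndpointStore, request: dict) -> AuthzResult:
    """Full MAB decision for one request: authenticate, then authorize."""
    return authorize(authenticate(store, request))


def build_store() -> EndpointStore:
    """Constructed sample endpoint database (step 1 and 2)."""
    store = EndpointStore()
    store.add("00:11:22:33:44:55", "staff-pcs")
    store.add("0011.2233.4466", "printers")     # same MAC family, Cisco dotted form
    return store


def mab_request(mac: str) -> dict:
    """Constructed stand-in for the RADIUS Access-Request a switch sends on MAB fallback."""
    return {"Service-Type": SERVICE_TYPE_CALL_CHECK,
            "User-Name": mac, "Calling-Station-Id": mac}


if __name__ == "__main__":
    s = build_store()
    for mac in ("00-11-22-33-44-55", "0011.2233.4466", "00:11:22:33:44:77"):
        print(mac, decide(s, mab_request(mac)))
```

The decision keys on nothing but the MAC, which is the limitation noci raises earlier in the thread: a device with a known address is accepted whether or not it is the expected machine, so a MAB-only rule belongs in a restricted VLAN with the default rule set to deny, as recommended above, rather than in the same policy tier as certificate-based 802.1x.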
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40344267
They might not be done by default depending the choices made when installing ISE.
ISE 1.1 does this EVERY time.  ISE 1.2 installs these rules even if you choose to use the setup wizard (which isn't present in 1.1).
 
LVL 16

Expert Comment

by:Aaron Street
ID: 40344305
It doesn't; depending on how you run through the setup wizard it will end with either an explicit Permit or Deny statement.

Of course you can change it with a click, but it is not always "Permit"
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 40344552
Hmmm, I have an ISE in front of me right now running 1.2 update 1.  I ran through the setup wizard 3 times to simulate different scenarios and it gave me a PermitAccess Authz rule every time.  The Authc rules disappear if you enforce dot1x, but that's to be expected.

In any case, by default (as I said) the rules are configured to enable MAB.
Steps 3 and 4 are already done by default in ISE.  You only need to deviate from the defaults if you want to use a customized Authorization rule.
That would be achieved by either manually creating rules or by using the setup wizard.
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 40363186
Thanks.
I am trying this from my side.
 
LVL 1

Author Closing Comment

by:SrikantRajeev
ID: 40992210
Thanks