Solved

802.1x MAC Authentication

Posted on 2014-09-24
Last Modified: 2015-09-23
I have Cisco ISE. I want to use Cisco ISE for authenticating the PCs and laptops connecting to the network switches using their MAC address.
Known devices whose MAC addresses are available in ISE should authenticate. Devices that are not MAC-authenticated should be blocked from access.
How do I configure this in Cisco ISE?
Question by: SrikantRajeev
14 Comments
 
LVL 3

Expert Comment

by:Soufiane Adil, Ph.D
ID: 40343015
Hi

All you need to do is follow the steps provided by Cisco in the link below:

Configuring Authentication Policies

Sou
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 40343308
Just wanted to understand: with Cisco ISE, will I be able to authenticate the end machines via MAC address?
If the MAC address is there in the Cisco ISE database then the device needs to authenticate.
If not, the device will not be part of the network.
Let me know if this can be achieved.
0
 
LVL 40

Expert Comment

by:noci
ID: 40343363
802.1x is for authenticating MACHINES without depending on changeable MAC addresses.

Using 802.1x a machine first talks to the switch and authenticates itself using a certificate, and if the data the machine presented is acceptable the switch opens up the port with a set configuration (which might depend on the data presented).

So the MAC address is not part of the authentication configuration. Most of the time you will need a RADIUS server as well to implement the securing configuration.
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 40343430
My requirement is that I want to authenticate the machines connecting to the LAN via their MAC addresses.
Each machine will have its own MAC address. I want to create a central database of all the known MAC addresses. So when a machine first connects to the network, the PC should be authenticated via its MAC address.

I want to achieve this. Let me know how to do it.
0
 
LVL 40

Expert Comment

by:noci
ID: 40343460
I know each machine has a MAC address; the problem is those are not cast in concrete. They can be changed on the fly. So if you set up a port to accept 10:10:10:10:10:10, I can fix my laptop to use that address, or your laptop... this can be done on the fly.
To catch valid MAC addresses is not too difficult.
802.1x won't do this for you.

There is an option in Cisco switches to "authenticate" a port, i.e. allow only one MAC address on a port.
You will need to configure it on every port you have, too much of a hassle, and it's a one-to-one link between a system and a port. This mechanism stems from the 1980s, when systems could not change their MAC address. A lot has changed since then.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40343929
In short, you can use MAB for this via ISE. It's not 802.1x per se, but it's what you want.

There is already a wired and wireless MAB authorization rule in ISE when it is first installed, so all you need to do is add each MAC address to the internal endpoints database. Job done. Obviously, configure your switches to do 802.1x and MAB.
0
 
LVL 16

Expert Comment

by:Aaron Street
ID: 40343979
To set up in ISE it is very easy:

Step 1: Import all MAC addresses as "internal endpoints".
Step 2: Assign all the endpoints you create to an identity group.
Step 3: Create an authentication policy that says "if the device tries MAC address bypass then use internal endpoints for authentication".
Step 4: Create an authorisation rule that says "if the device is in identity group X (the group you created above) then permit access".

So the device comes on to the network and the network asks it for 802.1x credentials; if these are not configured it will fail, and after a timeout the switch will send the MAC address to the ISE server (MAC address bypass, MAB).

ISE will then see it and try to match it with a device in its internal endpoint database; if this is successful it will then pass it to the next set of rules to see what to do, in this case permit.

Remember also that you have to configure the switch or wireless access point to support MAB.

802.1x is configured on both the switch the device connects to and the ISE server, so the switch must have it enabled on the port and have (in the case of Cisco) the configuration to fall back to MAB if no 802.1x credentials are supplied.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40344027
Steps 3 and 4 are already done by default in ISE. You only need to deviate from the defaults if you want to use a customized Authorization rule.

The default Authentication rule says "Wired or Wireless MAB use Internal Endpoints".
The default Authorization rule says "Permit Access".

ISE Default Authentication Rules
ISE Default Authorization Rules
0
 
LVL 16

Expert Comment

by:Aaron Street
ID: 40344264
They might not be done by default, depending on the choices made when installing ISE.

And while you can rely on the default rule of "permit access" (which is only configured by default like that if you chose the more relaxed restrictions during install), the idea being that you can test policies without the risk of knocking everyone off the network, the recommended approach is to have the default as "deny access" with a rule above it that permits the devices you want.

I would also have a specific group for the devices in question so that you could have policies like

if internal group X - permit on VLAN A
if internal group Y - permit on VLAN B

Starting off with a strict policy approach means that down the line you won't have to re-provision and cause disruption. If you can set up all 4 steps from scratch you will gain a good idea of how to create authentication and authorisation policies and manage multiple devices and provisioning.
0
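An added example (not code from the thread or from ISE itself) that models the four steps and the group-to-VLAN rules described in the comments above as a small policy evaluator: a constructed endpoint store, MAC normalisation for the forms a switch places in the RADIUS User-Name, a MAB-only authentication rule keyed on Service-Type Call-Check, and an explicit default deny. All MACs, group names and rule names are constructed; the clone caveat in the comments reflects noci's point earlier in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for ISE internal endpoints (steps 1 and 2): MAC -> identity group.
ENDPOINTS = {
    "00:11:22:aa:bb:cc": "Corp-Laptops",
    "00:11:22:aa:bb:dd": "Printers",
    "00:11:22:aa:bb:ee": "Unassigned",   # known MAC, but no authorization rule
}

# Constructed authorization rules (step 4), evaluated top-down, first match
# wins; anything that falls through hits the explicit default deny.
AUTHZ_RULES = [
    ("Corp-Laptops", "PermitAccess", "A"),   # "if internal group X - permit on VLAN A"
    ("Printers",     "PermitAccess", "B"),   # "if internal group Y - permit on VLAN B"
]

@dataclass
class Decision:
    result: str                  # "PermitAccess", "DenyAccess" or "Reject"
    vlan: Optional[str] = None
    reason: str = ""

def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise the MAC as switches send it in the RADIUS User-Name:
    12 bare hex digits, Cisco dotted (0011.22aa.bbcc), colon or dash form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def evaluate_mab(radius_username: str, service_type: str) -> Decision:
    # Authentication rule (step 3): "if the request is MAB, use Internal
    # Endpoints". Cisco switches mark MAB requests with Service-Type Call-Check.
    if service_type != "Call-Check":
        return Decision("Reject", reason="not a MAB request")
    mac = normalize_mac(radius_username)
    if mac is None:
        return Decision("Reject", reason="malformed MAC in User-Name")
    group = ENDPOINTS.get(mac)
    if group is None:
        return Decision("Reject", reason="MAC not in internal endpoints")
    # Authorization: first matching group rule, else default deny. Note that a
    # match only proves the frame carried a known MAC, which anyone can clone.
    for rule_group, result, vlan in AUTHZ_RULES:
        if rule_group == group:
            return Decision(result, vlan, f"matched rule for {rule_group}")
    return Decision("DenyAccess", reason="default deny")
```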
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40344267
They might not be done by default, depending on the choices made when installing ISE.
ISE 1.1 does this EVERY time. ISE 1.2 installs these rules even if you choose to use the setup wizard (which isn't present in 1.1).
0
 
LVL 16

Expert Comment

by:Aaron Street
ID: 40344305
It doesn't; depending on how you run through the setup wizard it will end with either an explicit Permit or Deny statement.

Of course you can change it with a click, but it is not always "Permit".
0
 
LVL 45

Accepted Solution

by: Craig Beck (earned 500 total points)
ID: 40344552
Hmmm, I have an ISE in front of me right now running 1.2 update 1. I ran through the setup wizard 3 times to simulate different scenarios and it gave me a PermitAccess Authz rule every time. The Authc rules disappear if you enforce dot1x, but that's to be expected.

In any case, by default (as I said) the rules are configured to enable MAB.
Steps 3 and 4 are already done by default in ISE. You only need to deviate from the defaults if you want to use a customized Authorization rule.
That would be achieved either by manually creating rules or by using the setup wizard.
0
 
LVL 1

Author Comment

by:SrikantRajeev
ID: 40363186
Thanks.
I am trying this from my side.
0
 
LVL 1

Author Closing Comment

by:SrikantRajeev
ID: 40992210
Thanks
0

Question has a verified solution.