802.1x MAC Authentication

I have Cisco ISE. I want to use Cisco ISE for authenticating the PCs, Laptops connecting to the network switches using MAC Address.
If the known devices whose MAC address are available in the ISE should authenticate. Non MAC authenticated devices should be blocked access.
How to configure this in the Cisco ISE....
SrikantRajeev Asked:
Soufiane Adil, Ph.D, IT Network Architect - CCNP/CCDP, Commented:
Hi

All you need to do is follow the steps provided by Cisco in the link below:

Configuring Authentication Policies

Sou
0
SrikantRajeev (Author) Commented:
Just wanted to understand with Cisco ISE will I be able to authenticate the end machines via MAC address.
If MAC address is there in the Cisco ISE database then the device needs to authenticate.
If not the device will not be part of the network.
Let me know if this can be achieved.
0
noci, Software Engineer, Commented:
802.1x is for authenticating MACHINES without depending on changeable MAC addresses.

Using 802.1x a machine first talks to the switch and authenticates itself using a certificate, and if the data the machine presents is acceptable the switch opens up the port with a set configuration (which might depend on the data presented).

So there is no MAC address part of the authentication configuration. Most of the time you will need a RADIUS server as well to implement the securing configuration.
0
SrikantRajeev (Author) Commented:
My requirement is that I want to authenticate the machines connecting to the LAN via its MAC address.
Each machine will have its own MAC address. I want to create a central database of all the known MAC address. So when the machine 1st connects to the network the PC should be authenticated via the MAC address.


I want to achieve this. Let me know how to do it.
0
noci, Software Engineer, Commented:
I know each machine has a MAC address; the problem is those are not cast in concrete. They can be changed on the fly. So if you set up a port to accept 10:10:10:10:10:10, I can fix my laptop to use that address, or your laptop... this can be done on the fly.
To catch valid MAC addresses is not too difficult.
802.1x won't do this for you.

There is an option in Cisco switches to "authenticate" a port, i.e. allow only one MAC address on a port.
You will need to configure it on every port you have, too much of a hassle, and it's a one-to-one link between a system and a port. This mechanism stems from the 1980's when systems could not change their MAC address. A lot has changed since then.
0
Craig Beck Commented:
In short, you can use MAB for this via ISE.  It's not 802.1x per-se but it's what you want.

There is already a wired and wireless MAB authorization rule in ISE when it is first installed so all you need to do is add each MAC address to the internal endpoints database.  Job done.  Obviously configure your switches to do 802.1x and MAB.
0
Aaron Street, Infrastructure Manager, Commented:
To set up in ISE it is very easy:

Step 1: Import all MAC addresses as "internal endpoints".
Step 2: Assign all the endpoints you create to an identity group.
Step 3: Create an authentication policy that says "if device tries MAC Address Bypass then use internal endpoints for authentication".
Step 4: Create an authorisation rule that says "if device is in identity group X (the group you created above) then permit access".

So the device comes on to the network, the network will ask it for 802.1x credentials; if these are not configured it will fail and after a timeout the switch will send the MAC address to the ISE server (MAC Address Bypass, MAB).

ISE will then see it and try to match it with a device in its internal endpoint database; if this is successful it will then pass it to the next set of rules to see what to do, in this case permit.

Remember also you have to configure the switch or wireless access point to support MAB.

802.1x is configured on both the switch the device connects to and the ISE server, so the switch must have it enabled on the port and have (in the case of Cisco) the configuration to fall back to MAB if no 802.1x credentials are supplied.
0
Craig Beck Commented:
Steps 3 and 4 are already done by default in ISE.  You only need to deviate from the defaults if you want to use a customized Authorization rule.

The default Authentication rule says "Wired or Wireless MAB use Internal Endpoints".
The default Authorization rule says "Permit Access".

ISE Default Authentication Rules
ISE Default Authorization Rules
0
Aaron Street, Infrastructure Manager, Commented:
They might not be done by default depending on the choices made when installing ISE.

And while you can rely on the default rule of "permit access" (which is only configured by default like that if you chose the more relaxed restrictions during install), the idea being that you can test policies without the risk of it crashing everyone on the network, the recommended approach is to have the default as "deny access" with a rule above it that permits the devices you want.

I would also have a specific group for the devices in question so that you could have policies like

if internal group X - permit on VLAN A
if internal group Y - permit on VLAN B

Starting off using a strict policy approach means that down the line you won't have to re-provision and cause disruption. If you set up all 4 steps from scratch you will gain a good idea of how to create authentication and authorisation policies and manage multiple devices and provisioning.
0
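A model of the strict policy described in the comment above and in Craig Beck's and Aaron Street's earlier steps, as an added example that is not part of the original thread and not ISE's own engine: MAB requests are matched against an internal endpoint database, the endpoint's identity group selects a VLAN, and anything else falls to a default deny. The MAC formats, the group and rule names and the sample endpoints are constructed; the RADIUS attribute layout (Service-Type Call-Check, MAC in User-Name and Calling-Station-Id) is what a Cisco switch typically sends for MAB and is stated here as an assumption.

```python
"""Simulated MAB authentication/authorization decision (constructed example).

Models: internal endpoints + identity groups -> ordered authorization rules
-> strict default deny. Not ISE code; data and names are made up.
"""
import re
from dataclasses import dataclass, field

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise the MAC spellings a switch may send (Cisco aabb.ccdd.eeff,
    RADIUS AA-BB-CC-DD-EE-FF, bare aabbccddeeff) to AA:BB:CC:DD:EE:FF so a
    lookup never fails just because of formatting."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class EndpointDB:
    """Internal endpoints: MAC -> endpoint identity group (steps 1 and 2)."""
    groups: dict = field(default_factory=dict)

    def add(self, mac: str, group: str) -> None:
        self.groups[normalize_mac(mac)] = group

    def lookup(self, mac: str):
        return self.groups.get(normalize_mac(mac))


@dataclass
class AuthzRule:
    """'if endpoint is in identity group X then permit on VLAN N' (step 4)."""
    name: str
    group: str
    vlan: int


def is_mab_request(req: dict) -> bool:
    """Step 3 condition. Assumed Cisco MAB shape: Service-Type Call-Check and
    the same MAC in User-Name and Calling-Station-Id."""
    if req.get("Service-Type") != "Call-Check":
        return False
    try:
        return normalize_mac(req["User-Name"]) == normalize_mac(req["Calling-Station-Id"])
    except (KeyError, ValueError):
        return False


def evaluate(db: EndpointDB, rules, req: dict) -> dict:
    """Return the RADIUS outcome and why, as a dict."""
    if not is_mab_request(req):
        return {"result": "Access-Reject", "reason": "not a MAB request"}
    mac = normalize_mac(req["Calling-Station-Id"])
    group = db.lookup(mac)
    if group is None:
        # Authentication fails: MAC is not in the internal endpoint database.
        # Note the limit noci raised: a cloned MAC of a known endpoint passes here.
        return {"result": "Access-Reject", "reason": "unknown endpoint"}
    for rule in rules:  # first match wins, top to bottom, as in ISE
        if rule.group == group:
            return {"result": "Access-Accept", "rule": rule.name,
                    "attributes": {"Tunnel-Type": "VLAN",
                                   "Tunnel-Medium-Type": "IEEE-802",
                                   "Tunnel-Private-Group-ID": str(rule.vlan)}}
    # Strict default: known endpoint, but no authorization rule matched.
    return {"result": "Access-Reject", "reason": "default deny"}


# Constructed sample endpoint database and rule set.
DB = EndpointDB()
DB.add("0011.2233.4455", "Corp-Laptops")
DB.add("00-AA-BB-CC-DD-EE", "Printers")
DB.add("001122334466", "Lab-Unclassified")   # group with no authz rule

RULES = [
    AuthzRule("Corp laptops to VLAN 10", "Corp-Laptops", 10),
    AuthzRule("Printers to VLAN 20", "Printers", 20),
]


def mab_request(mac: str) -> dict:
    """Build the attributes a Cisco switch is assumed to send for MAB."""
    canon = normalize_mac(mac)
    return {"Service-Type": "Call-Check",
            "User-Name": canon.replace(":", "").lower(),
            "Calling-Station-Id": canon.replace(":", "-")}


if __name__ == "__main__":
    for probe in ["0011.2233.4455", "00aabbccddee", "0011.2233.4466", "de:ad:be:ef:00:01"]:
        print(probe, evaluate(DB, RULES, mab_request(probe)))
```

The third sample endpoint shows why the default matters: it authenticates (the MAC is known) yet gets rejected because no authorization rule covers its group, which is the "deny by default, permit above" layout recommended in the comment. In ISE itself the equivalent is a DenyAccess default authorization rule beneath per-group rules, and a MAB authentication rule whose "if user not found" action is set to Reject rather than Continue.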
Craig Beck Commented:
They might not be done by default depending the choices made when installing ISE.
ISE 1.1 does this EVERY time.  ISE 1.2 installs these rules even if you choose to use the setup wizard (which isn't present in 1.1).
0
Aaron Street, Infrastructure Manager, Commented:
It doesn't; depending on how you run through the setup wizard it will end with either an explicit Permit or Deny statement.

Of course you can change it with a click, but it is not always "Permit"
0
Craig Beck Commented:
Hmmm, I have an ISE in front of me right now running 1.2 update 1.  I ran through the setup wizard 3 times to simulate different scenarios and it gave me a PermitAccess Authz rule every time.  The Authc rules disappear if you enforce dot1x, but that's to be expected.

In any case, by default (as I said) the rules are configured to enable MAB.
Steps 3 and 4 are already done by default in ISE.  You only need to deviate from the defaults if you want to use a customized Authorization rule.
That would be achieved by either manually creating rules or by using the setup wizard.
0
SrikantRajeev (Author) Commented:
thanks.
I am trying this from my side.
0
SrikantRajeev (Author) Commented:
Thanks
0