Solved

802.1x MAC Authentication

Posted on 2014-09-24
Last Modified: 2015-09-23
I have Cisco ISE. I want to use Cisco ISE to authenticate the PCs and laptops connecting to the network switches using their MAC addresses.
Known devices whose MAC addresses are available in ISE should authenticate. Devices not authenticated by MAC should be blocked from access.
How do I configure this in Cisco ISE?
Question by: SrikantRajeev

14 Comments
 
Expert Comment by: Soufiane Adil, Ph.D
Hi

All you need to do is follow the steps provided by Cisco in the link below:

Configuring Authentication Policies

Sou

Author Comment by: SrikantRajeev
I just wanted to understand whether, with Cisco ISE, I will be able to authenticate the end machines via MAC address.
If the MAC address is in the Cisco ISE database then the device should authenticate.
If not, the device will not be part of the network.
Let me know if this can be achieved.

Expert Comment by: noci
802.1x is for authenticating MACHINES without depending on changeable MAC addresses.

Using 802.1x, a machine first talks to the switch and authenticates itself using a certificate, and if the data the machine presented is acceptable the switch opens up the port with a set configuration (which might depend on the data presented).

So there is no MAC address in the authentication configuration. Most of the time you will need a RADIUS server as well to implement the securing configuration.

Author Comment by: SrikantRajeev
My requirement is that I want to authenticate the machines connecting to the LAN via their MAC addresses.
Each machine will have its own MAC address. I want to create a central database of all the known MAC addresses, so when a machine first connects to the network the PC is authenticated via its MAC address.

I want to achieve this. Let me know how to do it.

Expert Comment by: noci
I know each machine has a MAC address; the problem is those are not cast in concrete. They can be changed on the fly. So if you set up a port to accept 10:10:10:10:10:10, I can set my laptop to use that address, or your laptop... this can be done on the fly.
Catching valid MAC addresses is not too difficult.
802.1x won't do this for you.

There is an option in Cisco switches to "authenticate" a port, i.e. allow only one MAC address on a port.
You will need to configure it on every port you have, which is too much of a hassle, and it's a one-to-one link between a system and a port. This mechanism stems from the 1980s, when systems could not change their MAC address. A lot has changed since then.

Expert Comment by: Craig Beck
In short, you can use MAB for this via ISE. It's not 802.1x per se, but it's what you want.

There is already a wired and wireless MAB authorization rule in ISE when it is first installed, so all you need to do is add each MAC address to the internal endpoints database. Job done. Obviously, configure your switches to do 802.1x and MAB.

Expert Comment by: Aaron Street
Setting this up in ISE is very easy:

Step 1: Import all MAC addresses as "internal endpoints".
Step 2: Assign all the endpoints you created to an identity group.
Step 3: Create an authentication policy that says "if the device tries MAC address bypass, then use internal endpoints for authentication".
Step 4: Create an authorisation rule that says "if the device is in identity group X (the group you created above), then permit access".

So a device comes onto the network and the network asks it for 802.1x credentials. If these are not configured it will fail, and after a timeout the switch will send the MAC address to the ISE server (MAC address bypass, MAB).

ISE will then see it and try to match it with a device in its internal endpoint database. If this is successful it will pass it to the next set of rules to see what to do, in this case permit.

Remember also that you have to configure the switch or wireless access point to support MAB.

802.1x is configured on both the switch the device connects to and the ISE server, so the switch must have it enabled on the port and have (in the case of Cisco) the configuration to fall back to MAB if no 802.1x credentials are supplied.

Expert Comment by: Craig Beck
Steps 3 and 4 are already done by default in ISE.  You only need to deviate from the defaults if you want to use a customized Authorization rule.

The default Authentication rule says "Wired or Wireless MAB use Internal Endpoints".
The default Authorization rule says "Permit Access".

ISE Default Authentication Rules
ISE Default Authorization Rules

Expert Comment by: Aaron Street
They might not be done by default, depending on the choices made when installing ISE.

And while you can rely on the default rule of "permit access" (which is only configured by default like that if you chose the more relaxed restrictions during install, the idea being that you can test policies without the risk of kicking everyone off the network), the recommended approach is to have the default as "deny access" with a rule above it that permits the devices you want.

I would also have a specific group for the devices in question so that you could have policies like:

if internal group X - permit on VLAN A
if internal group Y - permit on VLAN B

Starting off with a strict policy approach means that down the line you won't have to re-provision and cause disruption. If you can set up all 4 steps from scratch you will gain a good idea of how to create authentication and authorisation policies and manage multiple devices and provisioning.
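The four ISE steps Aaron lists earlier in the thread and the strict layout he recommends just above (an explicit deny as the last rule, with one permit-and-VLAN rule per identity group), as an added Python model that is not ISE code and not from the thread: MAC normalisation into the form ISE stores, an Internal Endpoints table with a bulk-import CSV, an authentication rule that only consults Internal Endpoints for wired MAB requests, and ordered authorization rules ending in DenyAccess. The identity-group names, VLAN numbers, sample MAC addresses and the CSV column names are assumptions made for the example.

```python
import csv
import io
import re

# Constructed sample inventory; group names, VLANs and MACs are assumptions.
MAC_GROUPS = {
    "Corp-Laptops": ["00:11:22:33:44:55", "0011.2233.4466"],
    "Printers": ["00-AA-BB-CC-DD-EE"],
}

# Ordered authorization rules (first match wins) followed by an explicit deny,
# instead of relying on the installer's bare PermitAccess default.
AUTHZ_RULES = [
    ("Corp-Laptops", {"result": "PermitAccess", "vlan": 10}),
    ("Printers", {"result": "PermitAccess", "vlan": 20}),
]
DEFAULT_RULE = {"result": "DenyAccess", "vlan": None}

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff
    (the forms switches and inventories use) and return the uppercase
    colon-separated form ISE stores."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).upper()
    if not _HEX12.match(digits):
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_endpoints(mac_groups):
    """Steps 1 and 2: the Internal Endpoints store as MAC -> identity group."""
    endpoints = {}
    for group, macs in mac_groups.items():
        for mac in macs:
            norm = normalize_mac(mac)
            if endpoints.get(norm, group) != group:
                raise ValueError("%s is listed in two identity groups" % norm)
            endpoints[norm] = group
    return endpoints


def endpoints_csv(endpoints):
    """Step 1 as a bulk-import file. Column names are assumed from ISE's
    endpoint import template; check them against your ISE version."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["MACAddress", "EndPointPolicy", "IdentityGroup"])
    for mac in sorted(endpoints):
        writer.writerow([mac, "Unknown", endpoints[mac]])
    return buf.getvalue()


def is_wired_mab(req):
    """ISE's built-in Wired_MAB condition: NAS-Port-Type Ethernet and
    Service-Type Call-Check, which is what a Cisco switch sends for MAB."""
    return req.get("nas_port_type") == "Ethernet" and req.get("service_type") == "Call-Check"


def authenticate(req, endpoints):
    """Step 3: wired MAB requests are looked up in Internal Endpoints. Returns
    the identity group, or None for a reject (unknown MAC, malformed request,
    or a request this rule does not match)."""
    if not is_wired_mab(req):
        return None  # 802.1X requests would hit a different rule; not modelled
    try:
        mac = normalize_mac(req.get("calling_station_id", ""))
        # For MAB the switch sends the MAC as User-Name too; a mismatch is not
        # a well-formed MAB request, so reject rather than guess.
        if normalize_mac(req.get("user_name", "")) != mac:
            return None
    except ValueError:
        return None
    return endpoints.get(mac)


def authorize(req, endpoints, rules=AUTHZ_RULES, default=DEFAULT_RULE):
    """Step 4: the first identity-group rule that matches wins; otherwise deny."""
    group = authenticate(req, endpoints)
    if group is None:
        return dict(default, reason="authentication failed")
    for rule_group, outcome in rules:
        if rule_group == group:
            return dict(outcome, reason="matched " + rule_group)
    return dict(default, reason="no authorization rule for " + group)


def mab_request(mac):
    """Constructed RADIUS Access-Request attributes for a wired MAB attempt."""
    return {"user_name": mac, "calling_station_id": mac,
            "nas_port_type": "Ethernet", "service_type": "Call-Check"}


if __name__ == "__main__":
    eps = build_endpoints(MAC_GROUPS)
    print(endpoints_csv(eps))
    for mac in ("00-11-22-33-44-55", "00aa.bbcc.ddee", "de:ad:be:ef:00:01"):
        print(mac, authorize(mab_request(mac), eps))
```

The normalisation step matters in practice because a Cisco switch formats the MAC differently in User-Name and Calling-Station-Id than a typical asset spreadsheet does; comparing raw strings is the usual reason a "known" MAC still gets rejected. Note also noci's point earlier in the thread: the model accepts whatever MAC the client presents, so MAB on its own is an inventory check, not proof of identity.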
 
Expert Comment by: Craig Beck
"They might not be done by default, depending on the choices made when installing ISE."
ISE 1.1 does this EVERY time. ISE 1.2 installs these rules even if you choose to use the setup wizard (which isn't present in 1.1).

Expert Comment by: Aaron Street
It doesn't. Depending on how you run through the setup wizard it will end with either an explicit Permit or Deny statement.

Of course you can change it with a click, but it is not always "Permit".

Accepted Solution by: Craig Beck (earned 500 total points)
Hmmm, I have an ISE in front of me right now running 1.2 update 1. I ran through the setup wizard 3 times to simulate different scenarios and it gave me a PermitAccess Authz rule every time. The Authc rules disappear if you enforce dot1x, but that's to be expected.

In any case, by default (as I said) the rules are configured to enable MAB.
"Steps 3 and 4 are already done by default in ISE. You only need to deviate from the defaults if you want to use a customized Authorization rule."
That would be achieved either by manually creating rules or by using the setup wizard.

Author Comment by: SrikantRajeev
Thanks.
I am trying this from my side.

Author Closing Comment by: SrikantRajeev
Thanks