Mac address based authentication with TACACS

Firewalls, PIX, ASA, VPN, Access Control List, User Authentication, Data Encryption and Best Practices.

Re:Mac address based authentication with TACACS

Postby Guest » Sun Jul 09, 2006 8:24 am


In this section we are not really looking at the TACACS options. We are actually looking at what the ACS Server supports for EAP authentication types:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp349274

ACS supports both protocols, RADIUS and TACACS, but TACACS does not support the EAP methods... so if we have a RADIUS client (switch, AP...) then we can set up MAC authentication. Please look at this example:

http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/standalone_mab_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1056526

Guest
 

Re:Mac address based authentication with TACACS

Postby Guest » Sun Jul 09, 2006 10:00 am


Ok, thank you.

So how can I configure MAC address based authentication with ACS to grant wireless access only to specific users?

Guest
 

Re:Mac address based authentication with TACACS

Postby Guest » Sun Jul 09, 2006 10:16 am


Here is an example of how to set up an AP against ACS:

Set Up the AP on the ACS

Complete these steps to set up the AP on the ACS:

  1. On the ACS server, click Network Configuration on the left.

  2. To add a AAA client, click Add Entry.

  3. Enter these values in the boxes:

    • AAA Client IP Address—IP_of_your_AP

    • Key—Make up a key (make sure the key matches the AP shared secret key)

    • Authenticate Using—RADIUS (Cisco Aironet)

  4. Click Submit & Restart.

MAC Authentication

Add a MAC Address to ACS

Complete these steps:

  1. From the ACS main menu, click on the User Setup button.

  2. In the User text box, enter the MAC address to add to the user database.

    Note: The MAC address must be exactly as it is sent by the AP for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is being reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.

  3. On the User Setup screen, enter the MAC address in the Secure-PAP password text box.

    Note: The MAC address must be exactly as it is sent by the AP for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is being reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.

  4. Check the Separate (CHAP/MS-CHAP) box.

  5. Enter a password for CHAP/MS-CHAP (this password should be different from the MAC address).

  6. Click Submit.

IOS AP Web Interface

Complete these steps:

  1. Choose Security > Server Manager.

  2. From the Current Server List drop-down list, choose RADIUS.

  3. Enter the ACS IP address.

  4. Enter the shared secret (must match the key in ACS).

  5. Click Apply.

  6. From the EAP Authentication drop-down list, choose the RADIUS server's IP address.

  7. Click Apply.

SSID Manager (WEP Encryption Only)

Complete these steps for WEP encryption only:

  1. Choose the SSID from the Current SSID List, or enter a new SSID in the SSID field.

  2. Check the Open Authentication box.

  3. From the drop-down list, choose with EAP.

  4. Check the Network EAP box.

  5. Click Apply.

Encryption Manager (WEP Encryption Only)

Complete these steps for WEP encryption only:

  1. Choose Security > Encryption Manager.

  2. Click the WEP Encryption radio button.

  3. From the drop-down list, choose Mandatory.

  4. Click the Encryption Key 1 radio button.

  5. Enter the key.

  6. From the Key Size drop-down list, choose 128.

  7. Click Apply.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml#mac

Guest
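
The note in the post above warns that the ACS user entry must match the MAC exactly as the AP sends it and that pasted text can carry phantom characters. The following check is an added example, not part of the original post or of Cisco's documentation; the function names and the sample MAC strings are constructed for illustration.

```python
import unicodedata

HEX = set("0123456789abcdefABCDEF")

def phantom_chars(s):
    """Return (index, description) for every character that is not visible ASCII."""
    found = []
    for i, ch in enumerate(s):
        if not (0x20 < ord(ch) < 0x7F):
            name = unicodedata.name(ch, "UNNAMED")
            found.append((i, f"U+{ord(ch):04X} {name}"))
    return found

def hex_digits(s):
    """Keep only the hex digits, lower-cased, so formats can be compared."""
    return "".join(ch.lower() for ch in s if ch in HEX)

def check_entry(entered, reported):
    """Compare the string typed into the ACS User box (entered) with the
    username shown in the failed attempts log (reported)."""
    problems = []
    phantoms = phantom_chars(entered)
    for idx, desc in phantoms:
        problems.append(f"phantom character at position {idx}: {desc}")
    if len(hex_digits(entered)) != 12:
        problems.append("entry does not contain exactly 12 hex digits")
    elif hex_digits(entered) != hex_digits(reported):
        problems.append("different MAC address than the one reported")
    elif entered != reported and not phantoms:
        problems.append(f"same MAC, different format; AP sends {reported!r}")
    return problems

# Constructed sample: the format the AP reported, and three candidate entries.
REPORTED = "0040961a2b3c"
if __name__ == "__main__":
    for candidate in ("0040961a2b3c", "00-40-96-1A-2B-3C", "0040961a2b3c\u200b"):
        print(repr(candidate), check_entry(candidate, REPORTED) or "OK")
```
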
 

Re:Mac address based authentication with TACACS

Postby Guest » Sun Jul 09, 2006 11:10 am


Thank you!

Guest
 

Re: Mac address based authentication with TACACS

Postby blairnic » Tue Sep 20, 2011 7:16 am

TACACS is primarily used for authentication of administrators accessing Cisco network devices but can be used and is often used for authentication of end users trying to obtain general access to the network. RADIUS is the reverse. It is primarily used for authentication of end users trying to obtain general access to the network but can also be used for authentication of administrators accessing Cisco network devices.

WLAN authentication using EAP requires the authenticator (a fat AP or more likely a controller because thin APs are being used) and an authentication server to exchange EAP messages. EAP attributes have been defined for the RADIUS protocol, but not TACACS. Therefore EAP authentication requires RADIUS.

Cisco ACS supports both RADIUS and TACACS. You can use TACACS for general (non-EAP) user authentication and network device administrator authentication. You can only use RADIUS for EAP authentication of WLAN users.

The user directory (e.g. AD) can be external to ACS and ACS can authenticate to RADIUS and TACACS authentication requests using the same authentication server.
blairnic
Hello I'm new here
 
Posts: 1
Joined: Tue Sep 20, 2011 7:04 am
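
The RADIUS attributes the post above refers to are EAP-Message (type 79) and Message-Authenticator (type 80), defined in RFC 3579. The sketch below is an added example, not part of the original thread: it builds an Access-Request carrying an EAP-Response/Identity the way an authenticator would, then verifies it on the server side, which also shows why the shared secret on the AP must match the key in ACS. The secret, identity and packet values are constructed.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (including header), value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, ident, req_auth, username, eap_packet):
    """Authenticator side: Access-Request (code 1) with User-Name and EAP-Message."""
    attrs = (attr(1, username) + attr(EAP_MESSAGE, eap_packet)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = bytearray(struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs)
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def parse_attributes(pkt):
    """Yield (type, value_offset, value) for each attribute in the packet."""
    length = struct.unpack("!H", pkt[2:4])[0]
    if length > len(pkt):
        raise ValueError("truncated packet")
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        yield attr_type, pos + 2, pkt[pos + 2:pos + attr_len]
        pos += attr_len

def verify_eap_request(secret, pkt):
    """Server side: return the EAP payload if Message-Authenticator verifies, else None."""
    zeroed, received, eap = bytearray(pkt), None, b""
    for attr_type, offset, value in parse_attributes(pkt):
        if attr_type == EAP_MESSAGE:
            eap += value  # long EAP packets are split across several attributes
        elif attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            received = value
            zeroed[offset:offset + 16] = bytes(16)
    if received is None or not eap:
        return None  # EAP without Message-Authenticator must be rejected
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return eap if hmac.compare_digest(received, expected) else None

# Constructed sample values.
SECRET = b"constructed-shared-secret"
IDENTITY = b"wlan-user"
EAP = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY  # Response/Identity
PACKET = build_access_request(SECRET, 7, bytes(range(16)), IDENTITY, EAP)
```
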
