802.1X using Mac Authentication with Cisco ACS or FreeRadius

TYT

802.1X using Mac Authentication with Cisco ACS or FreeRadius

Post by TYT »

I am trying to perform MAC authentication testing on Alcatel 6400/6850 on AOS 6.4.4, mainly for non-802.1X devices.

802.1X for domain machines was done successfully on Microsoft NPS.

However, for non-domain machines, I am trying to find a centralized method, as NPS requires us to create domain accounts based on the MAC address for non-802.1X devices, which I am not keen on.

I have tested on a Cisco ACS server v4.2 and was able to create a network profile that allows me to input MAC addresses for authentication. It worked without issue on Cisco switches, with or without dynamic VLAN assignment. However, with the 6400/6850, with or without dynamic VLAN roaming assignment, the device was authenticated successfully in its default VLAN.

However, when dynamic VLAN assignment is in use, the VLAN ID would not change. I selected IETF RADIUS for the Alcatel switches.

i.e. 802.1x slot/port non-supplicant policy authentication pass group-mobility fail block
or
802.1x slot/port non-supplicant policy authentication pass default vlan fail block

I understand that Alcatel sends the MAC address as a string of capital letters/numbers, but Cisco recognizes the MAC format only with ":", "-" or as xxxx.xxxx.xxxx. Not sure if this will have an effect.

Is there any way we can convert the MAC address to a format understood by the Cisco ACS server?

Or if not, how can we use FreeRADIUS to perform 802.1X with MAC authentication for non-supplicants?

Many Thx!
one6f

Re: 802.1X using Mac Authentication with Cisco ACS or FreeRadius

Post by one6f »

Use the Knowledge Base to search for NPS or FreeRADIUS, or search this forum.
For MAC auth in RADIUS you need to use the MAC address of the non-supplicant as user name and password. In FreeRADIUS you can also use the rewrite function to adjust MAC addresses. Let me know if you want more details.
silvio
Alcatel Unleashed Certified Guru
Posts: 2111
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1X using Mac Authentication with Cisco ACS or FreeRadius

Post by silvio »

Hi,
in addition to the info from one6f:
I have heard (but not tested; I have no access to the CLI guide right now) that with 6.4.4 it should be possible to use another format of MAC address (instead of strictly capital letters ...). Please look in the CLI guide for 6.4.4 for this, and let us know.
regards
Silvio
TYT

Re: 802.1X using Mac Authentication with Cisco ACS or FreeRadius

Post by TYT »

Thx one6f... Do you have info for FreeRADIUS?

Silvio, any idea what command that is, to use the other format? Thx
devnull

Re: 802.1X using Mac Authentication with Cisco ACS or FreeRadius

Post by devnull »

FreeRADIUS is more or less self-explanatory.
Add the switch as a RADIUS client (/etc/freeradius/clients.conf) and define a RADIUS key:
# RADIUS client entry: any switch in this subnet may send requests using this shared secret
client 192.168.1.0/24 {
    secret    = Radiuskey123
    # quoted because the value contains a space
    shortname = "My Tests"
}

Have a "MAC address" user (in this case returning the "voip" UNP) in /etc/freeradius/users:
# My phone: the switch sends its MAC address as both User-Name and User-Password
"0004132828B4" Cleartext-Password := "0004132828B4"
	# reply attribute: the UNP name the switch maps to a VLAN
	Filter-Id = "voip"

That's more or less all.
There are howtos for the basic setup (certificate creation and so on).

freeradius -X
starts FreeRADIUS in debug mode.
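TYT's question about the MAC format, one6f's note about rewriting the user name in FreeRADIUS, and devnull's users-file entry all hinge on the same point: the switch puts the MAC address into User-Name (and User-Password), and a server that compares that string literally only matches one spelling. The following Python is an added example, not code from any post in this thread and not from FreeRADIUS, Cisco ACS or Alcatel; it normalises the four spellings mentioned above to one canonical form, decides a MAC-auth request the way a users-file lookup would (returning the Filter-Id that devnull hands back as the UNP name), and can emit users-file entries in whichever spelling a given NAS sends. The allowlist, the MAC values and the "voip"/"printers" UNP names are constructed for the example.

```python
"""Normalise MAC-address user names for MAC authentication (constructed example).

The Alcatel switch sends the MAC as twelve upper-case hex digits with no
separators, while Cisco gear and Cisco ACS use one of the separator styles.
A RADIUS server that compares the raw User-Name string will only ever match
one spelling; normalising first makes the entry format-independent.
"""
import re

HEX12 = re.compile(r"^[0-9A-F]{12}$")

# Constructed allowlist for the example: canonical MAC -> Filter-Id (UNP name).
ALLOWLIST = {
    "0004132828B4": "voip",
    "001122AABBCC": "printers",
}


def canonical_mac(value):
    """Return the MAC as 12 upper-case hex digits, or None if it is not a MAC.

    Accepts 0004132828B4 (Alcatel), 00:04:13:28:28:b4, 00-04-13-28-28-B4 and
    0004.1328.28b4 (Cisco dotted form). Anything else is rejected rather than
    guessed at, so an arbitrary user name cannot be mistaken for a MAC.
    """
    if value is None:
        return None
    stripped = re.sub(r"[:\-.]", "", value.strip()).upper()
    return stripped if HEX12.match(stripped) else None


def format_mac(canonical, style):
    """Render a canonical MAC in the spelling a given NAS or server expects."""
    if not HEX12.match(canonical):
        raise ValueError("not a canonical MAC: %r" % canonical)
    pairs = [canonical[i:i + 2] for i in range(0, 12, 2)]
    if style == "alcatel":        # AOS 6.x: upper case, no separators
        return canonical
    if style == "cisco-colon":    # 00:04:13:28:28:b4
        return ":".join(pairs).lower()
    if style == "cisco-dash":     # 00-04-13-28-28-b4
        return "-".join(pairs).lower()
    if style == "cisco-dotted":   # 0004.1328.28b4
        return ".".join(canonical[i:i + 4] for i in range(0, 12, 4)).lower()
    raise ValueError("unknown style: %r" % style)


def mac_auth(user_name, password, allowlist=ALLOWLIST):
    """Simulate the RADIUS decision for one MAC-auth request.

    The NAS sends the MAC as both User-Name and User-Password; both are
    normalised and must agree. Returns the Filter-Id to put in the
    Access-Accept, or None for Access-Reject.
    """
    mac = canonical_mac(user_name)
    if mac is None or canonical_mac(password) != mac:
        return None
    return allowlist.get(mac)


def users_file_entries(allowlist=ALLOWLIST, style="alcatel"):
    """Emit FreeRADIUS 'users' entries in the spelling one NAS type sends.

    For when the server cannot rewrite the request and must hold the entry
    in exactly the form the switch presents it.
    """
    lines = []
    for mac, unp in sorted(allowlist.items()):
        shown = format_mac(mac, style)
        lines.append('"%s" Cleartext-Password := "%s"' % (shown, shown))
        lines.append('\tFilter-Id = "%s"' % unp)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed requests: the same phone as seen from an Alcatel and a Cisco
    # NAS, plus a non-MAC user name that must be rejected.
    for nas_mac in ("0004132828B4", "00:04:13:28:28:b4", "0004.1328.28b4", "bogus"):
        print("%-20s -> %s" % (nas_mac, mac_auth(nas_mac, nas_mac)))
    print(users_file_entries(style="cisco-colon"))
```

Run it directly to see the same phone accepted whether it arrives as 0004132828B4 or 00:04:13:28:28:b4, and a non-MAC user name rejected. In FreeRADIUS itself the counterpart of canonical_mac() is the rewrite one6f mentions, done in the authorize section before the files module runs, so that a single users entry serves Alcatel and Cisco switches alike.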
silvio

Re: 802.1X using Mac Authentication with Cisco ACS or FreeRadius

Post by silvio »

Hi,
I haven't found any command in the CLI guide for 6.4.4 or in the release notes.
So it seems that my info was wrong. I have forwarded this question to Alcatel and am waiting for an answer....
regards
silvio
Elie

Re: 802.1X using Mac Authentication with Cisco ACS or FreeRadius

Post by Elie »

Hi,
I'm taking the opportunity to post in your topic because I would also like to do some MAC authentication with automatic VLAN assignment. But I am OK with using domain users with the MAC address as name (and reversible-encryption passwords just for them) so that I can use NPS. So sorry, I won't be able to help you on that, but I would really appreciate your help as I am stuck, and it must be because of a small thing that I can't find.

In fact, I did not succeed in finding any kind of best-practice switch configuration for that! Probably because it is supposed to be simple... But I can't get it to work, and the switch won't even send any RADIUS traffic to my NPS server! In fact, what I am sure of is that I can't see any RADIUS traffic on my Windows server using Wireshark. I must be missing something that might be obvious to someone who has already done that!

So, here is my entire, very short configuration, starting with the simple VLAN part.
The RADIUS server (with DHCP and AD) is connected to port 1/1 with IP 192.168.101.7, and I want to enable MAC auth on port 1/11 so that the RADIUS server will move the client to VLAN 10 if it succeeds.


! VLAN :
vlan 1 enable name "VLAN 1"
vlan 10 enable name "DATA10"
vlan 10 port default 1/1
vlan 10 port default 1/2
vlan port mobile 1/11
vlan port 1/11 802.1x enable
Is the NAS supposed to communicate with the RADIUS server using its interface IP?


! IP :
ip service all
ip interface "VLAN10" address 192.168.101.251 mask 255.255.255.0 vlan 10 ifindex 2
And here is the RADIUS configuration (I have added the "aaa auth mac", but I think it's useless, right?):


! AAA :
aaa radius-server "radtest" host 192.168.101.7 key 825d480a367e1e062c78f41501f2106c retransmit 3 timeout 2 auth-port 1812 acct-port 1813
aaa authentication console "local"
aaa authentication 802.1x radtest
aaa authentication mac radtest
! PARTM :
! AVLAN :
! 802.1x :
802.1x 1/11 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/11 captive-portal session-limit 12 retry-count 3
802.1x 1/11 supp-polling retry 2
802.1x 1/11 supplicant policy authentication pass group-mobility default-vlan fail block
802.1x 1/11 non-supplicant policy block
802.1x 1/11 captive-portal policy authentication pass default-vlan fail block
All lines about the 802.1x configuration of the mobile port were generated automatically. As the VLAN assignment will be sent by the RADIUS server, I don't have to change anything, right?

So, I don't think I can make a simpler configuration, but I don't get any RADIUS traffic on my RADIUS server when I plug a client into port 1/11. Am I missing something?? Do I have to tell it anything else in order for it to contact my RADIUS server? The port and IP that it has to use to communicate from, maybe?

Thanks for your help, because I am sure that I am wasting a lot of time on something that should be simple!
devnull

Re: 802.1X using Mac Authentication with Cisco ACS or FreeRadius

Post by devnull »

Wrong...
MAC auth is non-supplicant, and your policy says: block.

So you need to change that line to something like this (this is a line I use):
802.1x 1/11 non-supplicant policy authentication pass group-mobility vlan 32 block fail default-vlan
Which means:
if the MAC is OK, honor the VLAN that is returned (or the UNP);
if no VLAN is returned but the MAC is OK, move to VLAN 32;
if authentication fails, move to the default VLAN.

For a UNP to work you need a line like
aaa user-network-profile name "VOIP" vlan 111

(You must create the UNP-to-VLAN assignment on every switch, but this is great if you e.g. have different VoIP VLANs in different buildings; in another building the switch then has:)
aaa user-network-profile name "VOIP" vlan 211
Elie

Re: 802.1X using Mac Authentication with Cisco ACS or FreeRadius

Post by Elie »

Thanks for your reply! So I understand now why the switch was not trying to ask my RADIUS server for authentication. I just told it to refuse non-supplicants directly and to only ask supplicants for credentials...

And thanks for all the explanations and advice, I will try that after the weekend and keep you updated!
Elie

Re: 802.1X using Mac Authentication with Cisco ACS or FreeRadius

Post by Elie »

Just a little new message to thank you again, devnull, you were correct!
Thanks for the advice, and good luck to TYT and silvio with the initial problem in this topic!