802.1x certificate authentication & MAC authorization

darknair
Level 1

I have ACS 5.8 and I am trying to use x509 authentication but use the devices' MAC addresses to identify which authorization policy the devices would match. I am not having any issues getting them to authenticate with the certificates, but I cannot figure out how to reasonably get them to uniquely match an authorization policy.

There are approx. 3K devices and they are all separated throughout the network and require different VLAN assignments. I would like to use their MAC addresses to uniquely identify each device for its authorization policy, but I am uncertain how to do that with x509 authentication. I want all of my authentication and authorization to be handled by ACS with no external identity stores. If I could use the internal host identity store for authorization policy selection and x509 certificates for authentication, then that would be ideal.

Is there a way to have an internal database of MACs or other uniquely identified information I could reference in the authorization policy? I have used MAB which references an identity group that is used in the authorization policy for uniquely assigning each device that connects.

Perfect scenario: A device starts 802.1x authentication and presents its certificate to ACS, then ACS uses the device's MAC address to match it to an authorization policy to be assigned an authorization profile.

Thanks for any help!

3 Replies

Francesco Molino
VIP Alumni

Hi

I'm sorry, but I have not understood what you want to achieve.

You have 3k devices and would like to apply 1 rule based on MAC address?

Anyhow, ACS has an internal identity store for hosts and users.

You're authenticating your devices through certificates. Who is your CA? Your AD? If yes, why not use group membership of hosts to apply specific authorization rules?

What type of certificates are you using? User or machine?

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

I think I have got it figured out. I will try and use end device filters to filter by MAC address after certificate authentication. I can apply the end device filters in the authorization policy and that should do it.
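The following is an added example, not code from this thread, from the poster, or from Cisco ACS itself. It models the approach settled on above: EAP-TLS (x509) proves the device holds a valid certificate, and then an ordered authorization policy matches the supplicant's MAC address (carried in the RADIUS Calling-Station-Id) against end-device filters to select an authorization profile, here a VLAN. The filter semantics (explicit MAC list plus inclusive MAC ranges), rule names, MACs and VLAN numbers are all constructed assumptions for illustration; check the exact filter types your ACS version supports.

```python
"""Added example: first-match authorization policy keyed on the supplicant MAC
after certificate authentication. Not from the thread or from Cisco ACS;
all rules, MACs and profiles below are constructed sample data."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(raw: str) -> str:
    """Canonical 12-hex-digit form. Switches report Calling-Station-Id in
    several formats (AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff),
    so every lookup normalizes first or filters silently fail to match."""
    mac = _NON_HEX.sub("", raw.lower())
    if len(mac) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


@dataclass
class EndDeviceFilter:
    """Assumed stand-in for an end-device filter: explicit MACs plus inclusive ranges."""
    macs: Set[str] = field(default_factory=set)
    ranges: List[Tuple[str, str]] = field(default_factory=list)

    @classmethod
    def build(cls, macs=(), ranges=()):
        # Normalize on the way in so the filter compares like with like.
        return cls(
            {normalize_mac(m) for m in macs},
            [(normalize_mac(lo), normalize_mac(hi)) for lo, hi in ranges],
        )

    def matches(self, mac: str) -> bool:
        return mac in self.macs or any(lo <= mac <= hi for lo, hi in self.ranges)


@dataclass
class Rule:
    name: str
    method: str                                # authentication method that must have succeeded
    device_filter: Optional[EndDeviceFilter]   # None = any device
    profile: Dict[str, int]                    # authorization profile attributes


def authorize(session: dict, rules: List[Rule], default_profile: Dict[str, int]):
    """First-match policy evaluation. Returns the selected profile, or None
    when access is denied (the session never authenticated)."""
    if not session.get("authenticated"):
        return None
    try:
        mac = normalize_mac(session.get("calling_station_id", ""))
    except ValueError:
        # A malformed or missing MAC cannot match any device filter; fall
        # through to the default rule rather than aborting the evaluation.
        mac = None
    for rule in rules:
        if rule.method != session.get("method"):
            continue
        if rule.device_filter is None:
            return rule.profile
        if mac is not None and rule.device_filter.matches(mac):
            return rule.profile
    return default_profile


# Constructed sample policy: two site-specific rules, then a default that
# lands unknown-but-validly-certified devices in a restricted VLAN.
POLICY = [
    Rule("Site-A-Printers", "EAP-TLS",
         EndDeviceFilter.build(macs=["AA-BB-CC-DD-EE-01", "aa:bb:cc:dd:ee:02"]),
         {"vlan": 110}),
    Rule("Site-B-Scanners", "EAP-TLS",
         EndDeviceFilter.build(ranges=[("00:11:22:33:44:00", "00:11:22:33:44:ff")]),
         {"vlan": 120}),
]
DEFAULT_PROFILE = {"vlan": 999}   # restricted VLAN, deliberately not a production one


def demo():
    """Constructed sessions: two filter hits, one unknown MAC, one failed auth."""
    requests = [
        {"authenticated": True, "method": "EAP-TLS", "calling_station_id": "aabb.ccdd.ee02"},
        {"authenticated": True, "method": "EAP-TLS", "calling_station_id": "00-11-22-33-44-7A"},
        {"authenticated": True, "method": "EAP-TLS", "calling_station_id": "de:ad:be:ef:00:01"},
        {"authenticated": False, "method": "EAP-TLS", "calling_station_id": "aabb.ccdd.ee01"},
    ]
    return [authorize(r, POLICY, DEFAULT_PROFILE) for r in requests]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two points the model makes visible: the MAC must be normalized before any filter comparison, because the format of Calling-Station-Id varies by switch platform and a mismatched format matches nothing; and the default rule matters, since every device with a valid certificate that is missing from the filters will land there, so it should assign a restricted VLAN rather than a production one.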

Ok. Let me know if you need further help. 

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question