4-13
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter4 Common Scenarios Using ACS
Agentless Network Access
The default security policy says that 802.1x authentication must succeed before access to the network is
granted. Therefore, by default, non-802.1x-capable devices cannot get a ccess to an 802.1x-protected
network.
Although many devices increasingly support 802.1x, there will always be d evices that require network
connectivity, but do not, or cannot, support 802.1x. Examples of such devices inc lude network printers,
badge readers, and legacy servers. You must make some provision for these devices.
Cisco provides two features to accommodate non-802.1x devices. For example, MAC Authentication
Bypass (Host Lookup) and the Guest VLAN access by using web authentication.
ACS 5.4 supports the Host Lookup fallback mechanism when there is no 802.1x supplicant. After 802.1x
times out on a port, the port can move to an open state if Host Lookup is configured and succeeds.
Related Topics
Host Lookup, page 4-13
Agentless Network Access Flow, page4-16
Host Lookup
ACS uses Host Lookup as the validation method when an identity cannot be authenticated according to
credentials (for example, password or certificate), and ACS needs to validate the iden tity by doing a
lookup in the identity stores.
An example for using host lookup is when a network device is configur ed to request MAC
Authentication Bypass (MAB). This can happen after 802.1x times out on a port or if the port is
explicitly configured to perform authentication bypass. When MAB is implemented, the host connects
to the network access device.
The device detects the absence of the appropriate software agent on the host and determines that it must
identify the host according to its MAC address. The device sends a RADIUS request with
service-type=10 and the MAC address of the host to ACS in the calling-station-id attribute.
Some devices might be configured to implement the MAB request by sending PAP or EAP-MD5
authentication with the MAC address of the host in the user name, user password, and CallingStationID
attributes, but without the service-type=10 attribute.
While most use cases for host lookup are to obtain a MAC address, there are other scenarios where a
device requests to validate a different parameter, and the calling-station-id attribute contains this value
instead of the MAC address. For example, IP address in layer 3 use cases) .
Table 4 -3 describes the RADIUS parameters required for host lookup use cases.
Table4-3 RADIUS Attributes for Host Lookup Use Cases
Attribute
Use Cases
PAP 802.1x EAP-MD5
RADIUS::ServiceType Call check (with PAP or
EAP-MD5)
RADIUS::UserName MAC address Any value (usually the
MAC address)
MAC address
RADIUS::UserPassword MAC address Any value (usually the
MAC address)
MAC address
RADIUS::CallingStationID MAC address MAC address MAC address