Chapter 4 Common Scenarios Using ACS

Agentless Network Access

Cisco provides two features to accommodate non-802.1x devices: MAC Authentication Bypass (Host Lookup), and Guest VLAN access by using web authentication.

ACS 5.3 supports the Host Lookup fallback mechanism when there is no 802.1x supplicant. After 802.1x times out on a port, the port can move to an open state if Host Lookup is configured and succeeds.

Related Topics

Host Lookup, page 4-13

Agentless Network Access Flow, page 4-16

Host Lookup

ACS uses Host Lookup as the validation method when an identity cannot be authenticated according to credentials (for example, password or certificate), and ACS needs to validate the identity by doing a lookup in the identity stores.

An example of host lookup is a network device that is configured to request MAC Authentication Bypass (MAB). This can happen after 802.1x times out on a port, or if the port is explicitly configured to perform authentication bypass. When MAB is implemented, the host connects to the network access device.

The device detects the absence of the appropriate software agent on the host and determines that it must identify the host by its MAC address. The device sends a RADIUS request with service-type=10 and the MAC address of the host to ACS in the calling-station-id attribute.

Some devices might be configured to implement the MAB request by sending PAP or EAP-MD5 authentication with the MAC address of the host in the user name, user password, and CallingStationID attributes, but without the service-type=10 attribute.

While most host lookup use cases are to obtain a MAC address, there are other scenarios where a device requests validation of a different parameter, and the calling-station-id attribute contains that value instead of the MAC address (for example, an IP address in Layer 3 use cases).

Table 4-2 describes the RADIUS parameters required for host lookup use cases.

Table 4-2 RADIUS Attributes for Host Lookup Use Cases

                                                   Use Cases
Attribute                  PAP           802.1x                                EAP-MD5
RADIUS::ServiceType        Call check (with PAP or EAP-MD5)
RADIUS::UserName           MAC address   Any value (usually the MAC address)   MAC address
RADIUS::UserPassword       MAC address   Any value (usually the MAC address)   MAC address
RADIUS::CallingStationID   MAC address   MAC address                           MAC address
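The attribute combinations in Table 4-2 are what a RADIUS server must inspect before it can decide that an Access-Request is a host lookup rather than an ordinary credential authentication. The following Python is an added example and is not code from this guide or from the Cisco ACS product: it builds and parses minimal RADIUS Access-Request packets, applies the User-Password hiding from RFC 2865 (section 5.2) so that the PAP form can be checked, and classifies a request into the three forms the text describes (explicit service-type=10, or PAP or EAP-MD5 with the MAC address repeated in User-Name and CallingStationID). The shared secret, MAC addresses and attribute contents are constructed sample values, and all function and variable names are the example's own, not ACS identifiers.

```python
import hashlib
import os
import re
import struct

# RADIUS attribute type codes (RFC 2865) and the Service-Type value the guide calls service-type=10
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_SERVICE_TYPE = 6
ATTR_CALLING_STATION_ID = 31
ATTR_EAP_MESSAGE = 79
SERVICE_TYPE_CALL_CHECK = 10
CODE_ACCESS_REQUEST = 1


def hide_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR the zero-padded password with an MD5 keystream chained per 16-byte block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def unhide_user_password(hidden, secret, authenticator):
    """Reverse of hide_user_password; only a server holding the shared secret can recover the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(attrs, secret, ident=1):
    """Serialize an Access-Request from (type, value) pairs; User-Password is hidden on the way in."""
    authenticator = os.urandom(16)  # Request Authenticator, random per RFC 2865
    avps = b""
    for attr_type, value in attrs:
        if attr_type == ATTR_USER_PASSWORD:
            value = hide_user_password(value, secret, authenticator)
        avps += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(avps)) + authenticator + avps


def parse_packet(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject truncated or overlong AVPs."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    authenticator, attrs, i = packet[4:20], [], 20
    while i < length:
        attr_type, attr_len = struct.unpack("!BB", packet[i:i + 2])
        if attr_len < 2 or i + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((attr_type, packet[i + 2:i + attr_len]))
        i += attr_len
    return code, ident, authenticator, attrs


def normalize_mac(value):
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455; return 12 lowercase hex digits or None."""
    text = re.sub(r"[-:.]", "", value.decode("ascii", "replace"))
    return text.lower() if re.fullmatch(r"[0-9a-fA-F]{12}", text) else None


def classify_host_lookup(packet, secret):
    """Apply Table 4-2: return (form, identity) where form is 'call-check', 'pap', 'eap-md5' or None."""
    _, _, authenticator, attrs = parse_packet(packet)
    a = dict(attrs)  # the last copy of a repeated attribute wins; enough for this decision
    raw_calling = a[ATTR_CALLING_STATION_ID].decode("ascii", "replace") if ATTR_CALLING_STATION_ID in a else None
    calling = normalize_mac(a[ATTR_CALLING_STATION_ID]) if ATTR_CALLING_STATION_ID in a else None
    service = a.get(ATTR_SERVICE_TYPE)
    # Form 1: explicit Service-Type=10 (Call Check). The identity is whatever Calling-Station-Id carries,
    # which is usually a MAC address but may be something else (for example an IP address in Layer 3 cases).
    if service is not None and len(service) == 4 and struct.unpack("!I", service)[0] == SERVICE_TYPE_CALL_CHECK:
        return "call-check", calling or raw_calling
    # Forms 2 and 3: no Call Check, but PAP or EAP-MD5 with the MAC repeated in User-Name and Calling-Station-Id.
    user = normalize_mac(a[ATTR_USER_NAME]) if ATTR_USER_NAME in a else None
    if user is None or user != calling:
        return None, None  # ordinary credential authentication, not a host lookup
    if ATTR_EAP_MESSAGE in a:
        return "eap-md5", user  # the MD5-Challenge itself is verified by the EAP state machine, not here
    if ATTR_USER_PASSWORD in a:
        password = unhide_user_password(a[ATTR_USER_PASSWORD], secret, authenticator)
        if normalize_mac(password) == user:
            return "pap", user
    return None, None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    mab = build_access_request([(ATTR_USER_NAME, b"0011.2233.4455"), (ATTR_USER_PASSWORD, b"0011.2233.4455"),
                                (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")], secret)
    print(classify_host_lookup(mab, secret))  # ('pap', '001122334455')
```

The classification is only the step that precedes the identity-store lookup: once a request is recognized as a host lookup, the returned identity is what would be searched for in the internal hosts store or the external LDAP store, and a request that falls through to `(None, None)` should be handled as a normal password or certificate authentication. The 802.1x column of Table 4-2 is deliberately not modeled, because a supplicant-driven 802.1x exchange is not a host lookup.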

ACS supports host lookup for the following identity stores:

Internal hosts

External LDAP

User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
4-13