Anyone here played with Cisco ACS

oddyager (Diamond Member, joined May 21, 2005)

and tied in MAC address authentication? I'm thinking about doing authentication from the switch port based on approved MAC addresses (from the ACS server). I can get this to work fine, but it requires a lot of maintenance. I have to manually add or remove MAC addresses when needed, and I was hoping ACS could point to some database which I could set up to update addresses dynamically (I already have a system that collects each machine's MAC daily). This can be done for user authentication, but I don't see an option for MAC addresses. I'm assuming there has to be a way, if this is applied to networks with hundreds to thousands of machines?

Anyone deployed something similar to this? I'm curious how you folks handled the backend and maintenance of it.

Thanks!

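The backend oddyager is asking about (a daily MAC inventory driving which machines a switch port will authenticate) can be scripted against a plain RADIUS users file. The block below is an added example for this thread, not code from the original posts and not anything Cisco ACS ships. It assumes: the switch ports use Cisco MAC Authentication Bypass with its default credential format (the MAC sent as both RADIUS User-Name and User-Password, 12 lowercase hex digits, no separators); the inventory is plain text with one `hostname,mac` line per machine; FreeRADIUS `users` file syntax stands in for whatever import the real AAA server offers; the approved VLAN is 10. The function names, the sample inventories and the hostnames are all constructed for illustration.

```python
"""Daily MAC-inventory sync for MAC-based port authentication (added example).

Assumptions (not stated in the thread):
- Switch ports use Cisco MAC Authentication Bypass, which sends the MAC as both
  RADIUS User-Name and User-Password as 12 lowercase hex digits, no separators.
- The inventory is plain text, one 'hostname,mac' per line, MACs in any common
  notation (aa:bb:cc, aa-bb-cc, aabb.ccdd).
- Output uses FreeRADIUS 'users' file syntax as a stand-in backend; the same
  normalized list could feed whatever import the real AAA server offers.
"""
import re
from typing import Dict, Set, Tuple

# Canonical MAB credential: exactly 12 lowercase hex digits.
_MAB_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Strip any separator style down to MAB form; reject anything that is not a MAC."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _MAB_RE.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def parse_inventory(text: str) -> Dict[str, str]:
    """Parse 'hostname,mac' lines into {mac: hostname}.

    Blank lines and '#' comments are skipped. A MAC that appears under two
    different hostnames is an inventory error and is rejected rather than
    silently authorised.
    """
    inv: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'hostname,mac'")
        host, mac = fields[0], normalize_mac(fields[1])
        if inv.get(mac, host) != host:
            raise ValueError(f"line {lineno}: {mac} listed for both {inv[mac]} and {host}")
        inv[mac] = host
    return inv


def diff_inventories(old: Dict[str, str], new: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Return (MACs to authorise, MACs to revoke) between two daily runs."""
    return set(new) - set(old), set(old) - set(new)


def radius_users_entries(inv: Dict[str, str], vlan_id: int) -> str:
    """Render one FreeRADIUS-style 'users' entry per approved MAC.

    Each MAC authenticates with itself and is placed in vlan_id via the
    RFC 3580 tunnel attributes. A MAC that is not listed gets Access-Reject,
    and the switch port's own config decides where a rejected host lands.
    """
    entries = []
    for mac in sorted(inv):
        entries.append(
            f"# {inv[mac]}\n"
            f'{mac}\tCleartext-Password := "{mac}"\n'
            "\tTunnel-Type = VLAN,\n"
            "\tTunnel-Medium-Type = IEEE-802,\n"
            f'\tTunnel-Private-Group-Id = "{vlan_id}"\n'
        )
    return "\n".join(entries)


def sync_report(yesterday: str, today: str, vlan_id: int) -> dict:
    """One day's run: what to add, what to revoke, and the full current ruleset."""
    old, new = parse_inventory(yesterday), parse_inventory(today)
    added, removed = diff_inventories(old, new)
    return {"added": sorted(added), "removed": sorted(removed),
            "users": radius_users_entries(new, vlan_id)}


# Constructed sample inventories (not real data).
YESTERDAY = """\
# hostname,mac
lab-pc-01,00:11:22:33:44:55
lab-pc-02,00-11-22-33-44-66
printer-3f,0011.2233.4477
"""
TODAY = """\
lab-pc-01,00:11:22:33:44:55
lab-pc-02,00-11-22-33-44-66
new-laptop,00:11:22:33:44:88
"""

if __name__ == "__main__":
    report = sync_report(YESTERDAY, TODAY, vlan_id=10)
    print("authorise:", report["added"])
    print("revoke:   ", report["removed"])
    print(report["users"])
```

Run it once a day against yesterday's and today's inventory: the `added` and `removed` lists are what an operator would otherwise key in by hand, and the regenerated `users` text is the full current ruleset. Anything not in the list gets Access-Reject, and the switch port's own 802.1X/MAB configuration decides whether a rejected host is dropped into the restricted VLAN oddyager describes. Two things to keep in mind: the normalisation step matters, because a MAC stored as `00:11:22:33:44:55` will never match the `001122334455` the switch sends; and MAB only proves that a host claims a MAC, which any laptop can clone, so it is a convenience control for managed machines rather than a substitute for the user or account authentication the replies below recommend.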
nweaver (Diamond Member, joined Jan 21, 2001)

I would use user auth instead of MAC... I use ACS, but never do the MAC stuff, and most of my ACS is wireless oriented.

spyordie007 (Diamond Member, joined May 28, 2001)

I agree, doing it by MAC is a lot of work to maintain. However, if you do it by user (or more specifically account) authentication, you can tie it into something else and keep your time spent configuring ACS minimal.

spidey07 (No Lifer, joined Aug 4, 2000)

Isn't this what VMPS is for? I think that is outdated though.

I know you can do an easy-to-administer MAC address authentication (ACS isn't the right tool); I just haven't had a need for it in a long time because everything is 802.1X now.

oddyager (Diamond Member, joined May 21, 2005)

Yes, it's part of the dot1x rollout. I want to be able to restrict which machines are allowed to get on our VLAN, and then any machine that isn't recognized I drop onto another VLAN that only has internet access. Basically we have a lot of clients that bring in their laptops, and I don't want them to be able to plug in anywhere and get on a VLAN I don't want them to be in.

Cooky (Golden Member, joined Apr 2, 2002)

Clean Access can do what you just described, but you're looking at some serious money and time... not even Cisco is well prepared to support it.
Every time we have a problem w/ CCA, we have to keep calling to re-queue our service requests.

spidey07 (No Lifer, joined Aug 4, 2000)

Originally posted by: Cooky
Clean Access can do what you just described, but you're looking at some serious money and time... not even Cisco is well prepared to support it.
Every time we have a problem w/ CCA, we have to keep calling to re-queue our service requests.

Off topic...

They aren't delivering what they promised with NAC, and I hate Clean Access. It doesn't scale for the normal 3-tier layer 3 architecture.

Others out there are doing it much better. Foundry/Enterasys, to name a few.

nweaver (Diamond Member, joined Jan 21, 2001)

NAC is getting better, I promise. Most of the problem is the vendors not supporting it. NAC v2 has just fired up (Cisco cert for partners) and adds stuff. Plus the new ACS version (4.x) helps too, and adds NAC to wireless.

spidey07 (No Lifer, joined Aug 4, 2000)

nweaver,

You know me, I love them. But I've been beating them up over this for quite a few years now.

I agree with you, "it's getting better."

But they made a crucial promise at a crucial time and didn't deliver. It will be interesting to see how it plays out. Frankly I think other network companies offer more. But then you weigh that against the operational aspects of Cisco?

Well, we're not talking about technological advantages, but operational ones.

oddyager (Diamond Member, joined May 21, 2005)

Oh nuts. Then there is no way to tie ACS into some database for MAC addresses. I think I pursued NAC about a year ago but gave it up due to costs. This idea using dot1x seemed like a much cheaper and easier alternative, but I guess it comes with a price in that it's not very manageable on huge networks.