Using the MAC Address Authentication Server
This topic describes how to use the MAC address authentication server.
MAC Address Authentication Server Overview
This section describes the Ivanti Policy Secure MAC address authentication solution.
Understanding MAC Address Authentication
MAC address authentication is port-based security typically deployed at the edge of the network to enable secure access for non-user devices, such as IP phones, printers, and network attached storage devices. The Ivanti MAC address authentication solution uses the Ivanti Policy Secure 802.1x framework. When a device connects to a switch, the switch forwards the MAC address as the login credential to the Ivanti Policy Secure RADIUS server. With MAC-based authentication, the MAC address serves as both the username and the password. The RADIUS server consults the authentication server and sends back a RADIUS return attribute based on the authentication result.
BEST PRACTICE: MAC-based authentication is not as secure as agent access or agentless access authentication. MAC addresses are not generally guarded as secrets, so an attacker can spoof a MAC address and impersonate a device to gain network access. To reduce the risk of exploitation, create a special VLAN for each device type.
MAC Address Authentication Server Feature Support
The MAC address authentication server is a local authentication server that supports both a local database of records and integration with LDAP servers. You can add entries manually or by reference to LDAP servers. The address table for each local MAC address authentication server is limited to 500 entries. We recommend that you use LDAP for large-scale deployments.
Interoperability Requirements and Limitations
Integration with an LDAP server requires the LDAP server to be able to communicate with the Ivanti Policy Secure internal interface.
MAC Address Authentication Framework Configuration Overview
The MAC address authentication framework is similar to the user access management framework. It involves configuration of a MAC address authentication server, MAC address realm, and roles.
To implement the MAC address authentication framework:
- If necessary, use the Authentication Protocols Sets page to add the protocols that your Ethernet switches use for MAC authentication to the Ivanti Policy Secure 802.1x protocol set. Select Authentication > Signing In > Authentication Protocols Sets.
HP and Cisco switches can use the CHAP and EAP-MD5-Challenge protocols for MAC address authentication, with the username (the MAC address) also serving as the clear-text password. By default, the Nortel switch uses PAP, with a password in the format .<MAC Address>. We recommend using PAP with the Nortel switch.
- Create LDAP server configurations for the external LDAP servers used to maintain MAC address records.
- Create a MAC address authentication server.
- Create users.
RADIUS return attributes from the dictionaries are pre-populated in the Server Catalog of the MAC authentication server so that they are available as custom attributes for a specific user.
- Create roles for agentless access.
- Create a MAC address authentication realm that uses the MAC address authentication server and role mapping rules that sort MAC address authentication requests into roles according to your security policy design.
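The exchange described in this section (the MAC address sent as both User-Name and User-Password, hidden with the RFC 2865 PAP scheme, answered with a VLAN as a RADIUS return attribute, with the local table capped at the 500 entries stated above), as an added Python example that is not part of this document or of Ivanti Policy Secure. The attribute codes come from RFC 2865/2868; using Tunnel-Private-Group-ID for the VLAN, the shared secret, the MAC addresses and the VLAN name are my assumptions and constructed values.

```python
import hashlib
import secrets
# RFC 2865 / RFC 2868 attribute type codes used below.
USER_NAME, USER_PASSWORD, TUNNEL_PRIVATE_GROUP_ID = 1, 2, 81

def normalize_mac(raw: str) -> str:
    """Switches send aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aabbccddeeff; canonical form is 12 lowercase hex digits."""
    mac = "".join(ch for ch in raw.lower() if ch not in ":-.")
    if len(mac) != 12 or any(ch not in "0123456789abcdef" for ch in mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator  # inverse of pap_hide, run by the RADIUS server; NUL padding is stripped
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def switch_access_request(mac: str, secret: bytes, nortel: bool = False) -> tuple[bytes, dict]:
    """Switch side: User-Name is the MAC and so is User-Password ('.' + MAC in the Nortel PAP format)."""
    authenticator = secrets.token_bytes(16)  # fresh Request Authenticator for every request
    password = ("." + mac if nortel else mac).encode()
    return authenticator, {USER_NAME: mac.encode(), USER_PASSWORD: pap_hide(password, secret, authenticator)}

def add_entry(table: dict, mac: str, vlan: str) -> None:
    """Local MAC address record (MAC -> VLAN); the local server holds at most 500 entries, beyond that use LDAP."""
    if len(table) >= 500:
        raise OverflowError("local MAC address table is full; use an LDAP server instead")
    table[normalize_mac(mac)] = vlan

def server_handle(table: dict, secret: bytes, authenticator: bytes, attrs: dict) -> tuple[str, dict]:
    """Server side: require password == username (the MAC), look it up, return its VLAN as a return attribute."""
    username = attrs[USER_NAME].decode()
    password = pap_reveal(attrs[USER_PASSWORD], secret, authenticator).decode(errors="replace")
    try:
        vlan = table.get(normalize_mac(username)) if password.lstrip(".") == username else None
    except ValueError:  # User-Name is not a MAC address at all
        vlan = None
    if vlan is None:
        return "Access-Reject", {}
    return "Access-Accept", {TUNNEL_PRIVATE_GROUP_ID: vlan.encode()}
```

A mismatched shared secret between switch and server shows up as a reject, because the revealed password no longer equals the MAC in User-Name.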
802.1x Framework Configuration Overview
The MAC address authentication solution uses the Ivanti Policy Secure 802.1x framework.
To implement the 802.1x framework:
- Complete the Location Group configuration.
- Complete the RADIUS Client configuration.
- Complete the RADIUS Return Attributes Policy configuration.
Ethernet Switch MAC Address Authentication Configuration Overview
The MAC address solution depends on the Ethernet switch configuration.
To configure MAC address authentication on the Ethernet switch:
- Configure the switch as an 802.1x authenticator and enable MAC RADIUS protocols.
- Configure RADIUS client communication with the Ivanti Policy Secure RADIUS server.
- Configure Ethernet switching options and VLANs to provision VLANs for non-user devices.
Configuring the EX Series Switch
Non-supplicant devices, such as VoIP phones, connect to the network through an EX Series switch using MAC RADIUS authentication. You configure the following EX Series features to support this solution:
- Configure the switch as an 802.1x authenticator and enable MAC RADIUS protocols.
- Configure RADIUS client communication with the Ivanti Policy Secure RADIUS server.
- Configure Ethernet switching options and VLANs to provision a VLAN for VoIP phones.
The following example shows commands that configure the ge-0/1/0.0 and ge-0/1/1.0 interfaces as 802.1x authenticators, enable MAC RADIUS protocols, and create a reference to the authentication profile used for integration with the Ivanti Policy Secure RADIUS server:
set protocols dot1x authenticator authentication-profile-name pulsesecure-access-profile
set protocols dot1x authenticator interface ge-0/1/0.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/1/0.0 transmit-period 15
set protocols dot1x authenticator interface ge-0/1/0.0 mac-radius
set protocols dot1x authenticator interface ge-0/1/0.0 maximum-requests 2
set protocols dot1x authenticator interface ge-0/1/0.0 server-fail vlan-name enterprise
set protocols dot1x authenticator interface ge-0/1/1.0 supplicant multiple
set protocols dot1x authenticator interface ge-0/1/1.0 quiet-period 5
set protocols dot1x authenticator interface ge-0/1/1.0 transmit-period 15
set protocols dot1x authenticator interface ge-0/1/1.0 mac-radius
set protocols dot1x authenticator interface ge-0/1/1.0 supplicant-timeout 15
set protocols dot1x authenticator interface ge-0/1/1.0 maximum-requests 2
set protocols dot1x authenticator interface ge-0/1/1.0 guest-vlan guest
set protocols dot1x authenticator interface ge-0/1/1.0 server-reject-vlan vlan-name guest
set protocols dot1x authenticator interface ge-0/1/1.0 server-fail vlan-name enterprise
The following example shows commands that configure the access profile for the Ivanti Policy Secure RADIUS server and the RADIUS client connection to it:
set access radius-server 10.0.1.5 port 1812
set access radius-server 10.0.1.5 secret "$9$JLZHmzF/t0I69Icrv7N24aZikmfT3/C"
set access radius-server 10.0.1.5 timeout 5
set access radius-server 10.0.1.5 retry 3
set access profile pulsesecure-access-profile authentication-order radius
set access profile pulsesecure-access-profile radius authentication-server 10.0.1.5
set access profile pulsesecure-access-profile radius accounting-server 10.0.1.5
set access profile pulsesecure-access-profile accounting order radius
The following example shows commands that configure the Ethernet switching options and VLAN used for VoIP phones:
set ethernet-switching-options voip interface ge-0/0/10.0 vlan VoIP_Phone
set ethernet-switching-options voip interface ge-0/0/11.0 vlan VoIP_Phone
set ethernet-switching-options voip interface ge-0/0/8.0 vlan VoIP_Phone
set ethernet-switching-options voip interface ge-0/0/9.0 vlan VoIP_Phone
set ethernet-switching-options voip interface ge-0/0/6.0 vlan VoIP_Phone
set ethernet-switching-options voip interface ge-0/0/7.0 vlan VoIP_Phone
set ethernet-switching-options voip interface ge-0/0/4.0 vlan VoIP_Phone
set ethernet-switching-options voip interface ge-0/0/5.0 vlan VoIP_Phone
set ethernet-switching-options voip interface ge-0/1/0.0 vlan VoIP_Phone
set ethernet-switching-options voip interface ge-0/1/1.0 vlan VoIP_Phone
set vlans VoIP_Phone description "VoIP Phones"
set vlans VoIP_Phone vlan-id 5
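An added Python review script (not part of this document or of Junos) over the set commands shown above: it parses the dot1x, voip and vlans stanzas and reports, for each MAC RADIUS port, which VLAN a device lands on when the RADIUS server rejects it, which one it gets when the server is unreachable, and which VoIP VLAN it may use. The excerpt is constructed from commands on this page (guest's vlan-id 3 is taken from the configuration hierarchy listing); 'set vlans enterprise' is left out, as in the set-command examples above, so the report shows how an unresolved fallback VLAN surfaces.

```python
from collections import defaultdict

# Constructed excerpt of the 'set' commands on this page (dot1x, voip and vlans stanzas only). 'set vlans enterprise'
# is deliberately absent so that an unresolved fallback VLAN name is visible in the report.
SWITCH_CONFIG = """\
set protocols dot1x authenticator interface ge-0/1/0.0 mac-radius
set protocols dot1x authenticator interface ge-0/1/0.0 server-fail vlan-name enterprise
set protocols dot1x authenticator interface ge-0/1/1.0 mac-radius
set protocols dot1x authenticator interface ge-0/1/1.0 guest-vlan guest
set protocols dot1x authenticator interface ge-0/1/1.0 server-reject-vlan vlan-name guest
set protocols dot1x authenticator interface ge-0/1/1.0 server-fail vlan-name enterprise
set protocols dot1x authenticator interface ge-0/0/4.0 supplicant multiple
set ethernet-switching-options voip interface ge-0/1/0.0 vlan VoIP_Phone
set ethernet-switching-options voip interface ge-0/1/1.0 vlan VoIP_Phone
set vlans VoIP_Phone vlan-id 5
set vlans guest vlan-id 3
"""
DOT1X = ["set", "protocols", "dot1x", "authenticator", "interface"]
VOIP = ["set", "ethernet-switching-options", "voip", "interface"]

def parse_set_commands(text: str) -> dict:
    """Collect per-port dot1x settings, the VoIP VLAN mapping and the VLAN name -> id table."""
    ports, voip, vlans = defaultdict(dict), {}, {}
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[:5] == DOT1X:
            setting = words[6:]  # a bare keyword ('mac-radius') is a flag; anything else ends in its value
            ports[words[5]][setting[0]] = True if len(setting) == 1 else setting[-1]
        elif words[:4] == VOIP:
            voip[words[4]] = words[6]
        elif words[:2] == ["set", "vlans"] and len(words) == 5 and words[3] == "vlan-id":
            vlans[words[2]] = int(words[4])
    return {"ports": dict(ports), "voip": voip, "vlans": vlans}

def mac_radius_outcomes(cfg: dict) -> dict:
    """Per MAC RADIUS port: the VLAN id a device lands on when RADIUS rejects it, the one used when the RADIUS
    server is unreachable, and the VoIP VLAN it may use. A name with no 'set vlans' entry resolves to 'UNDEFINED'."""
    def resolve(name):
        return None if name is None else cfg["vlans"].get(name, "UNDEFINED")
    report = {}
    for port, s in cfg["ports"].items():
        if s.get("mac-radius") is not True:
            continue  # ports without mac-radius are not part of the MAC authentication solution
        report[port] = {"on_reject": resolve(s.get("server-reject-vlan")),
                        "on_server_fail": resolve(s.get("server-fail")),
                        "voip_vlan": resolve(cfg["voip"].get(port))}
    return report
```

Run it against the full `show configuration | display set` output of the switch to check every MAC RADIUS port, not just the two shown here.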
The following example shows the complete configuration hierarchy for the Ethernet switch configuration:
system {
    host-name Demo_EX;
    root-authentication {
        encrypted-password "$1$OOuTCh1K$/Z6JTJ/I9BnjTsKAoefLS."; ## SECRET-DATA
    }
    login {
        user admin {
            full-name Administrator;
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$RKLp.iDP$m//eueOcF.rExsnQXuZNb/"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
    }
}
chassis {
    alarm {
        management-ethernet {
            link-down ignore;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ enterprise guest remediation VoIP_Phone ];
                }
                native-vlan-id default;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ enterprise guest remediation VoIP_Phone ];
                }
                native-vlan-id default;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ enterprise guest remediation VoIP_Phone ];
                }
                native-vlan-id default;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ enterprise guest remediation VoIP_Phone ];
                }
                native-vlan-id default;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/1/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    ge-0/1/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 10.0.1.10/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.0.1.1;
    }
}
protocols {
    dot1x {
        authenticator {
            authentication-profile-name pulsesecure-access-profile;
            interface {
                ge-0/1/0.0 {
                    supplicant multiple;
                    transmit-period 15;
                    mac-radius;
                    maximum-requests 2;
                    server-fail vlan-name enterprise;
                }
                ge-0/1/1.0 {
                    supplicant multiple;
                    quiet-period 5;
                    transmit-period 15;
                    mac-radius;
                    supplicant-timeout 15;
                    maximum-requests 2;
                    guest-vlan guest;
                    server-reject-vlan guest;
                    server-fail vlan-name enterprise;
                }
            }
        }
    }
}
access {
    radius-server {
        10.0.1.5 {
            port 1812;
            secret "$9$JLZHmzF/t0I69Icrv7N24aZikmfT3/C"; ## SECRET-DATA
            timeout 5;
            retry 3;
        }
    }
    profile pulsesecure-access-profile {
        authentication-order radius;
        radius {
            authentication-server 10.0.1.5;
            accounting-server 10.0.1.5;
        }
        accounting {
            order radius;
        }
    }
}
ethernet-switching-options {
    voip {
        interface ge-0/0/10.0 {
            vlan VoIP_Phone;
        }
        interface ge-0/0/11.0 {
            vlan VoIP_Phone;
        }
        interface ge-0/0/8.0 {
            vlan VoIP_Phone;
        }
        interface ge-0/0/9.0 {
            vlan VoIP_Phone;
        }
        interface ge-0/0/6.0 {
            vlan VoIP_Phone;
        }
        interface ge-0/0/7.0 {
            vlan VoIP_Phone;
        }
        interface ge-0/0/4.0 {
            vlan VoIP_Phone;
        }
        interface ge-0/0/5.0 {
            vlan VoIP_Phone;
        }
        interface ge-0/1/0.0 {
            vlan VoIP_Phone;
        }
        interface ge-0/1/1.0 {
            vlan VoIP_Phone;
        }
    }
}
vlans {
    VoIP_Phone {
        vlan-id 5;
    }
    default {
        vlan-id 1;
        interface {
            ge-0/0/4.0;
            ge-0/0/5.0;
        }
        l3-interface vlan.0;
    }
    enterprise {
        vlan-id 2;
        interface {
            inactive: ge-0/0/5.0;
            ge-0/0/6.0;
            ge-0/0/7.0;
            ge-0/1/0.0;
            ge-0/1/1.0;
        }
    }
    guest {
        vlan-id 3;
        interface {
            ge-0/0/8.0;
            ge-0/0/9.0;
        }
    }
    remediation {
        vlan-id 4;
        interface {
            ge-0/0/10.0;
            ge-0/0/11.0;
        }
    }
}
poe {
    interface all;
}
In addition to the MAC authentication configuration shown above, you can configure the switch to send SNMP traps to the Beacon Endpoint Profiler for use in profiling. The following example commands configure SNMP traps to the Beacon Endpoint Profiler, which can use the traps to build profile entries:
set snmp description EX4200-VOIP-Switch
set snmp contact [email protected]
set snmp view jweb-view-all oid .1 include
set snmp community public view jweb-view-all
set snmp community public authorization read-only
set snmp community public clients <BeaconEndpointProfilerIPaddressOrSubnet>
set snmp trap-group Beacon version v2
set snmp trap-group Beacon categories link
set snmp trap-group Beacon targets <BeaconEndpointProfilerIPaddress>
To verify that the Beacon Endpoint Profiler can read the EX Series MIB, run the following command from the Beacon Endpoint Profiler command line:
snmpwalk -v 2c -c public <EXseriesIPaddress>