Cisco NAC Appliance 4.9.5 Technical Manual

NAC: LDAP Integration with ACS 5.x and Later
Configuration Example
Document ID: 113566
Contents
Introduction
 Prerequisites
      Requirements
      Components Used
      Conventions
 Background Information
 Configuration
      Flowchart Diagram
      Beacon Endpoint Profiler System Configuration for MAB
      ACS Configuration for MAB and Utilization of Beacon as an External User Database
      Create an Authorization Profile
      Create an LDAP Database Connection
      Configure Access Services
      Switch Configuration for MAC Authentication Bypass
 Verify
 Related Information
Introduction
This document provides a sample configuration for Beacon and Cisco Secure Access Control System (ACS) 5.x and later that enables Cisco devices configured for MAC Authentication Bypass (MAB) to effectively and efficiently authenticate non-802.1X-capable devices in the authenticated network.
Cisco has implemented a feature called MAB on its switches, together with the requisite support in ACS, in order to accommodate endpoints in 802.1X-enabled networks that cannot authenticate through 802.1X. This functionality ensures that endpoints attempting to connect to the 802.1X-enabled network that are not equipped with 802.1X functionality (for example, because they do not have a functional 802.1X supplicant) can be authenticated before admission and can have a basic network usage policy enforced throughout their connection.
MAB enables the network to be configured to admit identified devices using their MAC address as the primary credential when the device fails to participate in the 802.1X protocol. In order for MAB to be deployed and utilized effectively, the environment must have a means to identify the devices that are not capable of 802.1X authentication, and to maintain an up-to-date database of these devices over time as moves, adds, and changes occur. This list needs to be populated and maintained in the authentication server (ACS) manually, or through some alternative means, in order to ensure that the set of devices that authenticate by MAC address is complete and valid at any point in time.
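The MAB decision described above, modelled in Python as an added example (this is not code from the Cisco document, from ACS, or from Beacon). It takes the MAC address the switch presents as the user name, canonicalizes the formats switches commonly send, builds an RFC 4515-escaped directory search filter (the attribute name macAddress is an assumption, as is the whole in-memory endpoint database, which is constructed sample data standing in for the external directory), and returns accept or reject. The retired-device entry shows why the database must be kept current: a MAC that was once valid is refused once the directory marks it invalid.

```python
import re

# Constructed sample endpoint database standing in for the external directory
# that ACS queries. Not real data; the attribute layout is an assumption.
KNOWN_ENDPOINTS = {
    "00:11:22:33:44:55": {"profile": "IP-Phone", "vlan": 20, "valid": True},
    "aa:bb:cc:dd:ee:ff": {"profile": "Printer", "vlan": 30, "valid": True},
    # A device that has been removed from the network: still present in the
    # directory, but flagged invalid so MAB no longer admits it.
    "de:ad:be:ef:00:01": {"profile": "Retired-Device", "vlan": 30, "valid": False},
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalize the MAC formats a switch may place in User-Name
    (aabb.ccdd.eeff, AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff, aabbccddeeff)
    to lower-case colon-separated form. Returns None for anything that is
    not exactly 48 bits of hex, so garbage never reaches the directory."""
    digits = re.sub(r"[.:\-]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ldap_escape(value):
    """RFC 4515 escaping for an assertion value embedded in a search filter,
    so a crafted user name cannot change the meaning of the query."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(mac, attr="macAddress"):
    """Directory filter for the MAB lookup. 'macAddress' is an assumed
    attribute name; the real schema depends on the directory in use."""
    return "(%s=%s)" % (attr, ldap_escape(mac))


def mab_decision(user_name, directory=KNOWN_ENDPOINTS):
    """Decide whether a MAB request for user_name should be admitted.
    Returns a dict with 'result' (accept/reject), a 'reason', the filter
    that would be sent to the directory, and the authorization data."""
    mac = normalize_mac(user_name)
    if mac is None:
        return {"result": "reject", "reason": "user name is not a MAC address",
                "filter": None}
    filt = build_filter(mac)
    entry = directory.get(mac)
    if entry is None:
        return {"result": "reject", "reason": "endpoint not in directory",
                "filter": filt}
    if not entry["valid"]:
        return {"result": "reject", "reason": "endpoint no longer valid",
                "filter": filt}
    return {"result": "accept", "reason": "known endpoint", "filter": filt,
            "profile": entry["profile"], "vlan": entry["vlan"]}


if __name__ == "__main__":
    # Constructed sample user names, as a switch might send them.
    for name in ["0011.2233.4455", "AA-BB-CC-DD-EE-FF", "de:ad:be:ef:00:01",
                 "12:34:56:78:9a:bc", "*"]:
        print(name, "->", mab_decision(name))
```

The accept branch is where an authorization profile (VLAN, ACL) would be applied; the three reject branches are distinct on purpose, because "unknown MAC" and "known but retired MAC" should be logged differently when auditing a MAB deployment.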
The Beacon Endpoint Profiler can automate the identification of non-authenticating endpoints (those without 802.1X supplicants) and the maintenance of the validity of these endpoints in networks of varying scale, based on its Endpoint Profiling and Behavior Monitoring functionality. Through a standard LDAP interface, the Beacon system can serve as an external database or directory of the endpoints to be authenticated through MAB. When a MAB request is received from the edge infrastructure, ACS can query the Beacon system in order to determine whether or not a given endpoint should be admitted to the network, based on the most current information about the endpoint known by Beacon. This prevents the need