4-13
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 4 Common Scenarios Using ACS
Agentless Network Access
Cisco provides two features to accommodate non-802.1x devices: MAC Authentication Bypass (Host
Lookup), and Guest VLAN access by using web authentication.
ACS 5.3 supports the Host Lookup fallback mechanism when there is no 802.1x supplicant. After 802.1x
times out on a port, the port can move to an open state if Host Lookup is configured and succeeds.
Related Topics
Host Lookup, page 4-13
Agentless Network Access Flow, page 4-16
Host Lookup
ACS uses Host Lookup as the validation method when an identity cannot be authenticated according to
credentials (for example, password or certificate), and ACS needs to validate the identity by doing a
lookup in the identity stores.
An example of using host lookup is when a network device is configured to request MAC
Authentication Bypass (MAB). This can happen after 802.1x times out on a port, or if the port is
explicitly configured to perform authentication bypass. When MAB is implemented, the host connects
to the network access device.
The device detects the absence of the appropriate software agent on the host and determines that it must
identify the host according to its MAC address. The device sends a RADIUS request with
service-type=10 and the MAC address of the host to ACS in the calling-station-id attribute.
Some devices might be configured to implement the MAB request by sending PAP or EAP-MD5
authentication with the MAC address of the host in the user name, user password, and CallingStationID
attributes, but without the service-type=10 attribute.
While most use cases for host lookup are to obtain a MAC address, there are other scenarios where a
device requests to validate a different parameter, and the calling-station-id attribute contains this value
instead of the MAC address (for example, an IP address in Layer 3 use cases).
Table 4-2 describes the RADIUS parameters required for host lookup use cases.
ACS supports host lookup for the following identity stores:
Internal hosts
External LDAP
Table 4-2 RADIUS Attributes for Host Lookup Use Cases

Attribute                 Use Cases
                          PAP                  802.1x                               EAP-MD5
RADIUS::ServiceType       Call check (with PAP or EAP-MD5)
RADIUS::UserName          MAC address          Any value (usually the MAC address)  MAC address
RADIUS::UserPassword      MAC address          Any value (usually the MAC address)  MAC address
RADIUS::CallingStationID  MAC address          MAC address                          MAC address
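The following Python is an added illustration, not ACS code: it shows how a RADIUS server could recognise the Host Lookup request shapes described above and in Table 4-2 (Service-Type Call Check with the key in Calling-Station-Id, or PAP/EAP-MD5 with the MAC as user name) and derive the key to look up in the identity store, including the Layer 3 case where Calling-Station-Id is not a MAC. The attribute names, accepted MAC formats and sample requests are assumptions and constructed data.

```python
import re

CALL_CHECK = 10  # RADIUS Service-Type "Call Check": what a NAD sends for MAB (page: service-type=10)

# Accept the MAC formats NADs commonly emit: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, aabbccddeeff
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
                     r"|[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}|[0-9a-f]{12})$", re.I)

def normalize_mac(value):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if the value is not a MAC address."""
    if not isinstance(value, str) or not _MAC_RE.match(value):
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify_host_lookup(attrs):
    """Decide whether an Access-Request (dict: RADIUS attribute name -> value) is a
    Host Lookup request and which key to look up in the identity store.
    Returns (case, key) with case one of 'call-check', 'pap', 'eap-md5' or None."""
    csid_raw = attrs.get("Calling-Station-Id")
    csid = normalize_mac(csid_raw)
    if attrs.get("Service-Type") == CALL_CHECK:
        # Explicit MAB: the key is in Calling-Station-Id. In Layer 3 use cases it is
        # not a MAC (e.g. an IP address), so the raw value is the lookup key.
        return ("call-check", csid or csid_raw)
    user = normalize_mac(attrs.get("User-Name"))
    if user is None or csid != user:
        # A real user login, or a MAC-shaped user name that does not match the
        # port's Calling-Station-Id: do not treat it as a host lookup.
        return (None, None)
    if "EAP-Message" in attrs:
        return ("eap-md5", user)  # MAC as user name; the MD5 challenge carries the password
    if normalize_mac(attrs.get("User-Password")) == user:
        return ("pap", user)      # MAC as user name and password (Table 4-2, PAP column)
    return (None, None)

# Constructed sample requests (not captured traffic), one per case discussed in the text.
SAMPLES = {
    "mab_call_check": {"Service-Type": CALL_CHECK, "Calling-Station-Id": "00-11-22-AA-BB-CC"},
    "mab_pap": {"User-Name": "001122aabbcc", "User-Password": "001122aabbcc",
                "Calling-Station-Id": "0011.22aa.bbcc"},
    "mab_eap_md5": {"User-Name": "00:11:22:AA:BB:CC", "EAP-Message": b"\x02",  # placeholder EAP payload
                    "Calling-Station-Id": "00:11:22:aa:bb:cc"},
    "layer3": {"Service-Type": CALL_CHECK, "Calling-Station-Id": "192.0.2.10"},
    "mismatch": {"User-Name": "00:11:22:aa:bb:cc", "User-Password": "00:11:22:aa:bb:cc",
                 "Calling-Station-Id": "66:55:44:33:22:11"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, classify_host_lookup(req))
```

The "mismatch" sample is the case a defender wants surfaced: a MAC-shaped user name that disagrees with the port's Calling-Station-Id is not treated as a host lookup.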