View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0091 - ACS 5.4 Wired and Wireless MAC Authentication Bypass (MAB) (Part 2)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
The video shows you how to configure MAC Authentication Bypass (MAB) for both wired an wireless on Cisco ACS 5.4. This is to allow non-802.1x device such as IP phone and printer to access an 802.1x-enable network by authenticating the devices based on their MAC addresses. We will configure a Cisco switch and WLC to support MAB, and use Cisco Access Point and a Windows 7 computer to test wired and wireless MAB respectively.
Part 2 of the video shows switch and WLC related configuration, and authentication testing.
  • ACS MAC Authentication Bypass
  • Identity Group and Internal Host
  • Policy Element
    • Authorization Profile
  • Service Selection Rule
  • Access Services
    • Authentication Policy
    • Authorization Policy
    • RADIUS Attributes
  • Switch and WLC 802.1X Configuration

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


Can you show us example on how can i combine MAC+AD authentication through ACS? I wanted to have my wireless client use both MAC and AD credentials for the authentication. Can we use two identity store for the authentication?


In addition to PEAP authentication, please create the MAC address as a host and add it to an Identity Group. Then create a Condition to check for the Identity group under Authorization policy. Check out this video for more detail.

Thank you for the feedback. I just tested the way you described. For some reason my Authorization policy is failing me when I combine the PEAP with identity group. when I go without identity group I am successful. Any thoughts?

Condition is this: AD1:External group: xxxxx
Identity groups: RDSUers (I have my iphone mac address in this User identity group)

I tried with compound condition: radius service type call check and nas port type 802.11 (with or without no success)

Any feedback would be appreciated.

This is the error message:

username 88-53-95-69-3b-06 R_D Users PEAP (EAP-MSCHAPv2) xxxxx x.x.x.x x-x-x 15039 Selected Authorization Profile is DenyAccess

do you have an email address where I can send my snapshot for you to look.

Finally I have a success. I have to create a end station filters and use it in the authorization policy for it to work. Thanks for the help though. How can I edit my comments after submission?

I must have thought of ISE on my first reply :-) . Adding device MAC to an Identity group and use the group in the authorization condition only work with MAB since the MAC comes in as the username. Since what you are using is 802.1X, the actual username comes in and being matched to the identity group and that's why it wouldn't match the rule you created.
Using Endpoint filter as you described is certainly a proper way to limit access based on "callin-id". Glad to hear that things are working and thank you for sharing your solution. 
PS. You can try to edit your comment to see if it works now.

Thank you so much...this website is awesome!!!

I also want to implement AD+Mac authentication as I want to do the same sorry I am confused with End station filter :
What was added as a end station filter ip or mac address or cliDNIS.
Please help with feedback.

Lab Minutes Classifieds