topic MAB Configuration Issue in Network Access Control

MAB Configuration Issue

Imran Ahmad — Mon, 11 Mar 2019 02:42:10 GMT

with acs 4.2 installed in my network, PEAP, EAP-TLS, md5... authentications work normally. But Mac-Based-Authentication doesnt work at all. i tested every thing but no luck .

This is what i have setup on Swith for MAB:

aaa new-model

aaa authentication login default none

aaa authentication dot1x default group radius

radius-server host 192.168.2.16 auth-port 1645 acct-port 1646 key cisco

dot1x system-auth-control

interface FastEthernet0/1

switchport mode access

dot1x pae authenticator

dot1x port-control auto

dot1x mac-auth-bypass

On ACS server, i created Netword-Profile for MAB, i added those Agentless hosts mac-adds, Even i created User-Name&password by those Agentless hosts mac-adds on acs, ..... still nothing seems to be working. i have selected ACS_Internal-Database for mac authentication.

On ACS while i check the Failed-attempt log, nothing is logged there. i dont know where is the issue.

Please tell me where im wrong on my config?

MAB Configuration Issue

Imran Ahmad — Tue, 23 Oct 2012 07:56:42 GMT

After long investigation, i found that Agentless hosts are authenticated but after 10-minutes. i mean it takes arround 10-minutes to authenticate agentless hosts . any expert knows where is the issue ????

But with other authentication methods like peap, eap-tls my acs works/authenticates very fast.

any idea, why it is taking 10-minutes to auth ?

MAB Configuration Issue

Inayat Bunglawala — Tue, 23 Oct 2012 19:16:38 GMT

Hi Imran. I am doing some reading/research in preparation for implementing 802.1X/ISE on our network. I think the reason you are seeing a delay is that by default your settings are looking for dot1x authentication first and only if the ACS receives no response to the EAP requests will MAB kick in. So, I think you need to adjust your EAP authentication times and/or change the authentication order so that it checks MAB first then dot1x.

MAB Configuration Issue

Imran Ahmad — Wed, 24 Oct 2012 11:44:53 GMT

Hello Inayat,

Yes you were right. i changed the auth-timeouts, and it is authenticating MAB-clients very fast.

Thank you for your support

I need a user-guide on how to Setup Authentication for Wireless users, we have agentfull and agentless wireless-hosts (having Iphones...). so the authentication methods will be md5, eap-tls and mab.

I will use (LinkSys-Wireless Router) as the authenticator for wireless-hosts ?

I need a user-guide for how to setup the wireless-hosts( supplicants) and how to setup Link-Sys and the Cisco-Switch in the middle. if you have any link, plz refer me

MAB Configuration Issue

Inayat Bunglawala — Thu, 25 Oct 2012 11:46:44 GMT

Hi Imran,

The best step by step documentation guide I have found for implementing 802.1X/ISE is here:

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

Hope that helps.

rgrds,

inayat

MAB Configuration Issue

Venkatesh Attuluri — Mon, 15 Jul 2013 08:50:39 GMT

This is the sample configuration you need to have on switch interface for MAB to work

interface GigabitEthernet0/1
description IP Phone + PC
switchport access vlan 10
switchport mode access
switchport voice vlan 40
ip access-group ACL-ALLOW in
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator