https://community.cisco.com/t5/network-access-control/ise-mab-host-lookup-pap-or-eap-md5/m-p/2048672#M184539 <HTML><HEAD></HEAD><BODY><P>Hello Cath-</P><P></P><P><STRONG>Question #1:</STRONG> Yes, I think you are correct. I believe that the "Host Lookup" is type of "protocol" used to process the MAB. If you look at the top of the authenticaiton session what do you under "Authentication Protocol?" My guess is that you see "Lookup" (see attached screen shot)</P><P></P><P><STRONG>Question #2: </STRONG>You can force the switch to use EAP-MD5 by appending <SPAN style="text-decoration: underline;">"EAP" </SPAN> to the <SPAN style="text-decoration: underline;">"MAB"</SPAN> command under the individual ports:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; interface fa0/1</P><P>&nbsp;&nbsp;&nbsp;&nbsp; mab eap</P><P></P><P><STRONG>Things to conisider</STRONG>:</P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; 1) </STRONG>If you make that change the default/built-in condition in ISE "<STRONG>Wired-MAB</STRONG>" will have to be changed since the </P><P>service-type radius attribute will change from "Call Check" to "Framed." Thus, your MAB devices can easily skip the MAB authenticaiton rule and be denied on the network</P><P>&nbsp;&nbsp;&nbsp;&nbsp; <STRONG>2) </STRONG>Because the MAC address is sent in the clear text&nbsp; "Attribute 31" (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password</P><P>&nbsp;&nbsp;&nbsp;&nbsp; <STRONG>3) </STRONG>Because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server will not be able to easily differentiate MAB EAP requests from IEEE 802.1X requests</P><P></P><P>Here is a good document that you can reference as well:</P><P><A href="http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html">http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html</A></P><P></P><P>Hope this helps...</P><P></P><P>Thank you for rating!<IMG src="http://supportforums.cisco.com/sites/default/files/legacy/7/6/0/109067-MAB.jpg" class="jive-image" /></P></BODY></HTML> Wed, 24 Oct 2012 23:07:40 GMT nspasov 2012-10-24T23:07:40Z https://community.cisco.com/t5/network-access-control/ise-mab-host-lookup-pap-or-eap-md5/m-p/2048671#M184535 <P>In the docs, it says that MAB uses PAP/ASCII or EAP-MD5 to pass the MAC as username / password.</P><P>In the attached setup, MAB is talking place successfully for an iPhone, without having PAP or EAP-MD5 enabled as Allowed Protocols.&nbsp; </P><P>Is the "Host Lookup" under allowed protocols, provides for the MAC address to be passed in PAP / EAP-MD5 even if these two protocols are not enabled below under the Authentication Protocols section of the configuration?</P><P>How could we dictate to our switch to start using EAP-MD5 to pass the MAC?&nbsp; If you look at the attached authentication details output, it lists in the AV Pair a EAP-Key.&nbsp; Is that it?</P><P></P><P>Thank you.</P><P></P><P>Cath.</P> Mon, 11 Mar 2019 02:43:01 GMT https://community.cisco.com/t5/network-access-control/ise-mab-host-lookup-pap-or-eap-md5/m-p/2048671#M184535 cpaquet 2019-03-11T02:43:01Z https://community.cisco.com/t5/network-access-control/ise-mab-host-lookup-pap-or-eap-md5/m-p/2048672#M184539 <HTML><HEAD></HEAD><BODY><P>Hello Cath-</P><P></P><P><STRONG>Question #1:</STRONG> Yes, I think you are correct. I believe that the "Host Lookup" is type of "protocol" used to process the MAB. If you look at the top of the authenticaiton session what do you under "Authentication Protocol?" My guess is that you see "Lookup" (see attached screen shot)</P><P></P><P><STRONG>Question #2: </STRONG>You can force the switch to use EAP-MD5 by appending <SPAN style="text-decoration: underline;">"EAP" </SPAN> to the <SPAN style="text-decoration: underline;">"MAB"</SPAN> command under the individual ports:</P><P>&nbsp;&nbsp;&nbsp;&nbsp; interface fa0/1</P><P>&nbsp;&nbsp;&nbsp;&nbsp; mab eap</P><P></P><P><STRONG>Things to conisider</STRONG>:</P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; 1) </STRONG>If you make that change the default/built-in condition in ISE "<STRONG>Wired-MAB</STRONG>" will have to be changed since the </P><P>service-type radius attribute will change from "Call Check" to "Framed." Thus, your MAB devices can easily skip the MAB authenticaiton rule and be denied on the network</P><P>&nbsp;&nbsp;&nbsp;&nbsp; <STRONG>2) </STRONG>Because the MAC address is sent in the clear text&nbsp; "Attribute 31" (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password</P><P>&nbsp;&nbsp;&nbsp;&nbsp; <STRONG>3) </STRONG>Because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server will not be able to easily differentiate MAB EAP requests from IEEE 802.1X requests</P><P></P><P>Here is a good document that you can reference as well:</P><P><A href="http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html">http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html</A></P><P></P><P>Hope this helps...</P><P></P><P>Thank you for rating!<IMG src="http://supportforums.cisco.com/sites/default/files/legacy/7/6/0/109067-MAB.jpg" class="jive-image" /></P></BODY></HTML> Wed, 24 Oct 2012 23:07:40 GMT https://community.cisco.com/t5/network-access-control/ise-mab-host-lookup-pap-or-eap-md5/m-p/2048672#M184539 nspasov 2012-10-24T23:07:40Z https://community.cisco.com/t5/network-access-control/ise-mab-host-lookup-pap-or-eap-md5/m-p/2048673#M184546 <HTML><HEAD></HEAD><BODY><P>Thanks for the explanation and for the <STRONG>mab eap</STRONG> command.&nbsp; I didn't know.</P><P>Thanks also for the link to the MAB deployment guide.</P><P>Regards,</P><P>Cath.</P></BODY></HTML> Thu, 25 Oct 2012 10:55:56 GMT https://community.cisco.com/t5/network-access-control/ise-mab-host-lookup-pap-or-eap-md5/m-p/2048673#M184546 cpaquet 2012-10-25T10:55:56Z