topic You have to set a default in Network Access Control

MAC Authentication Bypass authentication

mohameddz — Mon, 11 Mar 2019 06:50:31 GMT

Hi all;

I have a question if some one can help me;

I want to impliment MAB authentication (base on MAC addresse) in my network because some of my equipment don't support 802.1x;

when the equipment that I plug on the Switch is authenticated there is no problem he can get an IP @from the DHCP server that's OK.

now my question is; when the equipment is not authenticated I want him to passe in another VLAN (as resticted VLAN) or make some restriction via ACL, is that possible with MAB ??

thank's .

M.Benchabane

Hi

Francesco Molino — Mon, 06 Jun 2016 17:09:38 GMT

Which AAA server are you using?

With ISE and/or ACS, you can have a default policy putting everyone who has not been authenticated to a specific vlan with limited access (guest vlan).

Or through switches, on port configuration, you can use the command authentication event fail that will put users on dedicated vlan with limited access with an option that's telling put in this vlan only when their authentication have failed after 3 attempts.

Hope this is what your were looking for.

Thanks

Hi

mohameddz — Tue, 07 Jun 2016 09:30:55 GMT

thanks for your replay;

I'm using RadL as AAA server; please I think that I misse some thing; should I mak the port in a VLAN for normal Access (switchpor access vlan X) and make the commande (authentication event fail action authorize vlan Y) ?

thanks.

You have to set a default

Francesco Molino — Tue, 07 Jun 2016 11:26:32 GMT

You have to set a default vlan whith limited access for all users before they get authenticated. If authentication is ok, radius will push a new vlan and/or an acl as well.

If authentication failed, then you can push another vlan for guest or remediation purpose.

The default vlan will allow only dns, dhcp and radius access in order to try to authenticate users.

thank you so much for your

mohameddz — Tue, 07 Jun 2016 11:37:22 GMT

thank you so much for your help and time

here is the conf in the interface:

Switch#sh run int fa1/0/13
Building configuration...

Current configuration : 284 bytes
!
interface FastEthernet1/0/13
switchport access vlan 2
switchport mode access
authentication event fail action authorize vlan 3
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
end

is that correct ?

Yes.

Francesco Molino — Tue, 07 Jun 2016 12:47:40 GMT

Yes.

Don't forget those 2 commands in order to choose the order and priority of authentication type you want on each ports:

authentication order dot1x mab
authentication priority dot1x mab