topic Hi Fnu,can we apply this in Network Access Control

mac authentication bypass

sherif safwat — Mon, 11 Mar 2019 05:45:12 GMT

we have dot1x and MAB features implemented in a Juniper infrastructure where we can bypass non dot1x devices using local database in the switches themselves.

now we will migrate to cisco and need to deploy the same mab scenario locally on the switches without the need for radius for mab authentication.

how can this be done ?

Note : Juniper command as below

set protocol dot1x authenticator static xx:xx:xx:xx:xx:xx

where the xx:xx:xx:xx:xx:xx is the mac required to bypass

Hi Sherif,You will need the

Kanwaljeet Singh — Mon, 25 May 2015 19:58:47 GMT

Hi Sherif,

You will need the RADIUS server and mac address list created on it for MAB to work as a fall back method or standalone MAB.

More details can be found at:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi FNU,Actually we use

sherif safwat — Mon, 25 May 2015 20:18:46 GMT

Hi FNU,

Actually we use Microsoft NAP for authentication with active directory,and it's not logical to create more than 500 account in active directory with our devices mac-addresses as a username and a password to be authenticated!!

Juniper is smart on this as we can easily match of the OUI part of the mac addresses locally on the switch and keeping the NAP only for dot1x authentication.

I hope there will be a similar method for that on cisco

Hi Sherif,I don't see such an

Kanwaljeet Singh — Mon, 25 May 2015 20:36:02 GMT

Hi Sherif,

I don't see such an option available. You would need Radius server or LDAP or AD integrated with switch/router for MAB to work. I don't see an option to define local MAC-ADDRESS list on switch/router itself.

May be some one has ideas for an easy way to import/create the Mac-address DB on AD.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi Fnu,can we apply this

sherif safwat — Tue, 26 May 2015 07:08:18 GMT

Hi Fnu,

can we apply this situation using microsoft NAP and AD but without creating this bulk of accounts (mac address as a username and password) ??

It's really strange that something like that is not available on cisco as a leader for the switching market !!!

it's done , noway to do it

sherif safwat — Wed, 27 May 2015 15:05:58 GMT

it's done , noway to do it from Cisco switch itself .

can be done from Microsoft NAP to accept these account without authentication and provide Vlan directly