<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: mac binding and 802.1x in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/mac-binding-and-802-1x/m-p/4489501#M570544</link>
    <description>&lt;P&gt;MAC randomization could throw a spanner in the works if the user ends up fiddling with the WLAN settings on the device (i.e. turn private MAC on/off) - in the case of Cisco BYOD onboarding the MAC address that was used at the time of onboarding is baked into the client certificate and you may wish to use that as an extra Authorization step in ISE. That is not MAB, and now I understand your question about "binding" the MAC to the supplicant authentication, by means of embedding it in the client certificate.&amp;nbsp; A better mechanism would be some kind of device serial or UDID which doesn't change and is unrelated to MAC address. This is already happening with MDM vendors (Microsoft Intune) and ISE 3.1 - hopefully other MDM vendors will do the same.&lt;/P&gt;</description>
    <pubDate>Wed, 20 Oct 2021 21:46:34 GMT</pubDate>
    <dc:creator>Arne Bier</dc:creator>
    <dc:date>2021-10-20T21:46:34Z</dc:date>
    <item>
      <title>mac binding and 802.1x</title>
      <link>https://community.cisco.com/t5/network-access-control/mac-binding-and-802-1x/m-p/4482784#M570280</link>
      <description>&lt;P&gt;&lt;FONT face="trebuchet ms,geneva"&gt;Hi Experts,&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT face="trebuchet ms,geneva"&gt;Is configuring mac binding and 802.1x together a good idea?&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="trebuchet ms,geneva"&gt;Has anyone done this kind of deployment earlier? Any side effects if these both are working together on the switch?&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="trebuchet ms,geneva"&gt;Also, can this be configured for Wireless network?&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT face="trebuchet ms,geneva"&gt;Also what are the use cases where this deployment would make sense?&lt;/FONT&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 08 Oct 2021 18:01:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mac-binding-and-802-1x/m-p/4482784#M570280</guid>
      <dc:creator>dgaikwad</dc:creator>
      <dc:date>2021-10-08T18:01:42Z</dc:date>
    </item>
    <item>
      <title>Re: mac binding and 802.1x</title>
      <link>https://community.cisco.com/t5/network-access-control/mac-binding-and-802-1x/m-p/4487582#M570453</link>
      <description>&lt;P&gt;Hello&lt;/P&gt;
&lt;P&gt;I used to believe that MAB and 802.1X were not possible for the same sessions (mutually exclusive). But you can indeed (at least I have done this with wireless SSID) combine the two. I can't recall which auth method the Cisco WLC performs first. I seem to recall it was 802.1X, followed by MAB. I have not had that use case but there was a question on the Community a long time ago where someone asked the question and I tested it.&lt;/P&gt;
&lt;P&gt;Perhaps it could be considered an extra level of access control - I would not use "security" because MAB should never be considered secure. More like, "level of difficulty". Due to MAC randomisation, I also don't believe that we should tie too much logic to MAC addresses. The MDM world has already moved on to UDID instead of MAC address because of randomisation.&lt;/P&gt;</description>
      <pubDate>Sun, 17 Oct 2021 20:23:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mac-binding-and-802-1x/m-p/4487582#M570453</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2021-10-17T20:23:16Z</dc:date>
    </item>
    <item>
      <title>Re: mac binding and 802.1x</title>
      <link>https://community.cisco.com/t5/network-access-control/mac-binding-and-802-1x/m-p/4489154#M570528</link>
      <description>&lt;P&gt;&lt;FONT face="trebuchet ms,geneva"&gt;Yes, this makes sense why it should not be solely used for restricting access to the users.&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="trebuchet ms,geneva"&gt;But then in case of BYOD flow, if I am able to just require only one mac address per user, then in that case does the user device have a fixed mac address to be used for network access?&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="trebuchet ms,geneva"&gt;Or at least the turn off mac randomization on their devices?&lt;/FONT&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 20 Oct 2021 12:44:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mac-binding-and-802-1x/m-p/4489154#M570528</guid>
      <dc:creator>dgaikwad</dc:creator>
      <dc:date>2021-10-20T12:44:46Z</dc:date>
    </item>
    <item>
      <title>Re: mac binding and 802.1x</title>
      <link>https://community.cisco.com/t5/network-access-control/mac-binding-and-802-1x/m-p/4489501#M570544</link>
      <description>&lt;P&gt;MAC randomization could throw a spanner in the works if the user ends up fiddling with the WLAN settings on the device (i.e. turn private MAC on/off) - in the case of Cisco BYOD onboarding the MAC address that was used at the time of onboarding is baked into the client certificate and you may wish to use that as an extra Authorization step in ISE. That is not MAB, and now I understand your question about "binding" the MAC to the supplicant authentication, by means of embedding it in the client certificate.&amp;nbsp; A better mechanism would be some kind of device serial or UDID which doesn't change and is unrelated to MAC address. This is already happening with MDM vendors (Microsoft Intune) and ISE 3.1 - hopefully other MDM vendors will do the same.&lt;/P&gt;</description>
      <pubDate>Wed, 20 Oct 2021 21:46:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/mac-binding-and-802-1x/m-p/4489501#M570544</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2021-10-20T21:46:34Z</dc:date>
    </item>
  </channel>
</rss>

