802.1x and MAB authentication using a Workgroup

latenaite2011
Level 4

Just wondering what is the best way to test 802.1x and MAB authentication using a workgroup without an AD or certificate environment.

6 Replies

Arne Bier
VIP

You can fake this with a clever lab setup - all the tools are available in open source. Have a look at my 3-part series on how to do this:


Rapid prototyping ISE Policies without any real networking hardware (part 1)

Rapid prototyping ISE Policies without any real networking hardware (part 2)

Rapid prototyping ISE Policies without any real networking hardware (part 3)


I use this all the time to test EAP-EAP, EAP-TLS and PAP/ASCII auth.

Hi Arne,

Excellent.

I will try all that you have suggested.

I do have a Cisco Catalyst switch and a Windows 7 machine (just not an AD or Certificate server), so I was also wondering if there is a quick way to match on the Windows Workstation (non-domain) attribute to just create an authentication and authorization policy to make things work.

Thank you!

Well, you could always create local identities (accounts) on ISE and then authenticate against those. Not sure what you mean exactly by matching on workgroup attributes? Maybe an example (I am not a Microsoft jockey ;-> )

Hi Arne,

I am good with this. Thank you for the reply.

I was able to test your radclient tool and it works fine. Thank you!

I was able to get MAB authentication working on a laptop that was configured as part of an Endpoint group and was trying to test with a different laptop newly plugged in. I wasn't able to connect, which is a fail, but the "show authen session" output shows that it is Authz Failed (see below), and I don't see the MAB authentication (I have made sure that 802.1x is disabled).

Port 7 is configured similar to the one that was working. So why wouldn't it show mab for the method?

Secondly, I was testing port 2/0/6 again and had disconnected the cable for a different test and thought I would try to connect; now that computer can't connect and I don't get authen successful. I noticed that the MAC address of that computer is not under the Endpoint Group that I added it to (which matched the policy that I created it for). Why would a MAC address get deleted from an Identity Group under Work Centers, Device Admin - Identity Groups - Endpoint Identity Groups - Workgroup?

Gi2/0/7 0026.b99f.09b5 N/A DATA Authz Failed
C0A8015D000001E20C2BCE18

Does the MAC address get deleted every time a computer disconnects?

So what would happen if we manually add a MAC address to a Whitelist EndPoint Identity group and that gets deleted if the computer is disconnected? Would we have to add it back every time?
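Tying together the radclient lab approach from Arne's earlier reply and the MAB session problem above, here is an added example (not code from the thread or from Cisco) that builds a MAB-style RADIUS Access-Request for the MAC seen in the "show authen session" output and sends it with FreeRADIUS's radclient, so the MAB outcome can be checked against the ISE live log without replugging a laptop. It assumes radclient is installed; ISE_HOST, ISE_SECRET, NAS_IP and NAS_PORT_ID are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes FreeRADIUS radclient is
# installed and ISE is reachable at ISE_HOST with shared secret ISE_SECRET
# (placeholders). NAS values below are constructed for the lab.

# Normalise any common MAC notation (Cisco 0026.b99f.09b5, colons, hyphens)
# to the hyphenated upper-case form a Catalyst sends as Calling-Station-Id,
# which is the attribute ISE matches against the endpoint database.
mab_username() {
    hex=$(printf '%s' "$1" | sed 's/[.:-]//g' | tr 'a-f' 'A-F')
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s' "$hex" | sed 's/\(..\)/\1-/g; s/-$//'
}

# Emit the attribute list radclient reads on stdin. Service-Type = Call-Check
# is what IOS sends for MAB; it is what makes ISE treat the request as a
# host lookup rather than a user/password authentication.
mab_request() {
    user=$(mab_username "$1") || return 1
    cat <<EOF
User-Name = "$user"
User-Password = "$user"
Service-Type = Call-Check
NAS-Port-Type = Ethernet
NAS-IP-Address = ${NAS_IP:-192.0.2.10}
NAS-Port-Id = "${NAS_PORT_ID:-GigabitEthernet2/0/7}"
Calling-Station-Id = "$user"
EOF
}

# Send the request; radclient -x prints the Access-Accept or Access-Reject
# so the result can be compared with the ISE live log entry for that MAC.
mab_test() {
    mab_request "$1" | radclient -x "${ISE_HOST:-ise.example.invalid}:1812" \
        auth "${ISE_SECRET:-changeme}"
}
```

If ISE answers Access-Reject for a MAC that you believe is in the Endpoint Identity Group, check the live log's failure reason first; the MAC having been removed from the group (as happened in this thread) shows up there before it shows up on the switch.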

Although I understand the theory of MAB, I don't have much experience with wired switches at the moment. I mostly deal with MAB in the context of wireless guest.

If you are using profiling then perhaps the endpoint gets moved from one Endpoint Identity Group to another. I don't use profiling so I wouldn't know. When I have placed a MAC address in an Endpoint Identity Group then it has always remained there, unless I deleted it via the Context Visibility page, or if I deleted a Sponsored Guest Account via the Sponsor Portal (and that is then the expected behaviour).


Hi Arne,

Yes, it looks like it was because of me deleting the endpoint from the Context Visibility.

That is how I tested with dot1x too, so I have to see how to go about being able to test this again under 802.1x if the MAC has been provided.

Thank you!