cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1478
Views
6
Helpful
4
Replies

About ise mab password

jinyuanbao
Level 1
Level 1

Hi guys,

I'm using h3c switch and ise for the mab, and "If MAC-based accounts are used, the access device by default sends the source MAC address of a packet as the username and password to the RADIUS server for authentication", 

then when i'm using pap, whatever password i configure on ISE for that mac address user, it can always pass the authenticaion,

and when i'm using chap, even if that mac address user's password is that mac address itself on ise, it can't pass the authenticaion.

So i'm confused and wondering the mechanism here.

1 Accepted Solution

Accepted Solutions

Charlie Moreton
Cisco Employee
Cisco Employee

MAB is a MAC Authentication Bypass - the name itself shows that there is no true authentication with this method.  To add PAP or CHAP to the process means that you are going from a non-protocol bypass of authentication to a protocol-based authentication process - this should fail - by design - 100% of the time.  

 

View solution in original post

4 Replies 4

MAB = MAC Address BYPASS.  It is NOT a form of authentication.  The MAC address is the only form of credential here.  You will need to write your policies to use profiling or static MAC bypass endpoint groups.

Charlie Moreton
Cisco Employee
Cisco Employee

MAB is a MAC Authentication Bypass - the name itself shows that there is no true authentication with this method.  To add PAP or CHAP to the process means that you are going from a non-protocol bypass of authentication to a protocol-based authentication process - this should fail - by design - 100% of the time.  

 

there are misconfig 
So config MAB only not MAB EAP.

Arne Bier
VIP
VIP

@jinyuanbao - don't configure CHAP on the H3C switch. Use PAP. As the other guys already said, this is not authentication, hence we don't care to protect or interpret the password (even though the switch sends the same contents for User-Name in the User-Password)

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: