05-13-2022 12:45 AM - edited 05-13-2022 12:48 AM
Hi guys,
I'm using h3c switch and ise for the mab, and "If MAC-based accounts are used, the access device by default sends the source MAC address of a packet as the username and password to the RADIUS server for authentication",
then when i'm using pap, whatever password i configure on ISE for that mac address user, it can always pass the authenticaion,
and when i'm using chap, even if that mac address user's password is that mac address itself on ise, it can't pass the authenticaion.
So i'm confused and wondering the mechanism here.
Solved! Go to Solution.
05-13-2022 05:49 AM
MAB is a MAC Authentication Bypass - the name itself shows that there is no true authentication with this method. To add PAP or CHAP to the process means that you are going from a non-protocol bypass of authentication to a protocol-based authentication process - this should fail - by design - 100% of the time.
05-13-2022 05:25 AM
MAB = MAC Address BYPASS. It is NOT a form of authentication. The MAC address is the only form of credential here. You will need to write your policies to use profiling or static MAC bypass endpoint groups.
05-13-2022 05:49 AM
MAB is a MAC Authentication Bypass - the name itself shows that there is no true authentication with this method. To add PAP or CHAP to the process means that you are going from a non-protocol bypass of authentication to a protocol-based authentication process - this should fail - by design - 100% of the time.
05-13-2022 06:56 AM
there are misconfig
So config MAB only not MAB EAP.
05-15-2022 06:43 PM
@jinyuanbao - don't configure CHAP on the H3C switch. Use PAP. As the other guys already said, this is not authentication, hence we don't care to protect or interpret the password (even though the switch sends the same contents for User-Name in the User-Password)
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide