Re: Endpoint sending MAC for authentication

yash10 · ‎12-06-2023

Hi all,

We have recently deployed Cisco ISE for authentication purpose, but over wired connection when we plug the lan cable & apply the policy on the meraki switch port, for some users its working fine but on other devices the endpoint is sending MAC address for authentication insted of host name & because of this reason the radius server cant find the user in domain & rejects the request.

Key points :-

The wired auto config policy is set to automatic & started.
The user is present in the domain.
Windows version is win10 & win11.

MHM Cisco World · ‎12-07-2023

Because MAB uses the MAC address as a username and password, make sure that the RADIUS server can differentiate MAB requests from other types of requests for network access. This precaution prevents other clients from attempting to use a MAC address as a valid credential. Cisco switches uniquely identify MAB requests by setting Attribute 6 (Service-Type) to 10 (Call-Check) in a MAB Access-Request message. Therefore, you can use Attribute 6 to filter MAB requests at the RADIUS server.

Optionally, Cisco switches can be configured to perform MAB as EAP-MD5 authentication, in which case the Service-Type attribute is set to 1 (Framed). However, because the MAC address is sent in the clear in Attribute 31 (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password. In addition, because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server is not able to easily differentiate MAB EAP requests from IEEE 802.1X requests.

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html

MHM