12-06-2023 01:21 AM - edited 12-06-2023 01:23 AM
Hi all,
We have recently deployed Cisco ISE for authentication purpose, but over wired connection when we plug the lan cable & apply the policy on the meraki switch port, for some users its working fine but on other devices the endpoint is sending MAC address for authentication insted of host name & because of this reason the radius server cant find the user in domain & rejects the request.
Key points :-
12-07-2023 06:54 AM
Because MAB uses the MAC address as a username and password, make sure that the RADIUS server can differentiate MAB requests from other types of requests for network access. This precaution prevents other clients from attempting to use a MAC address as a valid credential. Cisco switches uniquely identify MAB requests by setting Attribute 6 (Service-Type) to 10 (Call-Check) in a MAB Access-Request message. Therefore, you can use Attribute 6 to filter MAB requests at the RADIUS server.
Optionally, Cisco switches can be configured to perform MAB as EAP-MD5 authentication, in which case the Service-Type attribute is set to 1 (Framed). However, because the MAC address is sent in the clear in Attribute 31 (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password. In addition, because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server is not able to easily differentiate MAB EAP requests from IEEE 802.1X requests.
MHM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide