10-24-2012 04:32 AM - edited 03-10-2019 07:43 PM
In the docs, it says that MAB uses PAP/ASCII or EAP-MD5 to pass the MAC as username / password.
In the attached setup, MAB is taking place successfully for an iPhone, without having PAP or EAP-MD5 enabled as Allowed Protocols.
Does the "Host Lookup" under Allowed Protocols provide for the MAC address to be passed in PAP / EAP-MD5 even if these two protocols are not enabled below, under the Authentication Protocols section of the configuration?
How could we dictate to our switch to start using EAP-MD5 to pass the MAC? If you look at the attached authentication details output, it lists in the AV Pair a EAP-Key. Is that it?
Thank you.
Cath.
Solved! Go to Solution.
10-24-2012 04:07 PM
Hello Cath-
Question #1: Yes, I think you are correct. I believe that the "Host Lookup" is a type of "protocol" used to process the MAB. If you look at the top of the authentication session, what do you see under "Authentication Protocol"? My guess is that you see "Lookup" (see attached screenshot).
Question #2: You can force the switch to use EAP-MD5 by appending "EAP" to the "MAB" command under the individual ports:
interface fa0/1
mab eap
Things to consider:
1) If you make that change, the default/built-in condition in ISE "Wired-MAB" will have to be changed, since the service-type RADIUS attribute will change from "Call Check" to "Framed." Thus, your MAB devices can easily skip the MAB authentication rule and be denied on the network.
2) Because the MAC address is sent in clear text in "Attribute 31" (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password.
3) Because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server will not be able to easily differentiate MAB EAP requests from IEEE 802.1X requests.
Here is a good document that you can reference as well:
Hope this helps...
Thank you for rating!
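The three caveats in the answer above can be seen concretely by modelling what the RADIUS server receives in each case. The following Python is an added example, not code from the original thread or from Cisco. The Access-Request attribute sets are constructed, not captured; the Wired_MAB condition values (Service-Type = Call Check, NAS-Port-Type = Ethernet) reflect the ISE default rule, and the `looks_like_mab_eap` heuristic is an assumption about how one could separate "mab eap" traffic from a real 802.1X supplicant once both arrive with Service-Type Framed.

```python
# Added example (not from the original thread): how an ISE-style "Wired_MAB"
# condition sees a plain MAB request, a "mab eap" request and an 802.1X
# request. All attribute values below are constructed sample data; numeric
# codes follow RFC 2865 (Service-Type, NAS-Port-Type) and RFC 3748 (EAP).
from dataclasses import dataclass
from typing import Optional

SERVICE_TYPE_FRAMED = 2        # what 'mab eap' and 802.1X supplicants send
SERVICE_TYPE_CALL_CHECK = 10   # what plain 'mab' sends
NAS_PORT_TYPE_ETHERNET = 15


@dataclass
class AccessRequest:
    """Minimal view of a RADIUS Access-Request (constructed sample data)."""
    user_name: str
    calling_station_id: str          # attribute 31, always plaintext
    service_type: int
    nas_port_type: int
    eap_message: Optional[bytes] = None      # attribute 79, present for EAP
    user_password: Optional[bytes] = None    # attribute 2, PAP, opaque here


def normalize_mac(s: str) -> str:
    """Drop separators and lowercase: '00-11-22-AA-BB-CC' -> '001122aabbcc'."""
    return "".join(c for c in s.lower() if c in "0123456789abcdef")


def matches_builtin_wired_mab(req: AccessRequest) -> bool:
    """ISE default Wired_MAB condition:
    Radius:Service-Type EQUALS Call Check AND Radius:NAS-Port-Type EQUALS Ethernet."""
    return (req.service_type == SERVICE_TYPE_CALL_CHECK
            and req.nas_port_type == NAS_PORT_TYPE_ETHERNET)


def classify(req: AccessRequest) -> str:
    """What the request looks like to the RADIUS server before any lookup."""
    if matches_builtin_wired_mab(req):
        return "wired-mab"
    if req.eap_message is not None and req.service_type == SERVICE_TYPE_FRAMED:
        # Both 'mab eap' and a genuine 802.1X supplicant produce this shape,
        # which is caveat 3 in the answer above.
        return "framed-eap"
    return "other"


def mac_visible_in_clear(req: AccessRequest) -> bool:
    """Caveat 2: the endpoint MAC is readable from Calling-Station-Id no matter
    how the username/password are carried."""
    return len(normalize_mac(req.calling_station_id)) == 12


def looks_like_mab_eap(req: AccessRequest) -> bool:
    """ASSUMED heuristic (not an ISE built-in): a Framed EAP request whose
    EAP identity / User-Name is exactly the Calling-Station-Id MAC."""
    return (classify(req) == "framed-eap"
            and normalize_mac(req.user_name) == normalize_mac(req.calling_station_id)
            and len(normalize_mac(req.user_name)) == 12)


def eap_response_identity(identity: bytes, eap_id: int = 1) -> bytes:
    """Build an EAP Response/Identity: Code=2, Id, Length, Type=1, identity."""
    length = 5 + len(identity)
    return bytes([2, eap_id]) + length.to_bytes(2, "big") + b"\x01" + identity


MAC = "00-11-22-AA-BB-CC"

# Plain 'mab': MAC as username and PAP password, Service-Type Call Check.
PLAIN_MAB = AccessRequest(
    user_name=normalize_mac(MAC), calling_station_id=MAC,
    service_type=SERVICE_TYPE_CALL_CHECK, nas_port_type=NAS_PORT_TYPE_ETHERNET,
    user_password=b"\x00" * 16,  # placeholder for the PAP-obfuscated field
)

# 'mab eap': same MAC, now inside EAP-MD5 identity, Service-Type Framed.
MAB_EAP = AccessRequest(
    user_name=normalize_mac(MAC), calling_station_id=MAC,
    service_type=SERVICE_TYPE_FRAMED, nas_port_type=NAS_PORT_TYPE_ETHERNET,
    eap_message=eap_response_identity(normalize_mac(MAC).encode()),
)

# A real 802.1X supplicant on the same port: user identity, Framed + EAP.
DOT1X = AccessRequest(
    user_name="alice", calling_station_id=MAC,
    service_type=SERVICE_TYPE_FRAMED, nas_port_type=NAS_PORT_TYPE_ETHERNET,
    eap_message=eap_response_identity(b"alice"),
)

if __name__ == "__main__":
    for name, req in [("plain mab", PLAIN_MAB), ("mab eap", MAB_EAP), ("802.1X", DOT1X)]:
        print(f"{name:10} -> {classify(req):10} builtin Wired_MAB hit: "
              f"{matches_builtin_wired_mab(req)}  MAC in clear: {mac_visible_in_clear(req)}")
```

Running it shows caveat 1 directly: the "mab eap" request no longer hits the built-in Wired_MAB condition, so an untouched ISE policy set falls through to whatever rule matches Framed EAP traffic. The `looks_like_mab_eap` check is one way to write the replacement condition, but it is an assumed heuristic, and nothing in it hides the MAC, which stays readable in Calling-Station-Id either way.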
10-25-2012 03:55 AM
Thanks for the explanation and for the mab eap command. I didn't know.
Thanks also for the link to the MAB deployment guide.
Regards,
Cath.