
ISE MAB Host Lookup - PAP or EAP-MD5

cpaquet
Level 1

In the docs, it says that MAB uses PAP/ASCII or EAP-MD5 to pass the MAC as username / password.

In the attached setup, MAB is taking place successfully for an iPhone, without having PAP or EAP-MD5 enabled as Allowed Protocols.

Does the "Host Lookup" under Allowed Protocols provide for the MAC address to be passed in PAP / EAP-MD5 even if these two protocols are not enabled below under the Authentication Protocols section of the configuration?

How could we dictate to our switch to start using EAP-MD5 to pass the MAC?  If you look at the attached authentication details output, it lists an EAP-Key in the AV Pair.  Is that it?

Thank you.

Cath.

Accepted Solution

nspasov
Cisco Employee

Hello Cath-

Question #1: Yes, I think you are correct. I believe that the "Host Lookup" is a type of "protocol" used to process the MAB. If you look at the top of the authentication session, what do you see under "Authentication Protocol?" My guess is that you see "Lookup" (see attached screen shot).

Question #2: You can force the switch to use EAP-MD5 by appending "EAP" to the "MAB" command under the individual ports:

     interface fa0/1
     mab eap

Things to consider:

     1) If you make that change, the default/built-in condition in ISE "Wired-MAB" will have to be changed, since the service-type RADIUS attribute will change from "Call Check" to "Framed." Thus, your MAB devices can easily skip the MAB authentication rule and be denied on the network.

     2) Because the MAC address is sent in clear text in "Attribute 31" (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password.

     3) Because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server will not be able to easily differentiate MAB EAP requests from IEEE 802.1X requests.

Here is a good document that you can reference as well:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html

Hope this helps...

Thank you for rating!

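As an added illustration of the three points above (my own code, not from the thread or from Cisco), here is a Python sketch of how a RADIUS policy condition sees the two MAB variants: the "Wired-MAB" condition is assumed to test only Service-Type == Call Check, the Access-Request attribute sets are constructed, and the username-equals-Calling-Station-Id heuristic for spotting MAB EAP is mine, not an ISE feature.

```python
"""Classify constructed RADIUS Access-Requests the way a policy condition
would, to show why 'mab eap' stops matching a Call Check condition and
why MAB EAP then looks like IEEE 802.1X to the RADIUS server."""
import re

# Standard RADIUS Service-Type values (RFC 2865; Call-Check = 10)
SERVICE_TYPE_FRAMED = 2
SERVICE_TYPE_CALL_CHECK = 10

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: str) -> str:
    """Drop separators and case: '00-11-22-33-44-55', '0011.2233.4455'
    and '001122334455' all compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", value).lower()


def matches_default_wired_mab(req: dict) -> bool:
    """Assumed shape of the built-in 'Wired-MAB' condition: Call Check only."""
    return req.get("Service-Type") == SERVICE_TYPE_CALL_CHECK


def classify(req: dict) -> str:
    """Return 'MAB', 'MAB-EAP' or '802.1X'.

    Plain (lookup) MAB: Service-Type Call Check, no EAP-Message.
    MAB EAP: Service-Type Framed plus EAP-Message, exactly like 802.1X;
    the only cheap tell (a heuristic, not a standard) is that User-Name is
    the same MAC already carried in clear in Calling-Station-Id.
    """
    has_eap = "EAP-Message" in req
    user = normalize_mac(req.get("User-Name", ""))
    csid = normalize_mac(req.get("Calling-Station-Id", ""))
    if req.get("Service-Type") == SERVICE_TYPE_CALL_CHECK and not has_eap:
        return "MAB"
    if has_eap and _MAC_RE.match(user) and user == csid:
        return "MAB-EAP"
    return "802.1X"


# Constructed sample requests (not taken from the thread's attachment)
SAMPLES = {
    "mab_pap": {"User-Name": "001122334455", "Calling-Station-Id": "00-11-22-33-44-55",
                "Service-Type": SERVICE_TYPE_CALL_CHECK, "NAS-Port-Type": 15},
    "mab_eap": {"User-Name": "001122334455", "Calling-Station-Id": "00-11-22-33-44-55",
                "EAP-Message": b"\x02\x01", "Service-Type": SERVICE_TYPE_FRAMED},
    "dot1x": {"User-Name": "alice@example.com", "Calling-Station-Id": "AA-BB-CC-DD-EE-FF",
              "EAP-Message": b"\x02\x01", "Service-Type": SERVICE_TYPE_FRAMED},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:8} Wired-MAB match={matches_default_wired_mab(req)!s:5} -> {classify(req)}")
```

Running it shows the MAB EAP request failing the Call Check condition (point 1) while the MAC is still readable in Calling-Station-Id (point 2), and only the username heuristic separates it from the 802.1X request (point 3).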

2 Replies

Thanks for the explanation and for the mab eap command.  I didn't know.

Thanks also for the link to the MAB deployment guide.

Regards,

Cath.