
ISE MAB Using EAP MD5 theory

Amine ZAKARIA
Spotlight

Hello,

According to this Cisco article for MAB https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/MAB/MAB_Dep_Guide.html#wp392378

which says:

Optionally, Cisco switches can be configured to perform MAB as EAP-MD5 authentication, in which case the Service-Type attribute is set to 1 (Framed). However, because the MAC address is sent in the clear in Attribute 31 (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password. In addition, because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server is not able to easily differentiate MAB EAP requests from IEEE 802.1X requests.

Isn't Service-Type 1 Login? And using EAP MD5, the Service-Type gets changed from Call-Check to Service-Type 2, which is Framed? Or am I missing something?

Thank you.
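Added example, not part of the original post or the Cisco guide: a small Python parser that reads the attributes of a RADIUS Access-Request and shows why Service-Type alone cannot separate MAB sent as EAP-MD5 from IEEE 802.1X. Attribute numbers and Service-Type values follow RFC 2865/2869; the comparison of User-Name with Calling-Station-Id is an assumed heuristic, and the sample packets are constructed.

```python
import re
import struct

# Service-Type (attribute 6) values per RFC 2865: 1 Login, 2 Framed, 10 Call Check.
USER_NAME, SERVICE, CALLING_STATION_ID, EAP_MESSAGE = 1, 6, 31, 79

def parse_attrs(packet: bytes) -> dict:
    """Return {attribute type: first value} from a RADIUS packet (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs.setdefault(atype, packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def hex_only(value: bytes) -> str:
    """Lowercase and drop separators so 00-11-22-33-44-55 matches 001122334455."""
    return re.sub(r"[^0-9a-f]", "", value.decode("ascii", "replace").lower())

def classify(packet: bytes) -> str:
    a = parse_attrs(packet)
    stype = int.from_bytes(a[SERVICE], "big") if SERVICE in a else None
    if stype == 10:
        return "mab-call-check"
    if stype == 2 and EAP_MESSAGE in a:
        caller = hex_only(a.get(CALLING_STATION_ID, b""))
        # Assumed heuristic: in MAB the switch sends the MAC as the User-Name.
        if len(caller) == 12 and hex_only(a.get(USER_NAME, b"")) == caller:
            return "mab-eap-candidate"
        return "dot1x"
    return "other"

def build(attrs) -> bytes:
    """Constructed Access-Request (code 1) with a zeroed authenticator, for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

MAC, FRAMED = b"00-11-22-33-44-55", (2).to_bytes(4, "big")
MAB = build([(1, b"001122334455"), (6, (10).to_bytes(4, "big")), (31, MAC)])
MAB_EAP = build([(1, b"001122334455"), (6, FRAMED), (31, MAC),
                 (79, b"\x02\x01\x00\x11\x01" + b"001122334455")])
DOT1X = build([(1, b"alice"), (6, FRAMED), (31, MAC),
               (79, b"\x02\x01\x00\x0a\x01" + b"alice")])
```

Both `MAB_EAP` and `DOT1X` carry Service-Type 2 (Framed) plus an EAP-Message, so only the secondary check on User-Name tells them apart.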

3 Replies

Hi @Amine ZAKARIA ,

Yes, you are correct ... take a look at: RADIUS Type - Values for RADIUS Attribute 6, Service-Type.

Note: at the link: MAC Authentication Bypass Deployment Guide, it's possible to submit feedback on the doc.

Hope this helps !!!

Hello @Marcelo Morais 

Thank you for your reply. I did submit feedback more than one week ago but I did not receive anything. There are two articles that have the same statement.

hslai
Cisco Employee

The article is almost 10 years old so I do not think it is getting maintained.