10-21-2012 08:21 AM - edited 03-10-2019 07:42 PM
With ACS 4.2 installed in my network, PEAP, EAP-TLS, MD5... authentications work normally. But Mac-Based-Authentication doesn't work at all. I tested everything but no luck.
This is what I have set up on the switch for MAB:
aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
radius-server host 192.168.2.16 auth-port 1645 acct-port 1646 key cisco
!
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x mac-auth-bypass
On the ACS server, I created a Network-Profile for MAB, I added those agentless hosts' MAC addresses, and I even created User-Name & password from those agentless hosts' MAC addresses on ACS... still nothing seems to be working. I have selected ACS_Internal-Database for MAC authentication.
On ACS, when I check the Failed-attempt log, nothing is logged there. I don't know where the issue is.
Please tell me where I'm wrong in my config?
10-23-2012 12:56 AM
After long investigation, I found that agentless hosts are authenticated, but after 10 minutes. I mean it takes around 10 minutes to authenticate agentless hosts. Does any expert know where the issue is?
But with other authentication methods like PEAP and EAP-TLS, my ACS works/authenticates very fast.
Any idea why it is taking 10 minutes to authenticate?
10-23-2012 12:16 PM
Hi Imran. I am doing some reading/research in preparation for implementing 802.1X/ISE on our network. I think the reason you are seeing a delay is that by default your settings are looking for dot1x authentication first and only if the ACS receives no response to the EAP requests will MAB kick in. So, I think you need to adjust your EAP authentication times and/or change the authentication order so that it checks MAB first then dot1x.
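The timer and ordering options mentioned in the reply above, as an added configuration sketch that is not part of any post in this thread. Interface names are reused from the thread; the timer values (10 s, 2 retries) are illustrative assumptions, and the fallback formula and defaults are the ones commonly documented for Catalyst IOS.

```ios
! Option 1: legacy dot1x syntax, as in the first post.
! 802.1X is tried first; MAB starts only after the EAP identity
! requests go unanswered:
!   fallback delay = (max-reauth-req + 1) * tx-period
! Commonly documented defaults (tx-period 30 s, max-reauth-req 2)
! give (2 + 1) * 30 = 90 s before MAB is attempted.
interface FastEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x mac-auth-bypass
 ! Assumed values: (2 + 1) * 10 = 30 s before MAB fallback.
 ! Too short a tx-period can push a slow-starting supplicant
 ! into MAB before it answers, so test with real endpoints.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
!
! Option 2: newer "authentication" syntax, MAB attempted first.
! "order" sets which method runs first; "priority" lets a later
! 802.1X success replace an existing MAB session on the port.
interface GigabitEthernet0/1
 switchport mode access
 authentication port-control auto
 authentication order mab dot1x
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
```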
10-24-2012 04:44 AM
Hello Inayat,
Yes, you were right. I changed the auth-timeouts, and it is authenticating MAB clients very fast.
Thank you for your support.
I need a user guide on how to set up authentication for wireless users. We have agentful and agentless wireless hosts (having iPhones...), so the authentication methods will be MD5, EAP-TLS and MAB.
I will use (LinkSys-Wireless Router) as the authenticator for wireless hosts?
I need a user guide for how to set up the wireless hosts (supplicants) and how to set up the LinkSys and the Cisco switch in the middle. If you have any link, please refer me.
10-25-2012 04:46 AM
Hi Imran,
The best step by step documentation guide I have found for implementing 802.1X/ISE is here:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
Hope that helps.
Regards,
inayat
07-15-2013 01:50 AM
This is the sample configuration you need to have on the switch interface for MAB to work:
interface GigabitEthernet0/1
 description IP Phone + PC
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 ip access-group ACL-ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator