MAB Configuration Issue

Imran Ahmad
Level 2

With ACS 4.2 installed in my network, PEAP, EAP-TLS, MD5... authentications work normally. But MAC-based authentication doesn't work at all. I tested everything but no luck.

This is what I have set up on the switch for MAB:

aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
radius-server host 192.168.2.16 auth-port 1645 acct-port 1646 key cisco
!
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x mac-auth-bypass

On the ACS server, I created a Network-Profile for MAB and added those agentless hosts' MAC addresses. I even created user-name & password by those agentless hosts' MAC addresses on ACS, ..... still nothing seems to be working. I have selected ACS_Internal-Database for MAC authentication.

On ACS, when I check the Failed-attempt log, nothing is logged there. I don't know where the issue is.

Please tell me where I'm wrong in my config.

5 Replies

Imran Ahmad
Level 2

After long investigation, I found that agentless hosts are authenticated, but after 10 minutes. I mean it takes around 10 minutes to authenticate agentless hosts. Does any expert know where the issue is?

But with other authentication methods like PEAP, EAP-TLS my ACS works/authenticates very fast.

Any idea why it is taking 10 minutes to auth?

Hi Imran. I am doing some reading/research in preparation for implementing 802.1X/ISE on our network. I think the reason you are seeing a delay is that by default your settings are looking for dot1x authentication first and only if the ACS receives no response to the EAP requests will MAB kick in. So, I think you need to adjust your EAP authentication times and/or change the authentication order so that it checks MAB first then dot1x.

Hello Inayat,

Yes, you were right. I changed the auth-timeouts, and it is authenticating MAB clients very fast.

Thank you for your support.

I need a user guide on how to set up authentication for wireless users. We have agentful and agentless wireless hosts (having iPhones...), so the authentication methods will be MD5, EAP-TLS and MAB.

I will use a Linksys wireless router as the authenticator for wireless hosts?

I need a user guide on how to set up the wireless hosts (supplicants) and how to set up the Linksys and the Cisco switch in the middle. If you have any link, please refer me.

Hi Imran,

The best step by step documentation guide I have found for implementing 802.1X/ISE is here:

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

Hope that helps.

rgrds,

inayat

Venkatesh Attuluri
Cisco Employee

This is the sample configuration you need to have on the switch interface for MAB to work

interface GigabitEthernet0/1
 description IP Phone + PC
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 40
 ip access-group ACL-ALLOW in
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
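
The timeout change discussed earlier in the thread, sketched as an added example (not taken from any of the posts) in the older command syntax of the original question. The timer values are illustrative assumptions; the thread does not say which timers were changed or to what values.

```cisco
! Added example: tuning how long the switch waits for an 802.1X
! supplicant before falling back to MAB on a dot1x-first port.
!
! On a port with "dot1x mac-auth-bypass", the switch sends EAP
! Request/Identity frames and starts MAB only after they all go
! unanswered:
!
!   fallback delay = tx-period * (max-reauth-req + 1)
!
! IOS defaults: tx-period 30 s, max-reauth-req 2  ->  30 * 3 = 90 s
!
interface FastEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x mac-auth-bypass
 ! Illustrative values: 10 * (2 + 1) = 30 s before MAB starts
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
!
! Trade-off when shortening the timers: a supplicant that is slow to
! start (for example during boot) may miss every EAP request, and the
! port then authenticates the host by MAC address alone. A MAC address
! can be copied by another device, so the authorization granted to MAB
! sessions on the RADIUS server should be narrower than what 802.1X
! sessions receive.
!
! Check the values the port is actually using:
!   show dot1x interface FastEthernet0/1
```

On platforms that use the newer `authentication` commands, the `authentication order mab dot1x` line in the sample above makes the port try MAB first, so agentless hosts do not wait for the 802.1X timers at all.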