Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4639
Views
0
Helpful
6
Replies

mab request format

bwedel1234
Level 1
Level 1

‎05-20-2013 11:12 AM - edited ‎03-10-2019 08:26 PM

We are getting our cisco switches up and running with 802.1x and mab.  We have some other switches from another vendor that have been working great with our radius server (Microsoft NPS).  Our problem we are having is that cisco sends the mac address for mab in lower case, while the other switch and our AD accounts are al in upper case. 

Is there a way to have the cisco switch (2960) send the mac in upper case or does anyone know of a way to have the NPS server check for both ways (although that really isn't what we want).

Thanks

Labels:
0 Helpful
6 Replies 6

Jatin Katyal
Cisco Employee
Cisco Employee

‎05-20-2013 12:24 PM

By  default, the Access-Request message is a Password Authentication  Protocol (PAP) authentication request, The request includes the source  MAC address in three attributes: Attribute 1 (Username), Attribute 2  (Password), and Attribute 31 (Calling-Station-Id). Although the MAC  address is the same in each attribute, the format of the address  differs. This feature is important because different RADIUS servers may  use different attributes to validate the MAC address. Some RADIUS  servers may look at only Attribute 31 (Calling-Station-Id), while others  will actually verify the username and password in Attributes 1 and 2.


RADIUS Attribute


Format


Example


1 (Username)


12 hexadecimal digits, all lowercase, and no punctuation


0018f809cfd7


2 (Password)


Same as the username but encrypted


\xf2\xb8\x9c\x9c\x13\xdd#,\xcaT\xa1\xcay=&\xee


31(Calling-Station-Id)


6 groups of 2 hexadecimal digits, all uppercase, and separated by hyphens


00-18-F8-09-CF-D7

Because MAB uses the MAC address as a username and password, you should make sure that the RADIUS server can differentiate MAB requests from other types of requests for network access.

Jatin Katyal
- Do rate helpful posts -

~Jatin
0 Helpful

bwedel1234
Level 1
Level 1
In response to Jatin Katyal

‎05-20-2013 01:25 PM

Thanks for the reply Jatin.

The reason why I want to find out of if it's possible to change the way the swtich passes the mac is that I don't want to have to add all of our phone mac addresses (about 2600) twice into AD.  Once with upper case and once with lower case in order for it to work.  So from the sound of your reply.  It sounds like you can't change the letters from lower case to upper case.  Is that correct?

Thanks again!

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to bwedel1234

‎05-21-2013 12:27 PM

Uw !!! I couldn't find a way /command to convert the case and send it to radius server.

Jatin Katyal


- Do rate helpful posts -

~Jatin
0 Helpful

bwedel1234
Level 1
Level 1
In response to Jatin Katyal

‎05-22-2013 05:15 AM

Again, thanks for the help Jatin.

Yep, this is really annoying.  

The one thing that is holding back this project from going live is the capital letters. 

I think we'll probably move away from mab and try eap-tls through cucm.

-blake

0 Helpful

manjeets
Level 3
Level 3

‎07-12-2013 07:39 AM

Kindly review the attachment:

       and the link:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html

Preview file
216 KB
0 Helpful

manjeets
Level 3
Level 3

‎08-28-2013 06:12 AM

Kindly review the attached :

Preview file
132 KB
0 Helpful
Customers Also Viewed These Support Documents