Beginner

MAC Auth interface config

Hello,

I am looking to configure MAC-Authentication in our switches. Do you have any interface config you can share that is used in the production environment? Below is what I have so far. Am I missing anything, or does anything need to be removed? What about some sort of timeout settings we can use?

interface Gi1/0/1
switchport mode access
switchport access vlan 20
switchport voice vlan 30
authentication control-direction in
authentication event server dead action authorize
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer restart 1
mab
spanning-tree portfast

VIP Mentor

At a high level, your configuration is OK.

But if this is a first-time deployment and testing, I would start with a basic config and add more options as you move on, since if it is not working you will have a hard time finding which line is causing the issue.

So start with the below:

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html

BB
*** Rate All Helpful Responses ***
VIP Engager

Agreeing with @balaji.bandi to start with less, test, and build from there. Are you planning on allowing both a data and voice device on the same port? Here is a breakdown of the different host modes for a better understanding:

Single-host mode:

In single-host mode, only a single MAC or IP address can be authenticated by any method on a port. If a different MAC address is detected on the port after an endpoint has authenticated with 802.1X, MAB, or Web Authentication, a security violation is triggered on the port. This is the default behavior.

Multi-domain-authentication (MDA) host mode:

MDA was specifically designed to address the requirements of IP telephony in an 802.1X environment. When MDA is configured, two endpoints are allowed on the port: one in the voice VLAN, and one in the data VLAN. Additional MAC addresses trigger a security violation.

Multi-auth host mode:

If the port is configured for multi-auth mode, multiple endpoints can be authenticated in the data VLAN. Each new MAC address that appears on the port is separately authenticated. Multi-auth can be used for bridged virtual environments or to support hubs.

Multi-host mode:

Unlike multi-auth host mode, which authenticates every MAC address, multi-host mode authenticates the first MAC address and then allows an unlimited number of other MAC addresses. Because of the security implications of multi-host, multi-auth is typically a better choice than multi-host.

HTH!

Beginner

Thank you both. What would be a simple config, as I am new to this?

VIP Mentor

The basic config was available at the URL posted before in the other thread (look at the URL at the bottom of the page).

Mainly this: as mentioned by @Mike.Cifelli, it depends on what kind of deployment you have; based on that, the config should go into the interface config.

Here is a good explanation of each one for your reference (as mentioned, go with the basic config and build from there):

http://www.network-node.com/blog/2015/12/30/switch-configuration-for-dot1x

BB
*** Rate All Helpful Responses ***

Thank you. I enjoyed reading the document, and it cleared many questions I had.

I want to follow up on "2.4.6 Inaccessible RADIUS Server". How can I configure the switch to detect if our RADIUS server goes down, so we can take action to put clients on the same VLANs configured on the ports?
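As an added example (not posted by anyone in this thread and not taken from the linked guides), the following IOS-style configuration ties together the multi-domain host mode explained above and the "inaccessible RADIUS server" case asked about here. The server name ISE-1, the address 10.0.0.10, the probe username, the shared-secret placeholder and the VLAN IDs 20/30 are assumed values, not from this thread; the exact keyword forms should be checked against the IOS release in use, since classic `authentication` interface commands and newer IBNS 2.0 policy maps differ.

```text
! --- Global AAA and RADIUS definition (example, assumed values) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
 ! Periodic test request so a dead server is noticed even while no client is authenticating.
 automate-tester username radius-probe probe-on
!
! Mark a server dead after 5 seconds without a response across 3 retries,
! and keep it marked dead for 15 minutes before trying it again.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
dot1x system-auth-control
!
! --- Access port: MAB only, one data device plus one phone (multi-domain) ---
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 authentication host-mode multi-domain
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 ! Critical authentication: when every RADIUS server is marked dead, authorize the
 ! data device into VLAN 20 and the phone into the voice VLAN instead of blocking the port.
 authentication event server dead action authorize vlan 20
 authentication event server dead action authorize voice
 ! When a server comes back, re-authenticate sessions that were critically authorized.
 authentication event server alive action reinitialize
 mab
 spanning-tree portfast
```

The dead-criteria and deadtime lines are what let the switch "detect" an unreachable server; without them the `server dead action` lines never fire because no server is ever declared dead. Keep in mind that while a server is dead, devices on that port are authorized without a RADIUS decision, so a short deadtime and the `alive action reinitialize` line limit how long that window stays open. The current server state can be checked with `show aaa servers`, and per-port session state with `show authentication sessions interface GigabitEthernet1/0/1 details`.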
