MAC Authentication Bypass authentication

Hi all;

I have a question if some one can help me;

I want to implement MAB authentication (based on MAC address) in my network because some of my equipment doesn't support 802.1x;

when the equipment that I plug into the switch is authenticated there is no problem, it can get an IP from the DHCP server, that's OK.


now my question is; when the equipment is not authenticated I want it to pass into another VLAN (as a restricted VLAN) or make some restriction via ACL, is that possible with MAB ??

thanks.

M.Benchabane


Hi

Which AAA server are you using?

With ISE and/or ACS, you can have a default policy putting everyone who has not been authenticated into a specific VLAN with limited access (guest VLAN).

Or, through the switches, on the port configuration, you can use the command authentication event fail, which will put users in a dedicated VLAN with limited access, with an option that says to put them in this VLAN only when their authentication has failed after 3 attempts.

Hope this is what you were looking for.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Hi 

thanks for your reply;

I'm using RadL as AAA server; please, I think that I miss something; should I put the port in a VLAN for normal access (switchport access vlan X) and add the command (authentication event fail action authorize vlan Y) ?

thanks.

You have to set a default VLAN with limited access for all users before they get authenticated. If authentication is OK, RADIUS will push a new VLAN and/or an ACL as well.

If authentication fails, then you can push another VLAN for guest or remediation purposes.

The default VLAN will allow only DNS, DHCP and RADIUS access in order to try to authenticate users.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
thank you so much for your help and time

here is the config on the interface:

Switch#sh run int fa1/0/13
Building configuration...

Current configuration : 284 bytes
!
interface FastEthernet1/0/13
switchport access vlan 2
switchport mode access
authentication event fail action authorize vlan 3
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
end

!

is that correct ?

Yes.

Don't forget these 2 commands in order to choose the order and priority of the authentication types you want on each port:

 authentication order dot1x mab
 authentication priority dot1x mab


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
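As an added example (not code from the thread or from Cisco), the small audit below reads a "show run interface" stanza like the one posted above, reports which of the commands discussed in this thread (mab, port-control auto, the fail-action VLAN, and the order/priority pair from the last reply) are missing, and checks that the fail-action VLAN is not the same as the normal access VLAN. The sample stanza is constructed from the posted config, and the stanza-splitting rules (a stanza runs from "interface" to "end" or "!") are an assumption that holds for this kind of output.

```python
import re

# Constructed sample: the interface stanza posted in the thread, still without
# the two ordering commands recommended in the last reply.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet1/0/13
 switchport access vlan 2
 switchport mode access
 authentication event fail action authorize vlan 3
 authentication port-control auto
 mab
 dot1x pae authenticator
end
"""

# Commands needed for MAB with a fail-action VLAN, plus the two ordering
# commands from the last reply that make dot1x run before MAB.
REQUIRED = ["mab", "authentication port-control auto",
            r"authentication event fail action authorize vlan \d+"]
RECOMMENDED = ["authentication order dot1x mab", "authentication priority dot1x mab"]

def parse_interfaces(config: str) -> dict:
    """Split IOS running-config text into {interface name: [stripped lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            stanzas[current] = []
        elif line in ("end", "!"):
            current = None  # stanza terminator (assumed format)
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def first_vlan(lines: list, pattern: str):
    """Return the VLAN number captured by pattern on the first matching line."""
    for line in lines:
        m = re.fullmatch(pattern, line)
        if m:
            return int(m.group(1))
    return None

def audit_port(lines: list) -> dict:
    """Report missing commands and whether the fail VLAN differs from the access VLAN."""
    missing = lambda cmds: [c for c in cmds if not any(re.fullmatch(c, l) for l in lines)]
    access = first_vlan(lines, r"switchport access vlan (\d+)")
    fail = first_vlan(lines, r"authentication event fail action authorize vlan (\d+)")
    return {"missing_required": missing(REQUIRED),
            "missing_recommended": missing(RECOMMENDED),
            "fail_vlan_separate": None not in (access, fail) and access != fail}
```

Run it as `audit_port(parse_interfaces(SAMPLE_RUNNING_CONFIG)["FastEthernet1/0/13"])`; on the posted stanza it reports nothing required missing, both ordering commands missing, and the fail VLAN (3) correctly separate from the access VLAN (2).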