06-06-2016 08:35 AM - edited 03-10-2019 11:50 PM
Hi all;
I have a question, if someone can help me:
I want to implement MAB authentication (based on MAC address) in my network because some of my equipment doesn't support 802.1X.
When the equipment that I plug into the switch is authenticated there is no problem; it can get an IP address from the DHCP server, that's OK.
Now my question is: when the equipment is not authenticated I want it to be placed in another VLAN (as a restricted VLAN) or to apply some restriction via ACL. Is that possible with MAB?
Thanks.
M.Benchabane
06-06-2016 10:09 AM
Hi
Which AAA server are you using?
With ISE and/or ACS, you can have a default policy putting everyone who has not been authenticated into a specific VLAN with limited access (guest VLAN).
Or on the switches, in the port configuration, you can use the command authentication event fail, which will put users in a dedicated VLAN with limited access, with an option telling it to put them in this VLAN only when their authentication has failed after 3 attempts.
Hope this is what you were looking for.
Thanks
06-07-2016 02:30 AM
Hi
Thanks for your reply;
I'm using RadL as AAA server; I think that I am missing something: should I put the port in a VLAN for normal access (switchport access vlan X) and add the command (authentication event fail action authorize vlan Y)?
Thanks.
06-07-2016 04:26 AM
You have to set a default VLAN with limited access for all users before they get authenticated. If authentication is OK, RADIUS will push a new VLAN and/or an ACL as well.
If authentication fails, then you can push another VLAN for guest or remediation purposes.
The default VLAN will allow only DNS, DHCP and RADIUS access in order to try to authenticate users.
06-07-2016 04:37 AM
Thank you so much for your help and time.
Here is the config on the interface:
Switch#sh run int fa1/0/13
Building configuration...
Current configuration : 284 bytes
!
interface FastEthernet1/0/13
switchport access vlan 2
switchport mode access
authentication event fail action authorize vlan 3
authentication port-control auto
authentication periodic
mab
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
end
!
Is that correct?
06-07-2016 05:47 AM
Yes.
Don't forget these 2 commands to choose the order and priority of the authentication types you want on each port:
authentication order dot1x mab
authentication priority dot1x mab
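The setup the replies describe, assembled into one switch configuration as an added example (it is not taken from this thread): VLAN 2 is the restricted default VLAN, VLAN 3 is the fail/remediation VLAN, and the RADIUS server address, the shared-secret placeholder, the pre-auth ACL name and the dot1x timers are assumed values.

```cisco
! Added example, not from the thread. Assumed: VLAN 2 = restricted default
! VLAN, VLAN 3 = fail VLAN, RADIUS server 192.0.2.10, placeholder key.
!
! Global AAA/RADIUS (needed once; the thread only shows the port)
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER_SHARED_SECRET
dot1x system-auth-control
!
! Pre-auth ACL applied to the port: an unauthenticated host in VLAN 2
! may only do DHCP and DNS (the switch talks to RADIUS itself, EAPoL
! is not subject to the ACL). RADIUS can replace this ACL on success.
ip access-list extended PRE-AUTH
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip any any
!
interface FastEthernet1/0/13
 switchport mode access
 switchport access vlan 2
 ip access-group PRE-AUTH in
 ! try 802.1X first, fall back to MAB for devices without a supplicant
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! Access-Reject from RADIUS -> move the host to VLAN 3
 authentication event fail action authorize vlan 3
 authentication periodic
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 dot1x timeout quiet-period 15
 ! number of EAP retries before the port gives up on 802.1X and runs MAB
 dot1x max-reauth-req 2
!
! On Access-Accept the server assigns the real VLAN with the IETF
! attributes Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and
! Tunnel-Private-Group-ID=<vlan>, overriding "switchport access vlan 2".
```

Verify the result per host with show authentication sessions interface fa1/0/13, which shows the method (dot1x or mab), the status and the VLAN actually applied.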