I have a question, if someone can help me.
I want to implement MAB authentication (based on MAC address) in my network because some of my equipment doesn't support 802.1x.
When the equipment that I plug into the switch is authenticated there is no problem: it can get an IP address from the DHCP server, that's OK.
Now my question is: when the equipment is not authenticated I want it to be placed in another VLAN (a restricted VLAN) or to apply some restriction via ACL. Is that possible with MAB?
Which AAA server are you using?
With ISE and/or ACS, you can have a default policy putting everyone who has not been authenticated to a specific vlan with limited access (guest vlan).
Or on the switches, in the port configuration, you can use the command authentication event fail, which will put users in a dedicated VLAN with limited access, with an option that tells the switch to put them in this VLAN only when their authentication has failed after 3 attempts.
Hope this is what you were looking for.
Thanks for your reply.
I'm using RadL as AAA server. I think I'm missing something: should I put the port in a VLAN for normal access (switchport access vlan X) and add the command (authentication event fail action authorize vlan Y)?
You have to set a default VLAN with limited access for all users before they get authenticated. If authentication is OK, RADIUS will push a new VLAN and/or an ACL as well.
If authentication failed, then you can push another vlan for guest or remediation purpose.
The default VLAN will allow only DNS, DHCP and RADIUS access, in order to try to authenticate users.
Thank you so much for your help and time.
Here is the config on the interface:
Switch#sh run int fa1/0/13
Current configuration : 284 bytes
switchport access vlan 2
switchport mode access
authentication event fail action authorize vlan 3
authentication port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 3
Is that correct?
Don't forget these 2 commands, in order to choose the order and priority of the authentication types you want on each port:
authentication order dot1x mab
authentication priority dot1x mab
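Putting the advice in this thread together, the following is an added example (not configuration posted by any participant) of a complete IOS port configuration for MAB with a restricted VLAN on failure: a pre-authentication port ACL that only allows DHCP and DNS, MAB plus 802.1X on the port with the order and priority commands above, and the failure/no-response VLAN. The VLAN numbers, the interface, the ACL name, the RADIUS server address and its key are assumptions; the RADIUS attributes mentioned in the comments are the standard RFC 3580 VLAN attributes and Filter-Id.

```cisco
! ---- Global AAA (assumed server address and placeholder key) ----
aaa new-model
aaa authentication dot1x default group radius
! "authorization network" is what lets RADIUS push a VLAN or an ACL on Access-Accept
aaa authorization network default group radius
radius-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET
dot1x system-auth-control

! ---- Pre-authentication port ACL: only what an unauthenticated host needs ----
! RADIUS itself is sourced by the switch, not the host, so it does not need a permit here.
ip access-list extended PRE-AUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 deny   ip any any log

! ---- Access port: VLAN 2 = default/limited, VLAN 3 = restricted on failure ----
interface FastEthernet1/0/13
 switchport mode access
 switchport access vlan 2
 ip access-group PRE-AUTH in
 ! enable both methods; try 802.1X first, fall back to MAB for devices that cannot do 802.1X
 dot1x pae authenticator
 mab
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! short EAP timers so non-802.1X devices fall through to MAB quickly
 dot1x timeout tx-period 3
 dot1x max-reauth-req 2
 ! MAC not found / auth rejected -> restricted VLAN 3 (after the default 3 failed attempts)
 authentication event fail action authorize vlan 3
 ! no EAPOL and no MAB match at all -> restricted VLAN 3 as well
 authentication event no-response action authorize vlan 3
 spanning-tree portfast

! On a successful MAB or 802.1X, the RADIUS Access-Accept can move the host out of VLAN 2 with:
!   Tunnel-Type = VLAN (13)
!   Tunnel-Medium-Type = IEEE-802 (6)
!   Tunnel-Private-Group-ID = <production VLAN id or name>
! and replace PRE-AUTH with a named ACL on the switch via:
!   Filter-Id = <acl-name>.in
```

Verify the result per port with `show authentication sessions interface FastEthernet1/0/13` (the method, status and assigned VLAN are listed), and with `show access-lists PRE-AUTH` to confirm the deny line is logging hits only from hosts that have not yet authenticated. Without the `aaa authorization network` line the switch accepts the authentication but ignores the VLAN and ACL attributes, which is the most common reason a "working" MAB setup never leaves the default VLAN.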