Solved: Mac Authentication Bypass (Credential Failure)

D-Tech · ‎07-09-2025

I am attempting to test and eventually implement 802.1x & MAB on my LAN. Currently in the testing phase so I am trying to run MAB by itself. My setup/test procedure is as follows:

End host on Vlan 110, attempting to be authenticated via MAB. Attempting to ping default gateway (Cisco 8000v virtual router) running on an ESXi server. Also on the ESXi server is the FreeRadius Server (on vlan 100 and 110) which is properly set up for authentication with the end host and the switch, router, and all other devices.

I have tried a plethora of different configs:

- I continuously reach the state of Credential failure (CF) after about 20 seconds

- When I run "test aaa group radius <mac address> <mac address> new-code/legacy" The user is authenticated successfully.

- But when I attempt to authenticate "real-time" via a ping from the end host to the router, it always fails.

- I have used "authentication open" and authentication fail event policies to allow pings to reach from end host to router, but that defeats the purpose of the test.

Would love to be pointed in the right direction!

My relevant configs are as follows on the switch: (Cisco 9300, IOS 17.6.6)
Global:
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius local
dot1x system auth-control
aaa authorization console
aaa authorization exec default group radius local
aaa authorization network default group radius local

Interfaces:
interface GigabitEthernet0/0
description Management Interface
vrf forwarding Mgmt-vrf
ip address 192.168.1.4 255.255.255.192
ip access-group INBAND-MGMT in
ip access-group EGRESS out
no shutdown

interface GigabitEthernet1/0/28
description End_Host Eth1
switchport mode access
switchport access vlan 110
authentication port-control auto
mab
authentication periodic
authentication timer reauthenticate 30
spanning-tree portfast
spanning-tree guard root
no shutdown

D-Tech · ‎07-11-2025

It appears the problem had something to do with the way Gi0/0 (Mgmt vrf) was forwarding traffic, upon creating a new “interface vlan 100” ip address 192.168.1.4 255.255.255.192, mab was successful.

View solution in original post

MHM Cisco World · ‎07-09-2025

Debug mab all

If you dont see any debug then virtual lab not support MAB.

Sorry

MHM

wajidhassan · ‎07-09-2025

If you’re getting “Credential Failure” after about 20 seconds but your test aaa group radius works fine, then the issue is most likely with how the switch formats and sends the MAC address during real-time authentication. FreeRADIUS might be expecting the MAC in a specific format, and if it doesn’t match, it will fail. Run debug mab all — if you don’t see anything, it could mean your virtual lab doesn’t support MAB properly, especially common in virtual setups.

Assuming debug output does show, check what MAC format the switch is sending in the RADIUS request using debug radius. Then on your FreeRADIUS server, run it in debug mode with radiusd -X and see what username is coming through and why it’s failing. If it’s a mismatch, adjust the MAC entry format in FreeRADIUS accordingly.

To confirm MAB is even working end to end, you can add DEFAULT Auth-Type := Accept in the users file on FreeRADIUS just to bypass MAC checking temporarily. Also, keep in mind that even if authentication succeeds, the switch might still block access unless the RADIUS server sends back proper VLAN attributes.

Try this and check the debugs again

D-Tech · ‎07-11-2025

It appears the problem had something to do with the way Gi0/0 (Mgmt vrf) was forwarding traffic, upon creating a new “interface vlan 100” ip address 192.168.1.4 255.255.255.192, mab was successful.