MAC Authentication bypass on ACS 5.1

sidcracker
Level 1

Hello,

I am very new to the 802.1x world. The customer wants to configure MAC Authentication Bypass. Now for configuring MAB, I am aware that they should already have 802.1x in their network.

I have read a couple of documents pertaining to the switch side to configure MAB. I am not so sure about the ACS side.

Can someone outline the prerequisites to configure MAB on the ACS as well as the switch?

Thanks

Shyam

4 Replies

Nicolas Darchis
Cisco Employee

On recent IOS, MAB is a different thing than dot1x. You can have ports simply doing MAB with no dot1x involved.

On the ACS, there is no "prerequisite".

You can differentiate MAB authentication from other authentication in ACS because MAB has the "service-type" RADIUS attribute equal to "10". This identifies it as MAB.

Nicolas

Hello Nicolas,

For the switch config, is it something like this?

aaa new-model
aaa authentication login default none
aaa authentication dot1x default group radius
aaa authorization network default group radius

interface FastEthernet0/18
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout reauth-period 7200
 dot1x reauthentication
end

What should I be doing on the ACS 5.1 part?

Do we just need to configure an access service called MAB and define the identity groups for them? From where do I define all the MAC addresses on the ACS?

I don't have the ACS to play around with right now, so I am trying to imagine how this is all going to work when I visit the client. I would really appreciate it if someone could take a little time to give a step-by-step procedure of the config in ACS with RADIUS.

Currently I am just looking for MAB only on certain switch ports connected to desktops. 802.1x is not enabled on the network.

Thanks

Shyam

Hello,

Can anyone answer this please?? I am desperate for a solution to configure MAB, as I am not sure what to configure on the ACS for the RADIUS attributes and also the service policies.

Thanks

Shyam

Hello Shyam,

When using MAB, the switch will send RADIUS authentication using the MAC address as both username and password to the ACS. On the ACS side, you can just create users with the MAC address as username and password, in lowercase, like this: aabbccddeeff

If you want a special profile for users using MAB as the authentication method, you can define an authorization profile and, as Nicolas suggested, match the service-type attribute in the service selection rule.
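
As an added illustration of the two replies above (not part of the original thread and not Cisco code): a small Python helper that converts a device inventory in mixed MAC notations into the lowercase username/password pairs described, and classifies a decoded Access-Request as MAB by Service-Type 10. The function names, the attribute dictionary layout and the sample data are assumptions made for this example.

```python
import re

SERVICE_TYPE_CALL_CHECK = 10  # Service-Type value the thread says identifies MAB

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits (aabbccddeeff) or raise ValueError."""
    compact = re.sub(r"[.:\-\s]", "", raw).lower()
    if not _HEX12.fullmatch(compact):
        raise ValueError(f"not a MAC address: {raw!r}")
    return compact


def build_mab_users(inventory):
    """Map an inventory of MACs to (username, password) pairs.

    Returns (users, rejected): duplicates collapse to one entry and
    entries that are not MAC addresses are reported, not silently dropped.
    """
    users, rejected, seen = [], [], set()
    for raw in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if mac not in seen:
            seen.add(mac)
            users.append((mac, mac))  # the MAC is both username and password
    return users, rejected


def is_mab_request(attrs):
    """True if a decoded Access-Request (hypothetical dict layout) looks like MAB."""
    if attrs.get("Service-Type") != SERVICE_TYPE_CALL_CHECK:
        return False
    try:
        normalize_mac(attrs.get("User-Name", ""))
    except ValueError:
        return False
    return True


# Constructed sample data, not taken from any real network.
INVENTORY = ["AA:BB:CC:DD:EE:FF", "aabb.ccdd.eeff", "00-1A-2B-3C-4D-5E", "printer-3"]
MAB_REQ = {"User-Name": "aabbccddeeff", "Service-Type": 10}
DOT1X_REQ = {"User-Name": "shyam", "Service-Type": 2}
```
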