05-25-2015 10:56 AM - edited 03-10-2019 10:45 PM
We have dot1x and MAB features implemented in a Juniper infrastructure, where we can bypass non-dot1x devices using the local database in the switches themselves.
Now we will migrate to Cisco and need to deploy the same MAB scenario locally on the switches, without needing RADIUS for MAB authentication.
How can this be done?
Note: the Juniper command is as below
set protocol dot1x authenticator static xx:xx:xx:xx:xx:xx
where xx:xx:xx:xx:xx:xx is the MAC required to bypass.
05-25-2015 12:58 PM
Hi Sherif,
You will need a RADIUS server with the MAC address list created on it for MAB to work, either as a fallback method or as standalone MAB.
More details can be found at:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html
Regards,
Kanwal
Note: Please mark answers if they are helpful.
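As an added illustration of the answer above (example configuration, not posted by Kanwal or taken from the linked guides), this is what an IOS access port looks like when 802.1X is tried first and MAB is used as the fallback, with the MAC list living on the RADIUS server. Host names, the server address, the shared secret, VLAN numbers and the interface are placeholders; the `radius server` block syntax assumes IOS 15.2 or later (older releases use `radius-server host`).

```cisco
! Added example, not from the thread: 802.1X with MAB fallback on a Cisco IOS access switch.
! Placeholders: server name NPS1, address 192.0.2.10, key ChangeMe, VLAN 10, Gi1/0/1.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius server NPS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ChangeMe
!
! Globally enable the authenticator.
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Try 802.1X first, then MAB; 802.1X still wins if a supplicant shows up later.
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! A rejected 802.1X attempt moves on to the next method (MAB) instead of failing closed.
 authentication event fail action next-method
 ! If the RADIUS server is unreachable, keep the port usable on the access VLAN
 ! and re-run authentication when the server comes back.
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 ! A device with no supplicant never answers EAP; shorten the wait before MAB kicks in:
 ! roughly tx-period * (max-reauth-req + 1) seconds.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
!
! Verification (exec mode):
! show authentication sessions interface GigabitEthernet1/0/1
! show mab interface GigabitEthernet1/0/1 detail
```

Two practical caveats for the RADIUS side: the switch sends a MAB request with the MAC address as both username and password (by default twelve lowercase hex digits with no separators, e.g. `0011223344aa`, which is what the account or policy on the server has to match), and the MAC list itself still has to exist on the server or in whatever policy the server evaluates; nothing in the switch configuration above can stand in for it.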
05-25-2015 01:18 PM
Hi FNU,
Actually we use Microsoft NAP for authentication with Active Directory, and it's not logical to create more than 500 accounts in Active Directory with our devices' MAC addresses as username and password to be authenticated!!
Juniper is smart about this, as we can easily match on the OUI part of the MAC addresses locally on the switch, keeping NAP only for dot1x authentication.
I hope there is a similar method for that on Cisco.
05-25-2015 01:36 PM
Hi Sherif,
I don't see such an option available. You would need a RADIUS server, or LDAP or AD integrated with the switch/router, for MAB to work. I don't see an option to define a local MAC-address list on the switch/router itself.
Maybe someone has ideas for an easy way to import/create the MAC-address DB in AD.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
05-26-2015 12:08 AM
Hi Fnu,
Can we apply this situation using Microsoft NAP and AD, but without creating this bulk of accounts (MAC address as username and password)??
It's really strange that something like that is not available on Cisco, as a leader in the switching market!!!
05-27-2015 08:05 AM
It's done; there is no way to do it from the Cisco switch itself.
It can be done from Microsoft NAP, by accepting these accounts without authentication and providing the VLAN directly.