MAC authentication bypass

sherif safwat
Level 1

We have dot1x and MAB features implemented in a Juniper infrastructure, where we can bypass non-dot1x devices using a local database in the switches themselves.

Now we will migrate to Cisco and need to deploy the same MAB scenario locally on the switches, without the need for RADIUS for MAB authentication.

How can this be done?

Note: the Juniper command is as below

set protocols dot1x authenticator static xx:xx:xx:xx:xx:xx

where xx:xx:xx:xx:xx:xx is the MAC required to bypass.

5 Replies

Kanwaljeet Singh
Cisco Employee

Hi Sherif,

You will need a RADIUS server with the MAC address list created on it for MAB to work, either as a fallback method or as standalone MAB.

More details can be found at:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi FNU,

Actually we use Microsoft NAP for authentication with Active Directory, and it's not logical to create more than 500 accounts in Active Directory with our devices' MAC addresses as the username and password to be authenticated!!

Juniper is smart on this, as we can easily match the OUI part of the MAC addresses locally on the switch and keep NAP only for dot1x authentication.

I hope there will be a similar method for that on Cisco.

Hi Sherif,

I don't see such an option available. You would need a RADIUS server, or LDAP or AD integrated with the switch/router, for MAB to work. I don't see an option to define a local MAC address list on the switch/router itself.

Maybe someone has ideas for an easy way to import/create the MAC address DB on AD.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi Fnu,

Can we apply this scenario using Microsoft NAP and AD but without creating this bulk of accounts (MAC address as username and password)??

It's really strange that something like that is not available on Cisco, as a leader in the switching market!!!

It's done; there is no way to do it from the Cisco switch itself.

It can be done from Microsoft NAP by accepting these accounts without authentication and providing the VLAN directly.
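Added example, not part of the thread and not a Cisco or Microsoft tool: since the thread concludes that the MAC list has to live on the RADIUS/NAP side rather than on the switch, this script prepares such a list. It normalises a constructed inventory of MAC addresses (mixed separators and case, one malformed entry, one duplicate) into the username form a Cisco switch sends for MAB by default (12 lowercase hex digits, no separators), and keeps only addresses whose OUI is on an allow-list, which reproduces the OUI-level match the earlier reply describes doing locally on Juniper. The CSV layout, the allow-list and the VLAN number are assumptions chosen for the example.

```python
import re

# Separators accepted on input; the MAB username form uses none of them.
_SEPARATORS = re.compile(r"[:\-. ]")
_MAC12 = re.compile(r"[0-9a-f]{12}")
_OUI6 = re.compile(r"[0-9a-f]{6}")

# Constructed sample inventory (not real devices): mixed notations,
# one duplicate in a different notation, one OUI outside the allow-list,
# one malformed entry.
SAMPLE_MACS = [
    "00:1A:2B:3C:4D:5E",
    "001a.2b3c.4d5f",
    "00-1A-2B-3C-4D-5E",   # same device as the first line
    "AA:BB:CC:00:11:22",   # vendor not on the allow-list
    "00:1A:2B:ZZ:00:01",   # not a MAC address
]

# Constructed allow-list of vendor OUIs (first three octets), any notation.
ALLOWED_OUIS = ["00:1A:2B", "00-1a-2c"]


def normalize_mac(raw: str) -> str:
    """Return the MAC as 12 lowercase hex digits, the IOS default MAB username."""
    s = _SEPARATORS.sub("", raw.strip().lower())
    if not _MAC12.fullmatch(s):
        raise ValueError(f"not a MAC address: {raw!r}")
    return s


def normalize_oui(raw: str) -> str:
    """Return an OUI (first three octets) as 6 lowercase hex digits."""
    s = _SEPARATORS.sub("", raw.strip().lower())
    if not _OUI6.fullmatch(s):
        raise ValueError(f"not an OUI: {raw!r}")
    return s


def build_mab_users(raws, allowed_ouis, vlan_id):
    """Return (accepted, rejected).

    accepted: list of {"username", "password", "vlan"} dicts, username and
    password both set to the normalised MAC as the thread describes.
    rejected: list of (raw_entry, reason) for malformed, duplicate or
    non-allow-listed entries, so nothing is silently dropped.
    """
    allowed = {normalize_oui(o) for o in allowed_ouis}
    seen = set()
    accepted, rejected = [], []
    for raw in raws:
        try:
            mac = normalize_mac(raw)
        except ValueError:
            rejected.append((raw, "malformed"))
            continue
        if mac in seen:
            rejected.append((raw, "duplicate"))
            continue
        seen.add(mac)
        if mac[:6] not in allowed:
            rejected.append((raw, "oui not allowed"))
            continue
        accepted.append({"username": mac, "password": mac, "vlan": vlan_id})
    return accepted, rejected


def to_csv(accepted) -> str:
    """Render the accepted list as a simple CSV for import into the RADIUS side."""
    lines = ["username,password,vlan"]
    for u in accepted:
        lines.append(f"{u['username']},{u['password']},{u['vlan']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ok, bad = build_mab_users(SAMPLE_MACS, ALLOWED_OUIS, vlan_id=10)
    print(to_csv(ok))
    for raw, reason in bad:
        print(f"rejected {raw!r}: {reason}")
```

Two design points worth keeping in mind when using something like this: the username must match byte for byte what the switch sends, so normalising to the switch's format is the part that matters most; and a MAB entry identifies a device by a value anyone can copy onto another NIC, so the VLAN or ACL handed out for MAB clients should be no broader than those devices actually need.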