Thanks, this is realy what I was looking for!!! Damn, it was hard to find if you don't know the exact name of the feature: "mac bypass authentication"

Hi Ben

Can i just say there are a lot of unknowns and a lot of tweaking required with this technology. For example the MAB feature is a fail back to 802.1x so you need to play around with the timers to get the MAB to kick in straight away. If you dont then the pc will fail to get a ip address. That is one of a long list of possible issues.

Do you know how pcs you are planning on using this with??

Matt

Let me try to de-mystify this for you.

1) This serves as a supplemental authentication technique today in the absence of 802.1X on the client machine. In the future (very soon actually) you will be able to enable MAC-Auth thru RADIUS independent from 802.1X.

2) Today, this is based on an 802.1X timeout (ask for 1X identity, no response, then check the MAC). As checking a MAC is much less secure than 1X, this explains why the switch is allowing next to nothing while it's looking for 1X. It can't even learn the MAC of the client, nor should it.

3) After 1X timeout, machine has to transmit traffic for the switch to learn the MAC (remember it cannot learn it while looking for 1X).

4) After 1X has timed out, and a MAC is learned, the MAC is authenticated thru RADIUS.

5) By default, the 802.1X timeout is 90-sec. You can tweak it down to 2-sec.

There is no silver bullet recommendation here, but the easiest is certainly a quick timeout for 802.1X. Today, it's sort of like hiring a security guard for the lobby in your building. Well, what do you do for people that don't have badges (yet)? There's no right answer, and it depends on how much control you need this security guard to have vs. how it impacts your business.

Hope this help a little,

Hi Jason

Could you tell me abit more about the the mac-auth through radius?? Like when we should expect that?

Also would you say that MAB would work ok for large deployments like 500+ PCs?

Are you wanting to know when it will be available as a standalone authentication method independent from 802.1X?

You can think about MAB as a RADI-ized version of port-security that promotes authentication. The primary thing today is that it accompanies an 802.1X deployment.

Let me know more when you get a chance,

Yes would like to know when its going to be a standalone feature.

Matt

It's actually available today for CatOS on the 6500. For IOS, the first place you'll see it is in on a 6500 in the next major release. I would ask that you contact your local account team for roadmap specifics if that's OK.

No problem jason. Im currently working with a college on deploying mac authentication well its more of a hybrid of both and it would be a lot easier to deploy i think as a standalone feature rather than trying to play around with all the dot1x timers.

Another problem i have is trying to get them to buy into cisco as HP switches support mac authentication as standard.

Understood. Not counting the 1X timeout, this should run without incident today though. Here's a port config that enables 1X, MAB, along with a 3-sec timeout:

interface GigabitEthernet1/0/11

description client-machine

switchport access vlan 2

switchport mode access

dot1x mac-auth-bypass

dot1x pae authenticator

dot1x port-control auto

dot1x timeout tx-period 1

spanning-tree portfast

spanning-tree bpduguard enable

What's gonna happen here is that every time you plug in something not enabled for 1X, the MAB process will kick in 3-sec after the link comes up (i.e after 1X timeout). Once more machines are enabled for 1X, this is flexible to handle it as you may want both techniques enabled anyway.

Hope this helps a little,

Thanks jason for the sample config. Looks pretty much the same as to what i have configured.

One other thing what happens if the switch restarts for what ever reason. How does the switch react to this sort of thing? Does it reauth all ports at once?? Havent been able to test this yet.

matt