Solved: PxGrid - Learn MAB Authentication Username

kylerossd · ‎09-30-2022

I have a deployment where I want to learn the MAB username on a Firepower Management Center. I have the FMC connected to AD to pull the users and group, and PxGrid integration completed. I see the passive (AD) and active RADIUS authentications for the VPN. However, I do not see the username (MAC Address) of MAB authentications. That would also be a RADIUS authentication. In this particular case it is the auth method is EAP-PSK. Not sure why we wouldn't see this authentication.

Is there a particular permission I need to add/modify for PxGrid to see these MAC Address usernames?

thomas · ‎10-01-2022

By definition, a MAB (MAC Authentication Bypass) username is the MAC address. The MAC address is used for the password with MAB, too.

To see a username to MAC or IP mapping with pxGrid, you need to have an actual username+password authentication and for that you must use a different EAP protocol (PEAP typically with AD).

I am not aware of EAP-PSK support for ISE so I don't know how it would work at all.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/compatibility_doc/b_ise_sdt_32.html

View solution in original post

thomas · ‎10-01-2022

By definition, a MAB (MAC Authentication Bypass) username is the MAC address. The MAC address is used for the password with MAB, too.

To see a username to MAC or IP mapping with pxGrid, you need to have an actual username+password authentication and for that you must use a different EAP protocol (PEAP typically with AD).

I am not aware of EAP-PSK support for ISE so I don't know how it would work at all.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/compatibility_doc/b_ise_sdt_32.html