01-23-2022 12:15 PM
Hello
I activated the MAB RADIUS authentication against a FreeRADIUS server on my SG350X.
When I connect a device, the VLAN assignment works.
If I connect a switch, then 1 known device is authenticated.
If I now connect an unknown device to this switch, it is authenticated in the same VLAN as the known device.
What am I doing wrong?
Can the SG350X not do this at all?
What kind of switch would I need for this, and what is the function called at Cisco?
With best regards
Sven
01-23-2022 12:43 PM
If I now connect an unknown device to this switch, it is authenticated in the same vlan as the known device.
What is the user authentication method? MAB?
What does your configuration look like on the port the unmanaged switch is connected to?
01-23-2022 01:37 PM
Hello Balaji.bandi
The user method authentication is MAB.
This is the MAC
F8:75:a4:f9:25:f5 is the unknown device on the same unmanaged switch.
This is my test config at the moment on the switch; I tried trunk and tagged VLAN, but it is the same.
Best regards
Sven
01-24-2022 10:22 AM
How is your profile in ISE for MAB authentication? Is this OUI based?
MAB is not the best security authentication; MAB is only used where an 802.1x supplicant cannot be installed.
01-24-2022 11:26 AM
Hello Balaji Bandi,
With ISE Profile I think you mean the OUI based in Voice VLAN, or?
I know that MAB is not the most secure solution, but I think I should start at the beginning to understand everything, and then I can work with certificates to secure it.
I have a few changing physical machines that need authentication like this or MAB.
best regards.
sven
01-25-2022 02:16 AM
With ISE Profile I think you mean the OUI based in Voice VLAN, or?
It all depends on the requirement:
Only your SG350X has this support, so based on the port config, or is it configured as trunk - the dumb switch does not have control.
So you chose MAB authentication; if the MAC address is not in the ISE, as far as I know this should reject that node and not authenticate it.
But given the model of the switch is small business (not, or maybe) like enterprise switch features.
01-29-2022 10:04 AM
If I understood correctly, you are trying to connect an unmanaged switch to the SG350, and then connect a device to the unmanaged switch. If I got that right then I think what happens here would be that when you connect the unmanaged switch to the SG350 that would trigger the MAB process to be completed as the SG350 switch port will receive the generated frames from the unmanaged switch. However, when you connect a device to the unmanaged switch, the SG350 wouldn't be aware that there is a new device that has been connected to the unmanaged switch so no new MAB process will be triggered. As a result, this newly connected device to the unmanaged switch will get the same switch port settings that have been already applied to the unmanaged switch.
01-29-2022 12:30 PM
Hello All,
I found the solution.
I must change from Multiple Host (802.1x) to MultiSession. Then it will work.
Thank you all for the help.
-best regards
sven
01-29-2022 01:32 PM
Glad you found the solution, and tbh this is interesting as reading and thinking about that option I would think it would apply more on dot1x sessions rather than MAB.
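The difference between the two host modes discussed in this thread, as an added Python model that is not part of any post and is not Cisco or FreeRADIUS code: it shows why an unknown MAC behind an unmanaged switch inherits the known device's VLAN in multi-host mode and is rejected in multi-sessions mode. The known MAC, the VLAN number and all class and function names are constructed for illustration; only the unknown MAC comes from the thread.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for the RADIUS user database: MAC -> VLAN to assign.
RADIUS_DB: Dict[str, int] = {"02:00:00:00:00:01": 20}   # known device (constructed)
KNOWN = "02:00:00:00:00:01"
UNKNOWN = "F8:75:A4:F9:25:F5"    # the unknown device from the thread


def radius_mab(mac: str) -> Optional[int]:
    """Access-Accept with a VLAN for a known MAC, None for Access-Reject."""
    return RADIUS_DB.get(mac.lower())


@dataclass
class Port:
    """Hypothetical model of one access port with MAB enabled."""
    host_mode: str                                   # "multi-host" or "multi-sessions"
    port_vlan: Optional[int] = None                  # multi-host: one state for the port
    sessions: Dict[str, int] = field(default_factory=dict)  # multi-sessions: per MAC

    def admit(self, mac: str) -> Optional[int]:
        """Return the VLAN a frame from `mac` is forwarded in, or None if dropped."""
        mac = mac.lower()
        if self.host_mode == "multi-host":
            # The first successful authentication authorizes the whole port;
            # later source MACs are never sent to RADIUS.
            if self.port_vlan is None:
                self.port_vlan = radius_mab(mac)
            return self.port_vlan
        if self.host_mode == "multi-sessions":
            # Every new source MAC gets its own MAB request and its own session.
            if mac not in self.sessions:
                vlan = radius_mab(mac)
                if vlan is None:
                    return None
                self.sessions[mac] = vlan
            return self.sessions[mac]
        raise ValueError(f"unsupported host mode: {self.host_mode}")


def behind_unmanaged_switch(host_mode: str) -> Dict[str, Optional[int]]:
    """Known device talks first, then the unknown one, both through one port."""
    port = Port(host_mode)
    return {"known": port.admit(KNOWN), "unknown": port.admit(UNKNOWN)}


if __name__ == "__main__":
    for mode in ("multi-host", "multi-sessions"):
        print(mode, behind_unmanaged_switch(mode))
```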