802.1x / ACS 5.4 mac authentication

Jonn cos
Level 4

Hi guys,

I am doing it in a lab so please guide me to understand this concept.

I have a Cisco 3560 switch. What I want to achieve is:

  1. When any device connects to port 1 of the switch, the switch should be able to communicate with the 802.1x server, tell it the MAC address of the connecting device, and assign the VLAN received from the server.
  2. The device connecting on port 1 is mainly a printer, or any other device that doesn't support 802.1x agents.

Is there any way to do it, or am I going in the wrong direction? Also, I don't think I need MAB here, because I want to do authentication based on MAC.

 

 
6 Replies

Jonn cos
Level 4

In the user guide it's mentioned that:

Cisco provides two features to accommodate non-802.1x devices. For example, MAC Authentication Bypass (Host Lookup) and the Guest VLAN access by using web authentication.

But if I have a switch that doesn't support MAB, then what shall I do in that case?

Yes, MAB is used for devices that do not support 802.1x which is EAPoL (EAP over LAN). If the switch doesn't support MAB then you can configure its ports to automatically authorize devices on a VLAN specified by you. You can accomplish this with the following port command:

authentication event fail action authorize vlan vlan_id

Hope this helps!

 

Thank you for rating helpful posts!

Can't we authenticate devices just using their MAC address and Radius Server?

Yes you can, it is called MAB :) (MAC Authentication Bypass), which is used for devices that are not capable of performing 802.1x.

Hi Neno,

I think I am not clear in my question. I want to do authentication from the Radius server using the MAC address. I don't want to use MAB, and the command that you have given is assigning the VLAN locally; I want to authenticate the device using its MAC address. And since my switch doesn't support MAB, leave it out of the equation :-)

Is such a thing possible?

Hi Jonn, your question is clear, and what I am trying to explain to you is that the authentication method (MAC address authentication against Radius) is MAB. That is the method :) If your NAD does not support MAB then you will have to find another method. In the Cisco world, this is done via Radius attribute 6 (Service-Type), which is set to "Call-Check".

Here the link to Cisco's MAB deployment guide for more technical details:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html

 

Thank you for rating helpful posts! 
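
The check described in the last reply, as an added example that is not part of the thread and not Cisco or ACS code: a RADIUS Access-Request is parsed and treated as MAB only when attribute 6 (Service-Type) is Call-Check (value 10 in RFC 2865). It assumes the switch sends the MAC as User-Name and again as Calling-Station-Id; the function names and sample packets are constructed for illustration.

```python
import struct

# Attribute numbers and values from RFC 2865
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID = 1, 6, 31
ACCESS_REQUEST, FRAMED, CALL_CHECK = 1, 2, 10

def parse_attributes(packet):
    """Return {attribute type: [raw values]} for a RADIUS Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def normalise_mac(raw):
    """Strip '-', ':' and '.' separators; return 12 lowercase hex digits or None."""
    digits = "".join(c for c in raw.decode("ascii", "replace").lower() if c not in "-:.")
    ok = len(digits) == 12 and all(c in "0123456789abcdef" for c in digits)
    return digits if ok else None

def mab_mac(packet):
    """Return the endpoint MAC if the request is MAB (Call-Check), else None."""
    attrs = parse_attributes(packet)
    service = attrs.get(SERVICE_TYPE, [b""])[0]
    if len(service) != 4 or struct.unpack("!I", service)[0] != CALL_CHECK:
        return None  # e.g. Framed: an 802.1x (EAP) request, not MAB
    user = normalise_mac(attrs.get(USER_NAME, [b""])[0])
    caller = normalise_mac(attrs.get(CALLING_STATION_ID, [b""])[0])
    # Assumption: both attributes carry the same MAC; a mismatch is not trusted as MAB.
    return user if user is not None and user == caller else None

def build_request(pairs):
    """Build a sample Access-Request (zeroed authenticator) for offline testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: a printer authenticated by MAB and an 802.1x supplicant
MAB_SAMPLE = build_request([(USER_NAME, b"0010a4c1d2e3"),
    (SERVICE_TYPE, struct.pack("!I", CALL_CHECK)), (CALLING_STATION_ID, b"00-10-A4-C1-D2-E3")])
DOT1X_SAMPLE = build_request([(USER_NAME, b"alice"),
    (SERVICE_TYPE, struct.pack("!I", FRAMED)), (CALLING_STATION_ID, b"00-10-A4-C1-D2-E3")])
```

The MAC returned by `mab_mac` is the key a RADIUS policy would use to look up the VLAN for the port.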
