Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1064
Views
1
Helpful
7
Replies

MAC authentication bypass missing

allthisforwhat
Level 1
Level 1

‎03-13-2023 05:34 AM

A customer of mine has bought some CBS250 switches because they want to migrate away from Aruba. Their old switches are setup for 802.1x with fallback to MAB. The option to use MAB seems to be missing on CBS250. It was available on the SG250 according to the documentation, so that seems like a bit of a regression. Am I missing something or has the feature indeed been dropped?

Labels:
0 Helpful
7 Replies 7

balaji.bandi
Hall of Fame
Hall of Fame

‎03-13-2023 06:00 AM

as per the admin guide it supported : (page 300)  - may check the latest firmware update and check (if not upgraded already)

https://www.cisco.com/c/en/us/td/docs/switches/lan/csbms/CBS_250_350/Administration-Guide/cbs-250-ag.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

allthisforwhat
Level 1
Level 1

‎03-13-2023 06:37 AM

Thanks for the quick response. That was my reading as well, but when comparing the commands available on the 250 (running newest firmware) vs 350 (not even on the newest version) reveals that something is missing. 

The top picture is from a 350 and in the interface context it gives the option for the "dot1x authentication" command and the ability to chose between the different methods.

The lower image is from a 250 where the "dot1x" command is present but the "authentication" part is missing. Certificate-based authentication is indeed running and works, but MAB doesn't.

Capture350.JPGCapture250.JPG

0 Helpful

Martin Aleksandrov
Cisco Employee
Cisco Employee

‎03-14-2023 02:07 PM

Hi,

MAB or MAC authentication bypass is not a supported feature on CBS switches.

 

0 Helpful

allthisforwhat
Level 1
Level 1
In response to Martin Aleksandrov

‎03-14-2023 03:16 PM

I beg to differ. As shown in the screenshot it is running on the CBS 350 model, and according the the documentation linked by balaji.bandi, it is mentioned as a supported feature on CBS 250 as well. Missing features is a problem, because I (a Cisco partner) look like an idiot when I recommend Cisco gear to a client, while I could not have imagined that features from the SG series had been removed. 

0 Helpful

Martin Aleksandrov
Cisco Employee
Cisco Employee
In response to allthisforwhat

‎03-14-2023 09:52 PM

Hi, 

Where it is mentioned as a supported feature in CBS250? Where in page 300 from the ag https://www.cisco.com/c/en/us/td/docs/switches/lan/csbms/CBS_250_350/Administration-Guide/cbs-250-ag.pdf it is mentioned for a MAC Authentication Bypass? 

The screenshot is showing just the MAC-based authentication which has nothing to do with the MAB. MAB is supported by Cisco IOS https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html#GUID-85A51579-965E-45BD-8250-C527DD3DB83C

 

0 Helpful

allthisforwhat
Level 1
Level 1
In response to Martin Aleksandrov

‎03-14-2023 11:33 PM

We are getting a bit into semantics here. I'm aware that MAB is the term used in Cisco classic equipment, but I used it as a shorthand for MAC authentication done via RADIUS which is what we need. 

So to put it another way: How does one configure the MAC authentication feature mentioned on page 300 in the CBS250 configuration guide?

0 Helpful

allthisforwhat
Level 1
Level 1

‎03-17-2023 05:52 AM

Any ideas on how to configure the feature?

0 Helpful
Customers Also Viewed These Support Documents