MAC authentication bypass missing

allthisforwhat · ‎03-13-2023

A customer of mine has bought some CBS250 switches because they want to migrate away from Aruba. Their old switches are setup for 802.1x with fallback to MAB. The option to use MAB seems to be missing on CBS250. It was available on the SG250 according to the documentation, so that seems like a bit of a regression. Am I missing something or has the feature indeed been dropped?

balaji.bandi · ‎03-13-2023

as per the admin guide it supported : (page 300) - may check the latest firmware update and check (if not upgraded already)

https://www.cisco.com/c/en/us/td/docs/switches/lan/csbms/CBS_250_350/Administration-Guide/cbs-250-ag.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

allthisforwhat · ‎03-13-2023

Thanks for the quick response. That was my reading as well, but when comparing the commands available on the 250 (running newest firmware) vs 350 (not even on the newest version) reveals that something is missing.

The top picture is from a 350 and in the interface context it gives the option for the "dot1x authentication" command and the ability to chose between the different methods.

The lower image is from a 250 where the "dot1x" command is present but the "authentication" part is missing. Certificate-based authentication is indeed running and works, but MAB doesn't.

Martin Aleksandrov · ‎03-14-2023

Hi,

MAB or MAC authentication bypass is not a supported feature on CBS switches.

allthisforwhat · ‎03-14-2023

I beg to differ. As shown in the screenshot it is running on the CBS 350 model, and according the the documentation linked by balaji.bandi, it is mentioned as a supported feature on CBS 250 as well. Missing features is a problem, because I (a Cisco partner) look like an idiot when I recommend Cisco gear to a client, while I could not have imagined that features from the SG series had been removed.

Martin Aleksandrov · ‎03-14-2023

Hi,

Where it is mentioned as a supported feature in CBS250? Where in page 300 from the ag https://www.cisco.com/c/en/us/td/docs/switches/lan/csbms/CBS_250_350/Administration-Guide/cbs-250-ag.pdf it is mentioned for a MAC Authentication Bypass?

The screenshot is showing just the MAC-based authentication which has nothing to do with the MAB. MAB is supported by Cisco IOS https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html#GUID-85A51579-965E-45BD-8250-C527DD3DB83C

allthisforwhat · ‎03-14-2023

We are getting a bit into semantics here. I'm aware that MAB is the term used in Cisco classic equipment, but I used it as a shorthand for MAC authentication done via RADIUS which is what we need.

So to put it another way: How does one configure the MAC authentication feature mentioned on page 300 in the CBS250 configuration guide?

allthisforwhat · ‎03-17-2023

Any ideas on how to configure the feature?