MAC authentication bypass missing

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-13-2023 05:34 AM
A customer of mine has bought some CBS250 switches because they want to migrate away from Aruba. Their old switches are setup for 802.1x with fallback to MAB. The option to use MAB seems to be missing on CBS250. It was available on the SG250 according to the documentation, so that seems like a bit of a regression. Am I missing something or has the feature indeed been dropped?
- Labels:
-
Small Business Switches
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-13-2023 06:00 AM
as per the admin guide it supported : (page 300) - may check the latest firmware update and check (if not upgraded already)

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-13-2023 06:37 AM
Thanks for the quick response. That was my reading as well, but when comparing the commands available on the 250 (running newest firmware) vs 350 (not even on the newest version) reveals that something is missing.
The top picture is from a 350 and in the interface context it gives the option for the "dot1x authentication" command and the ability to chose between the different methods.
The lower image is from a 250 where the "dot1x" command is present but the "authentication" part is missing. Certificate-based authentication is indeed running and works, but MAB doesn't.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-14-2023 02:07 PM
Hi,
MAB or MAC authentication bypass is not a supported feature on CBS switches.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-14-2023 03:16 PM
I beg to differ. As shown in the screenshot it is running on the CBS 350 model, and according the the documentation linked by balaji.bandi, it is mentioned as a supported feature on CBS 250 as well. Missing features is a problem, because I (a Cisco partner) look like an idiot when I recommend Cisco gear to a client, while I could not have imagined that features from the SG series had been removed.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-14-2023 09:52 PM
Hi,
Where it is mentioned as a supported feature in CBS250? Where in page 300 from the ag https://www.cisco.com/c/en/us/td/docs/switches/lan/csbms/CBS_250_350/Administration-Guide/cbs-250-ag.pdf it is mentioned for a MAC Authentication Bypass?
The screenshot is showing just the MAC-based authentication which has nothing to do with the MAB. MAB is supported by Cisco IOS https://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html#GUID-85A51579-965E-45BD-8250-C527DD3DB83C
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-14-2023 11:33 PM
We are getting a bit into semantics here. I'm aware that MAB is the term used in Cisco classic equipment, but I used it as a shorthand for MAC authentication done via RADIUS which is what we need.
So to put it another way: How does one configure the MAC authentication feature mentioned on page 300 in the CBS250 configuration guide?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-17-2023 05:52 AM
Any ideas on how to configure the feature?
