10-14-2010 01:44 PM - edited 03-06-2019 01:31 PM
Does Cisco have a user authentication solution (like MAC-address based VLANs) that does not use the dot1x methodology?
I mentioned a user-authentication scheme using dot1x and he jabber-jawed about a Cisco solution that does not require a dot1x agent to run on the client machine.
Which Cisco solution offers MAC-address-based authentication and VLAN placement that doesn't use dot1x and does not require an agent to be running on the client machine?
Thanks
10-17-2010 04:49 PM
Guys:
I need to be clear on a few things. Please excuse me; I am not being a maniac.
I know that with dot1x, which Cisco switches support, a client (supplicant) can be authenticated, using their username and password, and then placed in a VLAN. The authentication server (RADIUS server) is what is doing the authentication and the placement of a client in a VLAN. OK, simple enough. Got it!
That having been said, what I need is for a client to be placed in a VLAN based on their MAC address, similar to Cisco's old VMPS system. However, whenever I read about dot1x authentication and dynamic VLAN assignment, it is always about authenticating a client based on their username and password (they even show you how to set the supplicant up in Windows), and then doing the VLAN assignment.
I NEVER see anything about VLAN assignment based on MAC address when using dot1x. Does anyone have a document that talks about this?
Sorry to be a BIG pain in the @ss!
Thanks
10-17-2010 10:51 PM
Hello,
Hey, you're absolutely NOT any pain in wherever! These forums are for discussion of exactly this kind, so you are most welcome!
To your question: actually, it is already answered in this thread by Wim:
https://supportforums.cisco.com/message/3202912#3202912
There is a functionality called the MAC Authentication Bypass that allows you to authenticate the clients against the RADIUS with their MAC addresses, not with their usernames/passwords. Read about it here:
This being said, in one of the earlier posts, Jon has very correctly pointed out that it is absolutely no problem in today's operating systems to change your MAC address at will, so basing the solution solely on MAC addresses is ... questionable at best from the security perspective. I understand that it is not your choice but your client should be aware of that (perhaps a small demonstration of an employee learning the MAC address of some highly authorized station and modifying his own MAC to impersonate that station and gaining access to the privileged VLAN could do the trick). Sometimes, explanations do not help but practical examples with a little showmanship added to it might just be enough.
Best regards,
Peter
10-18-2010 05:43 AM
Hi,
Yes, you can do VLAN assignment using only the MAC address of the machines as authentication data.
As mentioned before, you can use MAB (MAC Authentication Bypass) on the dot1x port, and it will be transparent for the machine connected to the port.
You can connect printers, pcs, etc, that do not have any kind of dot1x supplicant.
The only thing needed is that the switch sees traffic from the client so it can learn its MAC address.
Then the switch itself will take the MAC address and use it as username and password to authenticate the client machine.
On the RADIUS server you have to configure a user with the MAC address as username and password. Then you can decide if you want to send VLAN attributes in the Access-Accept so that the port goes to a specific VLAN.
Example: On ACS you create a group named printers. And you configure on this group the vlan attributes (attribute 64,65,81) to return VLAN 100.
You create the printer accounts using their MAC addresses and assign them to the printers group.
Then every printer that you connect to a dot1x port with MAB enabled will be authenticated and the port put into VLAN 100.
Hope this helps you.
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
10-19-2010 10:48 AM
Folks, thanks again.
I see that Cisco has a solution and it's MAB. OK...
What about if I don't want to use a Cisco appliance or solution? Will MAB even work with non-Cisco switches?
Does RADIUS, as an open standard operating within the dot1x architecture, allow for dynamic VLAN assignment based on MAC addresses?
I think the answer is yes and the way to do it is to use the machine's MAC address as the username and password. I know that MAB uses this approach, but I think it can be the same thing with a general RADIUS deployment. This way you can repurpose the username/password authentication behavior of RADIUS to create a dynamic VLAN assignment based on MAC address solution.
Thoughts?
10-19-2010 11:09 AM
Hello,
In a very general approach, a RADIUS server assigning VLANs dynamically based on stations' MAC addresses is possible if the RADIUS server actually gets to know the client's MAC address. That can happen via two ways: either the MAC is used as the username, or it is included as an additional attribute of a certain type in the Access-Request message sent from a switch towards the RADIUS server. A RADIUS server can provide its answer based on any attribute in the Access-Request message, be it a username or a different field that is "parseable" and comparable to a predefined template value (actually, this depends on particular RADIUS implementation what matching capabilities it provides you with - the FreeRADIUS is very flexible in this aspect).
The ramifications of this should be clear. In usual 802.1X environments, the Access-Request is sent from a switch as a result of EAPOL frame exchange detected on a switchport. If no EAPOL exchange takes place, no communication with the RADIUS server will be performed, so no authentication/DVLAN assignment can be done. The MAB circumvents this by simply waiting for any frame arriving from a connected station, learning the source MAC and constructing an Access-Request message without performing any EAPOL handshake with the PC, using the learned MAC as the username. Thus, it is not an added intelligence of a RADIUS server nor a client's issue; it is solely an intelligence added on the switch (the authenticator). Without a switch able to do this "trick", the RADIUS environment falls back to the EAPOL exchange between the switch and the station to exchange the credentials information.
A different vendor implementation must in essence do a very similar procedure - wait for a frame to arrive, learn the source MAC, and upon learning it, construct an Access-Request message and somehow use the MAC address in this message - either as a username or some other (possible vendor-specific) attribute. The RADIUS server itself is actually not responsible for this - it merely receives the Access-Request message, processes it and responds accordingly. It must be the added intelligence in the switch (the authenticator) that actually acts on behalf of client's MAC address without performing any EAPOL message exchange.
I know I have not given you any definitive answer but I am afraid that there is none. Really, this entire issue depends on whether a particular switch is so intelligent that it can use the client's MAC address without needing the EAP/credentials exchange to talk to the RADIUS server in order to authenticate the station.
Best regards,
Peter
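Added example, not code from the original thread and not Cisco's or any RADIUS vendor's code: a small Python model of the exchange that Wim's ACS description (10-18-2010) and Peter's explanation (10-19-2010) walk through. The "switch" never does an EAPOL handshake; it takes a learned source MAC, puts it in User-Name and (hidden per RFC 2865) User-Password, and sends an Access-Request. The toy RADIUS server looks the MAC up in a constructed "printers" table and answers with Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-Id (81), which the switch verifies and parses into a VLAN. The shared secret, the MAC table, the tag byte value and the Service-Type/Calling-Station-Id formatting are assumptions for this example (they mirror what Cisco MAB sends by default, but check your own platform). The last call demonstrates Peter's caveat: a host that clones the printer's MAC gets the same VLAN.

```python
"""Toy MAC Authentication Bypass (MAB) exchange over RADIUS (RFC 2865/2868).
Not vendor code: an illustration of why a MAC-keyed RADIUS policy needs no EAPOL
and why a cloned MAC is indistinguishable from the real station."""
import hashlib
import os
import struct

SECRET = b"sharedsecret"   # constructed shared secret (assumption for the example)

# RADIUS codes and attribute types (RFC 2865, RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_CALL_CHECK = 10        # Service-Type Cisco IOS uses for MAB requests
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

# Constructed "printers" group: MAC-as-username -> VLAN (the thread's VLAN 100).
MAC_TO_VLAN = {"001122334455": 100}


def attr(t, value):
    """One RADIUS attribute: Type, Length (incl. header), Value."""
    return struct.pack("!BB", t, 2 + len(value)) + value


def parse_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        out.append((t, data[i + 2:i + l]))
        i += l
    return out


def encrypt_password(pw, secret, req_auth):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with an MD5 chain."""
    pw = pw + b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out, prev = out + block, block
    return out


def decrypt_password(enc, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(enc), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(enc[i:i + 16], key))
        prev = enc[i:i + 16]
    return out.rstrip(b"\x00")


def build_mab_request(src_mac, ident=1):
    """Authenticator side: no EAPOL at all. The learned source MAC becomes both
    User-Name and User-Password (12 lowercase hex digits, Cisco's default format)."""
    mac = src_mac.replace(":", "").replace("-", "").replace(".", "").lower()
    req_auth = os.urandom(16)
    dashed = "-".join(mac[i:i + 2] for i in range(0, 12, 2)).upper()
    attrs = [
        attr(USER_NAME, mac.encode()),
        attr(USER_PASSWORD, encrypt_password(mac.encode(), SECRET, req_auth)),
        attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK)),
        attr(CALLING_STATION_ID, dashed.encode()),
    ]
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def radius_server(request):
    """Toy RADIUS: match the MAC username to its group's VLAN, reply with 64/65/81."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(parse_attrs(request[20:length]))
    user = attrs[USER_NAME].decode()
    pw = decrypt_password(attrs[USER_PASSWORD], SECRET, req_auth)
    vlan = MAC_TO_VLAN.get(user)
    if code != ACCESS_REQUEST or pw != user.encode() or vlan is None:
        reply_code, reply_attrs = ACCESS_REJECT, []
    else:
        tag = b"\x01"   # RFC 2868 tag byte (assumption: tag 1, which Cisco accepts)
        reply_code, reply_attrs = ACCESS_ACCEPT, [
            attr(TUNNEL_TYPE, tag + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
            attr(TUNNEL_MEDIUM_TYPE, tag + struct.pack("!I", TUNNEL_MEDIUM_802)[1:]),
            attr(TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan).encode()),
        ]
    body = b"".join(reply_attrs)
    hdr = struct.pack("!BBH", reply_code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return hdr + hashlib.md5(hdr + req_auth + body + SECRET).digest() + body


def switch_authorize(src_mac):
    """Returns the VLAN the port lands in, or None on reject / unverifiable reply."""
    req = build_mab_request(src_mac)
    resp = radius_server(req)
    code, _ident, length = struct.unpack("!BBH", resp[:4])
    hdr, resp_auth, body = resp[:4], resp[4:20], resp[20:length]
    # Check the server's signature before trusting any attribute it carries.
    if hashlib.md5(hdr + req[4:20] + body + SECRET).digest() != resp_auth:
        return None
    if code != ACCESS_ACCEPT:
        return None
    attrs = dict(parse_attrs(body))
    if (attrs.get(TUNNEL_TYPE, b"")[1:] != struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]
            or attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != struct.pack("!I", TUNNEL_MEDIUM_802)[1:]):
        return None
    gid = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if gid[0] <= 0x1F:          # leading tag byte, RFC 2868 section 3.6
        gid = gid[1:]
    return int(gid.decode())


if __name__ == "__main__":
    print(switch_authorize("00:11:22:33:44:55"))  # the printer: VLAN 100
    print(switch_authorize("aa:bb:cc:dd:ee:ff"))  # unknown station: None
    # Peter's caveat: a laptop that clones the printer's MAC is placed in VLAN 100
    # too, because the MAC is the only "credential" the RADIUS server ever sees.
    print(switch_authorize("0011.2233.4455"))
```

The server only ever sees what the authenticator puts in User-Name and Calling-Station-Id, so the policy is exactly as strong as the MAC address is hard to forge, which on a modern OS is a one-line change. Note also that the RADIUS server does nothing MAB-specific here; the intelligence that skips EAPOL lives entirely in build_mab_request, the switch side, which is Peter's point about non-Cisco switches.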
10-19-2010 07:48 PM
Peter, thank you very much for that outstanding and thoughtful answer.
My understanding is that dot1x dynamic vlan assignment based on MAC addresses is sort of a bastardized version of dot1x authentication. Leveraging RADIUS, the dot1x architecture solution typically authenticates a user based on their username and password and from there can assign a VLAN.
I also agree that MAC-based VLANs can be difficult to implement in a dot1x world. And MAB and VMPS are really proprietary solutions.
I am trying to convince the client to drop the MAC-based dynamic VLAN requirement and just assign a VLAN based on typical username and password authentication.
Thanks
10-20-2010 02:07 AM
Hello,
I am very glad to have helped, and thank you very much for your generous rating!
"My understanding is that dot1x dynamic vlan assignment based on MAC addresses is sort of a bastardized version of dot1x authentication."
Absolutely. I couldn't say it better.
"I am trying to convince the client to drop the MAC-based dynamic VLAN requirement and just assign a VLAN based on typical username and password authentication."
Very good. Without a special (probably proprietary) functionality on a switch like MAB and/or some special software on a station, assigning dynamic VLANs based just on MAC address in a RADIUS environment is next to impossible.
I even remember a statement from my BCMSN training saying that dynamic VLANs are not consistent with Cisco's Enterprise Composite Network Model and won't be discussed further. I would generally agree with this. The dynamic nature of these VLANs that essentially "run after their own users" throughout a switched domain brings a level of flexibility but also breaks a lot of recommendations about local VLANs and their best management practices we're used to seeing in usual two- or three-layer designs.
Best regards,
Peter