05-16-2017 12:29 AM - edited 03-08-2019 10:35 AM
Hello Guys,
I have a question that has been bugging me. We have a LAN site that does not have full dot1x, but we do authenticate via MAB.
So we add the MAC address of the host into the ACS, and the MAB on the port will check the MAC; if it fails, you will enter the guest VLAN.
Now we have a question from some users who want to use VMware Workstation, but the tricky part is the security measures. We are not allowed to use NAT mode in VMware Workstation; we must use bridged mode. So in this scenario both the MAC of the host and that of the VM will be seen at the switchport level, in my point of view.
How will MAB react to this?
This is the configuration of the port:
!
interface GigabitEthernet2/22
description *** User port ***
switchport mode access
power inline never
authentication event no-response action authorize vlan 200
authentication port-control auto
mab
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
ip verify source vlan dhcp-snooping
!
I have checked the MAB design guide but was not able to find anything on this.
05-16-2017 02:01 AM
Hi,
By default, MAB only allows a single endpoint per port and any additional endpoints (MAC addresses) that are seen on the port will cause a violation. This behaviour can be changed by altering the MAB host mode on the port.
The following is from the MAB deployment guide.
Single-Host Mode
In single-host mode, only a single MAC or IP address can be authenticated by any method on a port. If a different MAC address is detected on the port after an endpoint has authenticated with MAB, a security violation is triggered on the port. This is the default behavior.
Multidomain Authentication Host Mode
Multidomain authentication was specifically designed to address the requirements of IP telephony. When multidomain authentication is configured, two endpoints are allowed on the port: one in the voice VLAN and one in the data VLAN. Either, both, or none of the endpoints can be authenticated with MAB. Additional MAC addresses trigger a security violation.
Multi-Authentication Host Mode
If the port is configured for multi-authentication (multi-auth) host mode, multiple endpoints can be authenticated in the data VLAN. Each new MAC address that appears on the port is separately authenticated. Any, all, or none of the endpoints can be authenticated with MAB. Multi-auth host mode can be used for bridged virtual environments or to support hubs.
Multihost Mode
Unlike multi-auth host mode, which authenticates every MAC address, multihost mode authenticates the first MAC address and then allows an unlimited number of other MAC addresses. Because of the security implications of multihost mode, multi-auth host mode typically is a better choice than multihost mode.
In your scenario you will need to configure either multi-auth host mode or multihost mode to allow both the MAC of the host and that of the VM to be authenticated and permitted on the port.
interface GigabitEthernet2/22
authentication host-mode multi-auth
or
authentication host-mode multi-host
I hope that this helps
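As an added illustration (not part of this thread or of any Cisco code), here is a small Python model of how the four host modes quoted above treat the host MAC and the bridged VM MAC when both appear on the same access port. The MAC values and the ACS allowlist are constructed, and the outcome model is deliberately simplified to the behaviour the guide describes.

```python
AUTHORIZED, FAILED, VIOLATION, NOT_AUTHENTICATED, BLOCKED = (
    "authorized", "failed", "violation", "not-authenticated", "blocked")

# Constructed allowlist standing in for the MAC entries held in ACS.
ACS_ALLOWLIST = {"00:11:22:33:44:55",   # the user's laptop NIC
                 "00:50:56:aa:bb:cc"}   # the bridged VM's virtual NIC
HOST, VM = "00:11:22:33:44:55", "00:50:56:aa:bb:cc"
BRIDGED = [(HOST, "data"), (VM, "data")]  # what the switchport sees in bridged mode

def mab_lookup(mac, allowlist):
    """MAB check: the switch asks the AAA server whether this MAC is known."""
    return AUTHORIZED if mac.lower() in allowlist else FAILED

def simulate_port(host_mode, endpoints, allowlist=ACS_ALLOWLIST):
    """Return {mac: outcome} for (mac, domain) pairs seen on the port, in order.
    domain is "data" or "voice" and only matters in multi-domain mode."""
    results, seen_domains, first_result, violated = {}, {}, None, False
    for mac, domain in endpoints:
        if mac in results:           # same MAC again: existing session, nothing new
            continue
        if violated:                 # port already in security-violation state
            results[mac] = VIOLATION
        elif host_mode == "single-host":
            if results:              # any second MAC is a violation
                violated, results[mac] = True, VIOLATION
            else:
                results[mac] = mab_lookup(mac, allowlist)
        elif host_mode == "multi-domain":
            if domain in seen_domains or len(seen_domains) == 2:
                violated, results[mac] = True, VIOLATION
            else:
                seen_domains[domain] = mac
                results[mac] = mab_lookup(mac, allowlist)
        elif host_mode == "multi-auth":
            results[mac] = mab_lookup(mac, allowlist)  # every MAC authenticated on its own
        elif host_mode == "multi-host":
            if first_result is None:
                first_result = results[mac] = mab_lookup(mac, allowlist)
            elif first_result == AUTHORIZED:
                results[mac] = NOT_AUTHENTICATED  # rides on the first MAC's session
            else:
                results[mac] = BLOCKED            # first MAC failed: port stays unauthorized
        else:
            raise ValueError(f"unknown host mode: {host_mode}")
    return results

if __name__ == "__main__":
    for mode in ("single-host", "multi-domain", "multi-auth", "multi-host"):
        print(f"{mode:13} {simulate_port(mode, BRIDGED)}")
```

Running it shows why the answer prefers multi-auth: a VM MAC that is not in ACS fails MAB under multi-auth, but under multi-host it is admitted without any check once the host MAC has authenticated.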