Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
895
Views
5
Helpful
4
Replies

VMPS x CISCO MAB (MAC Authentication Bypass)

Go to solution
marcio.tormente
Level 4
Level 4

‎04-15-2015 05:42 AM - edited ‎03-07-2019 11:33 PM

Dear,

 

I saw that Cisco MAB (MAC Authentication Bypass) is a evolution of VMPS, but I couldn't find informations about dynamic VLAN, with VMPS is possible to assign a VLAN using MAC, exemplo if the MAC xxx have to be in the VLAN 10 and the endpoint is conected on port 1 and the MAC, the switch will read a VMPS file to know with VLAN is that MAC and asign there port, if the endpoint change and gos to port 2, there port will be asign to VLAN 10 because the MAX xxx.

With MAB I saw that is possible to asign a VLAN if the MAC is unknown, than this port will be asign to a VLAN that permit only internet access.

I'm worry about mobility, I want that people from a especific departament have the same VLAN does not matter they are, I need the VLAN follow the user, with the VMPS its possible, but with MAB I don't know.

 

Can anyone tell me if MAB can do it or if there is another way?

 

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni

‎04-15-2015 05:58 AM

With MAB, the mac address of the host is in the radius server which will respond to the switch when queried for authentication on which VLAN it should go, this should return the same vlan ID value all the time. You can get granular with Cisco ACS or ISE, you can specify from a specific switch along with other filters.

This means you have to have this VLAN on every single possible switch the users PC/Laptop/host can get to, otherwise the vlan assignment to the port will fail.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni

‎04-15-2015 05:58 AM

With MAB, the mac address of the host is in the radius server which will respond to the switch when queried for authentication on which VLAN it should go, this should return the same vlan ID value all the time. You can get granular with Cisco ACS or ISE, you can specify from a specific switch along with other filters.

This means you have to have this VLAN on every single possible switch the users PC/Laptop/host can get to, otherwise the vlan assignment to the port will fail.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.
0 Helpful

Go to solution
marcio.tormente
Level 4
Level 4
In response to Bilal Nawaz

‎04-15-2015 06:05 AM

Bilal,

 

Let me see if I got it.

In all switches I just have to have all VLANs configured and the ACS or ISE will assignt the port to a VLAN base on MAC, correct? Iven if the host change the port.

 

Thanks

0 Helpful

Go to solution
Bilal Nawaz
VIP Alumni
VIP Alumni
In response to marcio.tormente

‎04-15-2015 06:18 AM

Yes Exactly. You can specify which vlan to put the mac address in on those radius servers.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Go to solution
marcio.tormente
Level 4
Level 4
In response to Bilal Nawaz

‎04-15-2015 06:23 AM

Thanks Bilal,

 

You help me a lot

 

 

0 Helpful
Customers Also Viewed These Support Documents