02-06-2016 08:03 AM - edited 03-08-2019 04:30 AM
I could see that both MAB and dot1x authenticate through the RADIUS server.
The RADIUS server has the MAC directories and assigns an appropriate VLAN for the respective MAC.
As I understand it, the only difference is the protocols they use.
In our environment we use MAB as a fallback for dot1x.
What I want to know is:
1. Why have we moved from MAB to dot1x?
2. How is dot1x better than MAB?
3. Can Cisco phones authenticate with dot1x? They usually authenticate only with MAB.
4. What does dot1x do differently in the RADIUS server that MAB does not?
5. Can a Cisco phone allow a computer connected to it to authenticate with dot1x while the phone authenticates only with MAB, assuming we have new-model Cisco phones which support dot1x?
6. With the below configuration, will the phone connected to this port authenticate with dot1x? The reason I am asking is that the phone is already assigned the correct VLAN in the switch config itself.
7. In new-model Cisco phones, we have an option to disable/enable dot1x. What does this actually do? What is this option for?
Please find the switch port config below.
switchport access vlan 1
switchport mode access
switchport voice vlan 4
srr-queue bandwidth share 4 4 60 20
srr-queue bandwidth shape 4 0 0 0
authentication event fail action authorize vlan 99
authentication event no-response action authorize vlan 99
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 1
spanning-tree portfast
service-policy input qp_store_in
12-17-2016 08:01 AM
1. Why have we moved from MAB to dot1x?
That is a difficult question to answer without knowing the scope and business needs of your deployment. 802.1x provides better security.
2. How is dot1x better than MAB?
We could spend a lot of time discussing the underlying protocols and messages. This would take quite some time. The short version is this:
MAB uses the endpoint's (the device requesting network access) MAC address as the identity.
802.1x can use many different things for identity: Username / password, smart cards, certificates.
MAC addresses are very easy to spoof with almost no technical knowledge.
A properly deployed EAP-TLS environment is very difficult to penetrate. It uses certificates for identity. Both the endpoint and the AAA server must authenticate each other. Assuming you have set your certs to be non-exportable, access to this network would require a compromised endpoint. (All things being equal).
3. Can Cisco phones authenticate with dot1x? They usually authenticate only with MAB.
Not enough information is provided to effectively answer that question. It depends on the phone.
Newer phones support certificates. Here is a list from 2014 for example.
You will need to check your phone's documentation.
4. What does dot1x do differently in the RADIUS server that MAB does not?
802.1x provides some real security. MAB is really best effort. Because MAC addresses can be spoofed, MAB only provides the smallest level of security to your network. However, you can strengthen your overall security posture by using the least privilege strategy. If a MAC address was spoofed and a malicious device gains access to your network, they would have the smallest amount of actual network access.
From the white paper "This strategy allows users to only access information that is legitimate to their purpose."
5. Can a Cisco phone allow a computer connected to it to authenticate with dot1x while the phone authenticates only with MAB, assuming we have new-model Cisco phones which support dot1x?
If you use the correct host mode on your switchport, the phone will authenticate to the voice domain and the computer behind the phone will authenticate to the data domain. These two processes happen separately from each other.
Switch(config-if)# authentication host-mode multi-domain
6. With the below configuration, will the phone connected to this port authenticate with dot1x? The reason I am asking is that the phone is already assigned the correct VLAN in the switch config itself.
Not enough information is provided. It depends on if your phone supports 802.1x. Please consult the manual for your model of phone.
7. In new-model Cisco phones, we have an option to disable/enable dot1x. What does this actually do? What is this option for?
Without additional details about your deployment, such as phone model number, no real answer can be provided.