802.1x: MAC Authentication Bypass

Hey, sorry to keep bugging you guys...
So I am configuring this Bypass thing on my 3750 switch. It works fine. It seems the switch will send an Access-Request to the RADIUS server (I use FreeRADIUS) with the username/password both set to the MAC address of the device.
However, my dilemma is that I have 200+ of these devices. I can easily create a user group with MACs starting with 00a008 (which are the first 3 octets of the MAC addresses), however it's impossible to include each MAC address as the password!
So my question is whether there is a way to configure the switch to use a static string as the password for all the devices using MAC Authentication Bypass?
Thank you!!
Difan

Difan:
I went through your post and understand that you are in the process of configuring 802.1x with MAB in such a way that the switch sends a custom password (other than the MAC address) for all users, or a shared password string, but this is not possible.
Reason: the switch only sends the device MAC address as the username and password. The username is the MAC address of the client and the password is the same as the username, and this can't be changed on Cisco switches.
I have also attached a document regarding MAB for your better understanding.
This forum is only for you guys...keep bugging us
HTH
JK
Pls rate helpful posts-

Similar Messages

  • Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

    Hi experts,
    I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
    i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario:
    Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time a staff member plugs into the company's network, they will need to supply a username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff member's user profile in ACS. If the login information supplied by the staff member is valid but the MAC address of their machine does not match the ACS database, then the staff member will not be able to gain access until after notifying the administrator about it.
    ii. If it is possible, is there any reference that I can check on how to configure this?
    The reason why I need MAC authentication + 802.1x to be configured on ACS is that most of our switches are not Cisco-based and are only capable of supporting 802.1x.
    Hope someone here can help me with this.
    Thanks very much,
    Daniel

    With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
    Specific info is here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
    Hope this helps,

  • 802.1X Inaccessible Authentication Bypass

    On a 4506-E switch with supervisor engine 6L-E running IOS version 12.2(54)SG1, the command to enable Inaccessible Authentication Bypass is not available.  The interface configuration mode command is supposed to be "dot1x critical". 
    Has it changed to something else in this version of IOS?
    The data sheet for the Cisco Catalyst 4500 Supervisor Engine 6L-E shows this feature is supported (see link below).
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/data_sheet_c78-530856.html

    Hello Prashant
    Can you post the port configurations here? Have you configured the critical port, RADIUS parameters etc., and does the switch recognize that the RADIUS server is down?
    I think this has more to do with the design of the entire dot1x authentication. I have tried this in labs and have had a tough time generating these scenarios; we would hardly be able to justify this feature on the network. I think it is highly advisable to have dual RADIUS servers (or even more than 2) and to configure the switches with standby RADIUS servers. I really wouldn't want my network enabled with 802.1x and having issues contacting the RADIUS server; even though we have options and solutions to overcome it, I wouldn't want too many complications on the 802.1x front.
    Hope this helps. All the best. Rate replies if found useful.
    Raj

  • Windows 2012 r2 802.1X MAC Address bypass configuration

    I am setting up MAB for my environment and I want to make sure I am setting it up correctly, as I see some articles stating there is a registry edit needed and others that don't mention it at all.
    I have Dell PowerConnect switch with 802.1X authentication working for my Domain Computers.
    I now want to allow non-802.1x capable devices to be assigned the correct vlans (Printers, IP Phones, etc).
    I have created a user account in AD for the device, using lowercase MAC Address for the username and password.  
    I have set the switchport to allow MAB
    I have created a NPS Network Policy for one of the devices and assigned the groups it belongs to and set Authentication Method to: Unencrypted (PAP,SPAP).
    I keep receiving this error in the logs "The user attempted to use an authentication method that is not enabled on the matching network policy"
    Does anyone have advice or can direct me to a nice guide/checklist of all the areas that need to be set to allow this to happen?

    You've posted in the Print/Fax forum, but I can see you've also posted in the NAP forum. You'll likely get a better response over there, so maybe you should delete this question here.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • 802.1x MAC authentication

    Hi,
    I've been searching for the right solution to my problem on and off for the last week on this forum and other sites. I didn't get a clear answer, so here I am posting it:
    Is it possible to do MAC-based authentication and VLAN assignment with 802.1x against a RADIUS server? _I know_ you will give me the VMPS solution, which I have already taken into consideration, but I would rather do it with 802.1x if it is possible, for a number of reasons.
    I'm not looking to do port filtering (to allow only one MAC address defined in the switch). The switch should interrogate the RADIUS server about whether the MAC has access and what VLAN it should be placed in, all by means of 802.1x. Can it be done?
    Thanks.
    Gabi.

    Yes, the switch will merely pass the 802.1x from the client to the RADIUS server; the bulk of the configuration is done on the server. At the switch it's called "Using 802.1X with VLAN Assignment". Here is a link for a Cat4000 on how to configure 802.1X with VLAN assignment:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_25a/conf/dot1x.htm#wp1142124
    But you can find configuration guides for other platforms through UniverCD:
    http://www.cisco.com/univercd/home/home.htm
    And here is a link on Using a RADIUS Server to Assign Users to VLANs:
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1200/accsspts/b1237ja/i1237sc/s37vlan.htm#wp1038739

  • Configure Mac Authentication Bypass (MAB) in ACS 5.1

    Hello,
    I am a newbie in ACS 5.1 and UAC.
    I configured a MAB Access Service, but I get the error in the RADIUS Monitoring: 15024: PAP is not allowed.
    However, I did not configure PAP anywhere. Any idea what I am doing wrong?
    I did not configure any protocols, just 'Process Host Lookup'.
    Thanks a lot
    Karien

    Hi,
    You can authenticate hosts with the ACS internal DB or AD; however, please note that if you want to do MAB in AD you need to configure users with the MAC address of the machine in the same way you create the users on ACS.
    On the other hand, if the goal is to authenticate the hosts with the hostname itself, it is different from MAB, and you can use the AD DB if the PCs are registered to the domain, without any further configuration on the AD side.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • 802.1x Machine Authentication without AD

    Hello,
    I'm new to 802.1x security, and I'm wondering if it's possible to do Windows machine authentication without Active Directory?
    Thanks,
    Dan.

    Hi,
    Windows machine authentication requires machine credentials, and these credentials can only exist in AD.
    What you can do is authenticate the machine using its MAC address (MAC Authentication Bypass), and for this you only need to configure MAB on the switch, make sure the client does not speak dot1x, and create the user with username/password = MAC address on the RADIUS server.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
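    The exchange that the original post (switch sends User-Name = User-Password = MAC) and Tiago's reply above describe, as an added example that is not code from the thread, from Cisco or from FreeRADIUS: it models the PAP Access-Request a MAB-enabled port sends, with the password hidden exactly as RFC 2865 section 5.2 prescribes (16-byte blocks XORed with chained MD5 of the shared secret and the request authenticator), and the server-side rule the original poster wanted, which accepts any MAC under the OUI 00a008 from the first post while still insisting that the password equals the username. The MAC format (12 lowercase hex digits, no separators), the shared secret and the sample MACs are assumptions; platforms differ in how they format the MAC (the 1941 output further down this page shows dashes), so check what your switch actually sends before writing the match rule.

```python
"""Model of a MAB (MAC Authentication Bypass) RADIUS exchange.

Added example, not code from the thread.  Assumptions: the switch sends
the MAC as 12 lowercase hex digits with no separators and uses PAP; the
shared secret and sample MACs below are constructed for the example.
"""
import hashlib
import os
import re
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; the server needs the same secret and the request authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def build_mab_request(mac: str, secret: bytes, ident: int = 1, authenticator: bytes = None) -> bytes:
    """The Access-Request a MAB port sends: User-Name and User-Password are both the MAC."""
    authenticator = authenticator or os.urandom(16)
    name = mac.encode("ascii")
    attrs = bytes([ATTR_USER_NAME, 2 + len(name)]) + name
    hidden = pap_hide(name, secret, authenticator)
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_request(packet: bytes):
    """Split a RADIUS packet into (code, id, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            break  # malformed attribute; stop rather than loop forever
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs


def mab_decision(packet: bytes, secret: bytes, allowed_oui: str) -> str:
    """Server-side rule for the poster's case: any MAC under allowed_oui is accepted,
    but only if the password really equals the username (i.e. this is a MAB request)."""
    code, _, authenticator, attrs = parse_request(packet)
    if code != CODE_ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return "Access-Reject"
    user = attrs[ATTR_USER_NAME].decode("ascii", "replace")
    password = pap_reveal(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode("ascii", "replace")
    if not MAC_RE.match(user) or password != user or not user.startswith(allowed_oui):
        return "Access-Reject"
    return "Access-Accept"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed for the example
    for mac in ("00a0081a2b3c", "0011221a2b3c"):  # constructed sample MACs
        print(mac, mab_decision(build_mab_request(mac, secret), secret, "00a008"))
```

    Two things the model makes visible. First, a wrong shared secret turns the revealed password into garbage, so the request is rejected even for an allowed MAC, which is the usual cause of "everything is rejected" after a switch swap. Second, the password check adds no security: whoever can put a spoofed source MAC on the wire also "knows" the password, so a MAB accept is a device allowlist hit, not authentication, and MAB sessions deserve a more restricted VLAN or ACL than 802.1X ones.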

  • MAC Authentication Bypass

    When using MAC Authentication Bypass, and a switch is reset because of an upgrade, there is a period of 1 to 2 minutes when MAB fails after the switch is already back up. Logging in to the switch also fails during this time. Is there a way to get rid of this delay? I need AAA to work right away because this causes users downtime.
    Thanks in Advance,
    Alex Pfeil

    I figured out what was wrong so thank you for stopping by.
    I will publish the config for other people to see.
    Regards,

  • 802.1X + MAC

    Hi all,
    Are there any resources that I could refer to if I want to do 802.1x & MAC authentication for a particular user via Cisco Secure ACS 4.2? Our management would like to have double authentication on the LAN: whenever our staff want to connect to the network, they will need to authenticate first via 802.1x, followed by MAC authentication after that. If 802.1x is OK but the MAC authentication fails, then the staff member will not even be able to connect and will need to inform the network administrator for help.
    Hopefully someone is able to give me advice and guidance.
    Thanks very much,
    Regards,

    Have you considered machine authentication with machine access restrictions? If all your end clients are Windows-based you can leverage a group policy to force machine authentication. In your ACS settings you can enable machine access restrictions and force any client that authenticates with PEAP or EAP-TLS to fall under this condition.
    Thanks,
    Sent from Cisco Technical Support iPad App

  • 2960 - mac-auth-bypass

    Hello,
    We want to use standalone MAC Authentication Bypass (with FreeRADIUS).
    Yesterday we tested it with a Catalyst 3750, IOS 12.2(35), and it was working fine! The config on an interface looked like this:
    (config-if)switchport mode access
    (config-if)authentication port-control auto
    (config-if)mab
    (config-if)spanning-tree portfast
    Today we tried to do the same with a Catalyst 2960, IOS 12.2(44). I want to configure the interface as on the 3750, but I can't.
    Every time I enter the command "dot1x mac-auth-bypass" (I think this is the corresponding command to "mab") the switch automatically configures "dot1x pae authenticator" and "dot1x violation-mode protect" on the interface. So it looks like this:
    interface GigabitEthernet0/1
    switchport mode access
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x violation-mode restrict
    spanning-tree portfast
    If I configure "no dot1x violation-mode protect" the switch accepts the command, but it doesn't remove the entry from the interface.
    If I configure "no dot1x pae authenticator" the switch removes the whole config from the interface except "switchport mode access" and "spanning-tree...".
    I don't understand what the problem is?! Is it not possible to use MAC Authentication Bypass without dot1x (-> pae command) and violation-mode in this IOS version???
    The violation mode prevents contact with the RADIUS server. :-(
    Thank you for your help.
    Greetings Lydia

    Hey,
    1. Does somebody know if you can use standalone MAB with the dot1x guest VLAN?
    I tried it and the guest VLAN was not set. Is it required to configure dot1x with the shortest timeout, so that MAB starts fast and, if it fails, there is the guest VLAN?
    2. In the config guide there is a sample configuration for standalone MAB. I'm wondering why they configure "switchport access vlan 40"??? In what situation does this take effect? Is it like the guest VLAN? So, if MAB fails, is the port configured with VLAN 40???
    interface FastEthernet2/48
    switchport access vlan 40
    switchport mode access
    authentication port-control auto
    mab
    spanning-tree portfast
    spanning-tree bpduguard enable
    Greetings Lydia

  • Cisco 1941W configure mac authentication in wireless

    Dear all,
    I would appreciate it if anyone knows how to configure MAC authentication on a 1941W router.
    Perhaps someone can show me an example of configuring MAC authentication on a 1941W router.

    Hi,
    Below is the configuration for MAC Authentication Bypass on a Cisco 1900 router:
    c1921> enable
    c1921# configure terminal
    c1921(config)# interface gigabitethernet slot / port
    c1921(config-if)# authentication port-control auto
    c1921(config-if)# mab
    c1921(config-if)# end
    You can verify using the commands below:
    c1921#show authentication sessions 
    Interface MAC Address Method Domain Status Session ID
    Gi0/1 0201.0201.0201 mab DATA Authz Success 0303030300000004002500A8
    c1921#show authentication sessions interface Gi0/1
     Interface: GigabitEthernet0/1
     MAC Address: 0201.0201.0201
     IP Address: Unknown
     User-Name: 02-01-02-01-02-01
     Status: Authz Success
    Domain: DATA
     Oper host mode: single-host
     Oper control dir: both
     Authorized By: Authentication Server
     Vlan Group: N/A
     AAA Policies: 
     Session timeout: N/A
     Idle timeout: N/A
     Common Session ID: 0303030300000004002500A8
     Acct Session ID: 0x00000007
     Handle: 0x3D000005
    Runnable methods list:
     Method State
     mab Authc Success
    For more details refer to the link below:
    http://www.cisco.com/c/en/us/td/docs/routers/access/1900/software/configuration/guide/Software_Configuration/conf.pdf
    Thanks & Regards
    Sandeep

  • Macs joined to AD Domain, and 802.1x/mab authentication problems

    Hello, I've got a situation where I have a small handful of Mac Pros running OS X 10.6 that are having some trouble with wired 802.1x/MAB (MAC Authentication Bypass) on our Cisco switches. We have our Macs set up so that they authenticate to our Windows domain for user login; plus, we have 802.1x authentication (for our Windows clients) and MAB for our Macs, printers, and assorted other equipment. The problem seems to be that the Mac boots up before the switch goes into MAB and won't let the user log in to the network. Has anyone run across this problem before and found a solution?

    Hello,
    In my organization we have multiple 3560/2960 series switches and some 4500s with MAB.
    The interfaces have the following config:
     authentication host-mode multi-auth
     authentication order mab dot1x
     authentication priority mab dot1x
     authentication port-control auto
     authentication periodic
     authentication timer restart 120
     authentication timer reauthenticate server
     authentication timer inactivity 600
     mab
     dot1x pae authenticator
    Good luck

  • Sg300 - 802.1x NPS - mac authentication not working

    I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
    Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
    My current port configuration on the SG300:
    interface fastethernet1
     dot1x guest-vlan enable
     dot1x max-req 1
     dot1x reauthentication
     dot1x timeout quiet-period 10
     dot1x authentication 802.1x mac
     dot1x radius-attributes vlan static
     dot1x port-control auto
     switchport mode access
    On the Windows NPS server the following error is shown:
    Authentication Details:
        Connection Request Policy Name:    Secure Wire
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        myradius.local
        Authentication Type:        -
        EAP Type:            -
        Account Session Identifier:        30353030399999
        Reason Code:            1
        Reason:                An internal error occurred. Check the system event log for additional information.
    Compared to the message from the 3850, the authentication type (PAP) is missing and a not very helpful error message is displayed...

    Still not working.
    I tried different settings and (also older) software versions on the SF302-08P.
    Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
    The NPS reports following error:
    Schannel:
    The following fatal alert was received: 40.
    EventID 36887
    If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
    ... is this a bug on the SF302-08P?

  • Urgent 802.1x and MAC-Authentication Problem

    Hi all
    I want to deploy MAC authentication in my network, and I have 3000 users. In the lab the authentication for the machine takes:
    Vista: 15 - 20 seconds
    XP: 30 - 35 seconds
    Is there any way to reduce this time to less than 10 seconds? My user count is 3000; will the time get bigger because of this?
    Please help me.
    Thanks and Best Regards
    amady

    With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
    Specific info is here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
    Hope this helps,

  • Mac-auth-bypass fails MAC: 0000.0000.0000

    I have an old JetDirect that doesn't support 802.1x. I have enabled MAB on the port where it connects, but for some reason MAB fails. I enabled dot1x debug and will paste the output in a few here. I know my dot1x config is good; I have clients authenticating via RADIUS to my ACS server. I also have another port using MAB, not a JetDirect though, and both ports are configured identically. From the debugs, it seems that the switch can't glean the MAC of the JetDirect. Any ideas? This is a 3750 with 12.2(44)SE2. I've tried to shut/no shut the interface and reset the JetDirect; nothing seems to work. I see no requests on my ACS server for this device's MAC address.
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    radius-server host 192.168.x.x auth-port 1645 acct-port 1646
    interface FastEthernet2/0/31
    description A002 White
    switchport access vlan 112
    switchport mode access
    switchport voice vlan 800
    switchport port-security maximum 3
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape  10  0  0  0
    mls qos trust device cisco-phone
    mls qos trust cos
    auto qos voip cisco-phone
    dot1x mac-auth-bypass eap
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-domain
    dot1x violation-mode restrict
    dot1x timeout tx-period 2
    dot1x timeout supp-timeout 10
    spanning-tree portfast
    spanning-tree bpduguard enable
    012729: May  5 14:51:31.672: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
    012730: May  5 14:51:32.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/31, changed state to up
    012731: May  5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
    012732: May  5 14:51:33.727: dot1x-sm:Posting EAP_REQ on Client=4219220
    012733: May  5 14:51:33.727:     dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7(eapReq)
    012734: May  5 14:51:33.727: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_request
    012735: May  5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_ request_action called
    012736: May  5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_ enter called
    012737: May  5 14:51:33.727: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
    012738: May  5 14:51:33.727: dot1x-ev:FastEthernet2/0/31:Sending EAPOL packet to group PAE address
    012739: May  5 14:51:33.727: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet2/0/31.
    012740: May  5 14:51:33.727: dot1x-registry:registry:dot1x_ether_macaddr called
    012741: May  5 14:51:33.727: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet2/0/31
    012742: May  5 14:51:33.727: EAPOL pak dump Tx
    012743: May  5 14:51:33.727: EAPOL Version: 0x2  type: 0x0  length: 0x0005
    012744: May  5 14:51:33.727: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
    012745: May  5 14:51:33.727: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
    012746: May  5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
    012747: May  5 14:51:35.791: dot1x-sm:Posting EAP_TIMEOUT on Client=4219220
    012748: May  5 14:51:35.791:     dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12(eapTimeout)
    012749: May  5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_timeout
    012750: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter called
    012751: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action called
    012752: May  5 14:51:35.791:     dot1x_auth_bend Fa2/0/31: idle during state auth_bend_timeout
    012753: May  5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_timeout ->auth_bend_idle
    012754: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
    012755: May  5 14:51:35.791: dot1x-sm:Posting AUTH_TIMEOUT on Client=4219220
    012756: May  5 14:51:35.791:     dot1x_auth Fa2/0/31: during state auth_authenticating, got event 15(authTimeout)
    012757: May  5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
    012758: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
    012759: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_ente r called
    012760: May  5 14:51:35.791:     dot1x_auth_mab : initial state mab_initialize has enter
    012761: May  5 14:51:35.791:     dot1x_auth_mab : during state mab_initialize, got event 2(mabStart)
    012762: May  5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
    012763: May  5 14:53:08.831:     dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)
    HQ_1stFlr_3750#sh dot1x int fa2/0/31 det
    Dot1x Info for FastEthernet2/0/31
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = MULTI_DOMAIN
    Violation Mode            = RESTRICT
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 30
    SuppTimeout               = 10
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 2
    RateLimitPeriod           = 0
    Mac-Auth-Bypass           = Enabled (EAP)
        Inactivity Timeout    = None
    Dot1x Authenticator Client List Empty
    Port Status               = UNAUTHORIZED

    Is this JetDirect card using DHCP to get an IP address? If not, then the JetDirect will not generate any outbound traffic for the switch to authenticate. To test this, use the front panel of the printer to send out a ping packet and see if that triggers MAB.
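    A triage helper for the debug output above, as an added example (not from the thread and not Cisco code): it walks `debug dot1x` lines, records the last transition of each state machine, every MAC the switch mentions, and how long the MAB machine has sat in mab_acquiring, and then reports what the reply points at. A port whose MAB machine is still in mab_acquiring while the only MAC seen is the null 0000.0000.0000 means the switch never received a frame from the device to learn its address from, so nothing was ever sent to ACS; a silent, statically addressed JetDirect produces exactly this picture. The embedded sample lines are copied from the post; the line formats are assumed from that single 12.2(44)SE2 capture and may differ on other releases.

```python
"""Triage of 'debug dot1x' output for a port whose MAB never reaches RADIUS.

Added example, not code from the thread.  The sample lines are copied from
the post above; the state-machine line formats are assumed from them and
may differ on other IOS releases.
"""
import re

SAMPLE_DEBUG = """\
012731: May  5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
012746: May  5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012757: May  5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012762: May  5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
012763: May  5 14:53:08.831:     dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)
"""

TS_RE = re.compile(r"^\d+: \w{3}\s+\d+ (\d{2}):(\d{2}):(\d{2})\.(\d{3}):")
TRANS_RE = re.compile(r"@@@ (\w+)(?: (\S+))? ?: (\w+) ->\s*(\w+)")
EVENT_RE = re.compile(r"(\w+) : during state (\w+), got event \d+\((\w+)\)( \(ignored\))?")
MAC_RE = re.compile(r"for mac ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
NULL_MAC = "0000.0000.0000"


def timestamp_seconds(line):
    """Seconds since midnight from the IOS log prefix, or None if the line has none."""
    m = TS_RE.match(line)
    if not m:
        return None
    h, mi, s, ms = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s + ms / 1000.0


def triage(lines):
    """Summarise state-machine transitions, MACs and ignored events, and give a verdict."""
    final_state, entered_at, macs, ignored, last_ts = {}, {}, set(), [], None
    for line in lines:
        ts = timestamp_seconds(line)
        if ts is not None:
            last_ts = ts
        m = TRANS_RE.search(line)
        if m:
            machine, _port, _from_state, to_state = m.groups()
            final_state[machine] = to_state
            entered_at[machine] = ts
        m = EVENT_RE.search(line)
        if m and m.group(4):  # an event the state machine explicitly ignored
            ignored.append((m.group(1), m.group(2), m.group(3)))
        m = MAC_RE.search(line)
        if m:
            macs.add(m.group(1))
    learned = {mac for mac in macs if mac != NULL_MAC}
    mab_state = final_state.get("dot1x_auth_mab")
    acquiring = None
    if mab_state == "mab_acquiring" and last_ts is not None and entered_at.get("dot1x_auth_mab") is not None:
        acquiring = last_ts - entered_at["dot1x_auth_mab"]
    if mab_state == "mab_acquiring" and not learned:
        verdict = ("stuck in mab_acquiring for %.1f s with no source MAC learned: the host sent no "
                   "frames, so the switch had nothing to send to RADIUS (silent device, e.g. static IP)"
                   % (acquiring or 0.0))
    elif mab_state == "mab_acquiring":
        verdict = ("MAC %s seen but MAB still in mab_acquiring at end of capture: capture may be "
                   "truncated; check the RADIUS server logs" % ",".join(sorted(learned)))
    else:
        verdict = "MAB state %s; no acquisition problem in this capture" % mab_state
    return {"final_state": final_state, "learned_macs": learned, "ignored_events": ignored,
            "acquiring_seconds": acquiring, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG.splitlines())["verdict"])
```

    On the posted capture this reports about 93 seconds in mab_acquiring with no MAC learned, which matches the reply's diagnosis; the quick confirmation is the one the reply gives, make the device transmit (a ping from its front panel) and watch for the mab_acquiring state to leave and an Access-Request to appear on ACS.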
