802.1x: MAC Authentication Bypass
Hey, sorry for keeping on bugging you guys...
So I am configuring this bypass thing on my 3750 switch. It works fine. It seems the switch will send an Access-Request to the RADIUS server (I use FreeRADIUS) with the username/password both set to the MAC address of the device.
However, my dilemma is that I have 200+ of these devices. I can easily create a user group with MACs starting with 00a008 (which are the first 3 octets of the MAC addresses), however it's impossible to include each of the MAC addresses as the password!
So my question is whether there is a way to configure the switch to use a static string as the password for all the devices using MAC Authentication Bypass?
Thank you!!
Difan
Difan:
I went through your post and understand that you are in the process of configuring 802.1x with MAB in such a way that you use a custom password (other than the MAC address) for all users OR a shared password string that should be sent by the switch, but this is not possible.
Reason: the switch only sends the device MAC address as the username and password. The username should be the MAC address of the client and the password should be the same as the username, and this can't be changed on Cisco switches.
I have also attached a document regarding MAB for your better understanding.
This forum is only for you guys...keep bugging us
HTH
JK
Pls rate helpful posts-
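As an added example (not part of the thread, and not FreeRADIUS code), a Python helper covering the two things the exchange above implies: it normalizes the MAC formats Cisco gear uses, emits the FreeRADIUS users-file entries where the password equals the username, and evaluates a MAB request against the 00a008 OUI. The OUI policy and every MAC value are constructed for the example.

```python
import re

# Constructed policy for this example: the vendor OUI from the question.
ALLOWED_OUI = "00a008"

_MAC12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits.

    Cisco platforms present the address in several forms (the thread shows
    0201.0201.0201 in 'show' output and 02-01-02-01-02-01 as the User-Name),
    so dots, dashes and colons are all stripped. Raises ValueError on anything
    that is not a MAC address (for instance a shared static password).
    """
    cleaned = re.sub(r"[.:-]", "", mac.strip()).lower()
    if not _MAC12.fullmatch(cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned


def users_file_entries(macs):
    """Build one FreeRADIUS 'users' file line per device.

    Cleartext-Password equals the username because, as the reply says, the
    switch sends the MAC address in both attributes. Duplicates collapse and
    the result is sorted so the file stays stable under revision control.
    """
    return [
        f'{mac}\tCleartext-Password := "{mac}"'
        for mac in sorted({normalize_mac(m) for m in macs})
    ]


def check_mab_request(user_name, user_password, calling_station_id,
                      allowed_oui=ALLOWED_OUI):
    """Decide a MAB Access-Request from the three attributes a switch sends.

    Returns (accept, reason). The checks mirror what an OUI-based RADIUS
    policy would enforce: username and password are the same MAC, that MAC
    matches Calling-Station-Id (so a request cannot claim a different
    identity than the port saw), and the MAC is inside the permitted OUI.
    MAB still trusts the MAC itself, so this is access control, not proof
    of device identity.
    """
    try:
        user = normalize_mac(user_name)
        password = normalize_mac(user_password)
        station = normalize_mac(calling_station_id)
    except ValueError as exc:
        return False, str(exc)
    if user != password:
        return False, "User-Password does not match User-Name"
    if user != station:
        return False, "User-Name does not match Calling-Station-Id"
    if not user.startswith(allowed_oui.lower()):
        return False, f"OUI {user[:6]} not permitted"
    return True, "accept"


if __name__ == "__main__":
    # Constructed device list in the mixed formats an inventory may contain.
    for line in users_file_entries(["00:A0:08:00:00:01", "00a0.0800.0002"]):
        print(line)
    print(check_mab_request("00a008000001", "00a008000001", "00-A0-08-00-00-01"))
    print(check_mab_request("00a008000001", "sharedsecret", "00-A0-08-00-00-01"))
```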
Similar Messages
-
Enabling 802.1x and MAC Authentication Bypass on ACS 4.2
Hi experts,
I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario:
Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time staff plug into the company's network, they will need to supply a username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking it against its own database. This MAC address is tied to the staff member's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine does not match the ACS database, then the staff will not be able to gain access until after notifying the administrator about it.
ii. If it is possible, is there any reference that I can check on how to configure this?
The reason why I need MAC authentication + 802.1x to be configured at ACS is that most of our switches are not Cisco based and are only capable of supporting 802.1x.
Hope anyone here could help me on this.
Thanks very much,
Daniel
With ACS, you can set up NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
802.1X Inaccessible Authentication Bypass
On a 4506-E switch with supervisor engine 6L-E running IOS version 12.2(54)SG1, the command to enable Inaccessible Authentication Bypass is not available. The interface configuration mode command is supposed to be "dot1x critical".
Has it changed to something else in this version of IOS?
The data sheet for the Cisco Catalyst 4500 Supervisor Engine 6L-E shows this feature is supported (see link below).
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/data_sheet_c78-530856.html
Hello Prashant
Can you post the port configurations here? Have you configured the critical port, RADIUS parameters etc., and does the switch recognize that the RADIUS server is down?
I think this is more to do with the design of the entire dot1x authentication.. I have tried this in labs and have had tough times generating these scenarios.. we would hardly be able to justify this feature on the network. I think it is highly advisable to have dual RADIUS servers (or even more than 2), and configure the switches with standby RADIUS servers.. I really wouldn't want my network enabled with 802.1x and having issues contacting the RADIUS server.. even though we have options and solutions to overcome it, I wouldn't want too many complications on the 802.1x front..
Hope this helps.. all the best.. rate replies if found useful..
Raj -
Windows 2012 r2 802.1X MAC Address bypass configuration
I am setting up MAB for my environment and I want to make sure I am setting it up correctly, as I see some articles stating there is a reg edit needed and others that don't mention it at all.
I have Dell PowerConnect switch with 802.1X authentication working for my Domain Computers.
I now want to allow non-802.1x capable devices to be assigned the correct vlans (Printers, IP Phones, etc).
I have created a user account in AD for the device, using lowercase MAC Address for the username and password.
I have set the switchport to allow MAB
I have created a NPS Network Policy for one of the devices and assigned the groups it belongs to and set Authentication Method to: Unencrypted (PAP,SPAP).
I keep receiving this error in the logs "The user attempted to use an authentication method that is not enabled on the matching network policy"
Does anyone have advice or can direct me to a nice guide/checklist of all the areas that need to be set to allow this to happen?
You've posted in the Print/Fax forum, but I can see you've also posted in the NAP forum. You'll likely get a better response over there, so maybe you should delete this question in here..
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
802.1x MAC authentication
Hi,
I've been searching for the right solution for my problem on and on for the last week on this forum and other sites. I didn't get a clear answer, so here I am posting it:
Is it possible to do MAC-based authentication and VLAN assignment with 802.1x against a RADIUS server? _I know_ you will give me the VMPS solution, which I have already taken into consideration, but I would rather do it with 802.1x if it is possible, for a number of reasons.
I'm not looking to do port filtering (to allow only one MAC address defined in the switch). The switch should interrogate the RADIUS server as to whether the MAC has access and what VLAN it should be placed on; all that by means of 802.1x. Can it be done?
Thanx.
Gabi.
Yes, the switch will merely pass the 802.1x from the client to the RADIUS server; the bulk of the configuration is done on the server. At the switch it's called "Using 802.1X with VLAN Assignment". Here is a link on a Cat4000 on how to configure 802.1X with VLAN assignment:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_25a/conf/dot1x.htm#wp1142124
But you can find configuration guides for other platforms through UniverCD:
http://www.cisco.com/univercd/home/home.htm
And here is a link on Using a RADIUS Server to Assign Users to VLANs:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1200/accsspts/b1237ja/i1237sc/s37vlan.htm#wp1038739 -
Configure Mac Authentication Bypass (MAB) in ACS 5.1
Hello,
I am a newbie in ACS 5.1 and UAC.
I configured a MAB Access Service, but I get this error in the RADIUS Monitoring: 15024: PAP is not allowed.
However, I nowhere configured PAP. Any idea what I am doing wrong?
I did not configure any protocols, just 'Process Host Lookup'.
Thanks a lot
Karien
Hi,
You can authenticate hosts with the ACS internal DB or AD, however please note that if you want to do MAB in AD you need to configure users with the MAC address of the machine in the same way you create the users on ACS.
On the other hand, if the goal is to authenticate the hosts with the hostname itself, it is different from MAB, and you can use the AD DB if the PCs are registered to the domain, without any further configuration on the AD side.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
802.1x Machine Authentication without AD
Hello,
I'm new to 802.1x security, and I'm wondering if it's possible to do Windows machine authentication without an Active Directory?
Thanks,
Dan.
Hi,
Windows machine authentication requires machine credentials, and these credentials can only exist in AD.
What you can do is authenticate the machine using its MAC address (MAC authentication bypass), and for this you only need to configure mab on the switch, make sure the client does not speak dot1x, and create the user with username/password = MAC address on the RADIUS server.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
When using MAC Authentication Bypass and a switch is reset because of an upgrade, there is a period of 1 to 2 minutes when MAB fails after the switch is already back up. Logging in to the switch also fails during this time. Is there a way to get rid of this delay? I need AAA to work right away because this causes users downtime.
Thanks in Advance,
Alex Pfeil
I figured out what was wrong so thank you for stopping by.
I will publish the config for other people to see.
Regards, -
Hi all,
Are there any resources that I could refer to if I want to do 802.1x & MAC authentication for a particular user via Cisco Secure ACS 4.2? Our management would like to have double authentication on the LAN: whenever our staff want to connect to the network, they will need to authenticate first via 802.1x, followed by MAC authentication after that. If 802.1x is OK but the MAC authentication fails, then the staff will not even be able to connect and they need to inform the network administrator for help.
Hopefully one of you is able to give me advice and guidance.
Thanks very much,
Regards,
Have you considered machine authentication, with machine access restrictions? If all your end clients are Windows based you can leverage a group policy to force machine authentication. In your ACS settings you can enable machine access restrictions and force any client that authenticates with PEAP or EAP-TLS to fall under this condition.
Thanks,
Sent from Cisco Technical Support iPad App -
Hello,
We want to use standalone MAC authentication bypass (with FreeRADIUS).
Yesterday we tested it with a Catalyst 3750 IOS 12.2(35) and it was working fine! The config on an interface looked like this:
(config-if)switchport mode access
(config-if)authentication port-control auto
(config-if)mab
(config-if)spanning-tree portfast
Today we tried to do the same with a Catalyst 2960 IOS 12.2(44). I want to configure the interface like on the 3750, but I can't.
Every time I write the command "dot1x mac-auth-bypass" (I think this is the corresponding command to "mab") the switch automatically configures "dot1x pae authenticator" and "dot1x violation-mode protect" on the interface. So it looks like this:
interface GigabitEthernet0/1
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode restrict
spanning-tree portfast
If I configure "no dot1x violation-mode protect" the switch accepts the command, but it doesn't remove the entry from the interface.
If I configure "no dot1x pae authenticator" the switch removes the whole config from the interface except "switchport mode access" and "spanning-tree...".
I don't understand what the problem is?! Is it not possible to use MAC authentication bypass without dot1x (-> pae command) and violation-mode in this IOS version???
The violation-mode avoids the contact to the radius server. :-(
Thank you for your help.
Greetings Lydia
Hey,
1. Does somebody know if you can use standalone MAB with dot1x guest vlan?
I tried it and the guest VLAN was not set. Is it required to configure dot1x with the shortest timeout, so that MAB starts fast and, if it fails, there is the guest VLAN?
2. In the config guide there is a sample configuration for standalone MAB. I'm wondering why they configure "switchport access vlan 40"??? In what situation does this take effect? Is it like the guest VLAN? So, if MAB fails, the port is configured with VLAN 40???
interface FastEthernet2/48
switchport access vlan 40
switchport mode access
authentication port-control auto
mab
spanning-tree portfast
spanning-tree bpduguard enable
Greetings Lydia -
Cisco 1941W configure mac authentication in wireless
Dear all,
I would appreciate it if anyone knows how to configure MAC authentication on the 1941W router.
Perhaps someone can show me an example of configuring MAC authentication on the 1941W router.
Hi,
Below is the configuration for MAC authentication bypass on a Cisco 1900 router:
c1921> enable
c1921# configure terminal
c1921(conf)#interface gigabitethernet slot / port
c1921(conf-if)# authentication port-control auto
c1921(conf-if)# mab
c1921(conf-if)# end
You can verify using the commands below:
c1921#show authentication sessions
Interface MAC Address Method Domain Status Session ID
Gi0/1 0201.0201.0201 mab DATA Authz Success 0303030300000004002500A8
c1921#show authentication sessions interface Gi0/1
Interface: GigabitEthernet0/1
MAC Address: 0201.0201.0201
IP Address: Unknown
User-Name: 02-01-02-01-02-01
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
AAA Policies:
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0303030300000004002500A8
Acct Session ID: 0x00000007
Handle: 0x3D000005
Runnable methods list:
Method State
mab Authc Success
For more details, refer to the link below:
http://www.cisco.com/c/en/us/td/docs/routers/access/1900/software/configuration/guide/Software_Configuration/conf.pdf
Thanks & Regards
Sandeep -
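As an added example (not from Sandeep's reply or from Cisco), a Python parser for the two 'show authentication sessions' forms quoted in the 1900 router answer above. It lists the ports whose session was authorized by MAB rather than 802.1X and checks that a session's User-Name is the MAC the port learned; the sample output is constructed to mirror the quoted format, not captured from a device.

```python
import re

# Constructed sample output, modelled on the 'show authentication sessions'
# lines quoted in the reply above; none of it was captured from a real device.
SESSIONS_BRIEF = """\
Interface    MAC Address        Method   Domain   Status          Session ID
Gi0/1        0201.0201.0201     mab      DATA     Authz Success   0303030300000004002500A8
Gi0/2        0202.0202.0202     dot1x    DATA     Authz Success   0303030300000005002500A9
Gi0/3        0203.0203.0203     mab      DATA     Authz Failed    0303030300000006002500AA
"""

SESSION_DETAIL = """\
            Interface:  GigabitEthernet0/1
          MAC Address:  0201.0201.0201
           IP Address:  Unknown
            User-Name:  02-01-02-01-02-01
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  single-host
        Authorized By:  Authentication Server
    Common Session ID:  0303030300000004002500A8
"""

_ROW = re.compile(
    r"^(?P<interface>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>Authz\s+\S+|\S+)\s+"
    r"(?P<session_id>\S+)\s*$", re.IGNORECASE)


def parse_sessions_brief(text):
    """Parse the table form into dicts; the header and blank lines do not match."""
    rows = []
    for line in text.splitlines():
        match = _ROW.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def mab_authorized(rows):
    """(interface, mac) pairs whose session was authorized via MAB.

    These are the ports where identity rests on a MAC address alone, so they
    are the ones to reconcile against the device inventory during an audit.
    """
    return [(r["interface"], r["mac"]) for r in rows
            if r["method"].lower() == "mab"
            and r["status"].lower() == "authz success"]


def parse_session_detail(text):
    """Turn the per-interface 'Key:  Value' listing into a dict."""
    detail = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        detail[key.strip()] = value.strip()
    return detail


def _flat(mac):
    # Reduce dotted or dashed notation to 12 lowercase hex digits.
    return re.sub(r"[.:-]", "", mac).lower()


def detail_consistent(detail):
    """True when the RADIUS identity matches the MAC the port learned.

    User-Name is dash separated while MAC Address is dotted, so both are
    flattened before comparison. A server-authorized session whose User-Name
    is not the port's MAC is worth a closer look.
    """
    return (_flat(detail.get("User-Name", "")) == _flat(detail.get("MAC Address", ""))
            and detail.get("Authorized By") == "Authentication Server")
```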
Macs joined to AD Domain, and 802.1x/mab authentication problems
Hello, I've got a situation where I have a small handful of Mac Pros running OS 10.6 that are having some trouble with wired 802.1x/MAB (MAC Authentication Bypass) on our Cisco switches. We have our Macs set up so that they authenticate to our Windows domain for user login; plus, we have 802.1x authentication (for our Windows clients) and MAB bypass for our Macs, printers, and assorted other equipment. The problem seems to be that the Mac boots up before the switch goes into MAB bypass and won't let the user log in to the network. Has anyone run across this problem before and found a solution?
Hello,
In my organization we have multiple 3560/2960 series switches and some 4500s with MAB.
The interfaces have the following config:
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer restart 120
authentication timer reauthenticate server
authentication timer inactivity 600
mab
dot1x pae authenticator
Good luck -
Sg300 - 802.1x NPS - mac authentication not working
I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
My current port configuration on the SG300:
interface fastethernet1
dot1x guest-vlan enable
dot1x max-req 1
dot1x reauthentication
dot1x timeout quiet-period 10
dot1x authentication 802.1x mac
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode access
On the Windows NPS server the following error is shown:
Authentication Details:
Connection Request Policy Name: Secure Wire
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: myradius.local
Authentication Type: -
EAP Type: -
Account Session Identifier: 30353030399999
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
Compared to the message from the 3850, the authentication type (PAP) is missing and a not very helpful error message is displayed...
Still not working.
I tried different settings and (also older) software versions on the SF302-08P.
Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
The NPS reports the following error:
Schannel:
The following fatal alert was received: 40.
EventID 36887
If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
... is this a bug on the SF302-08P? -
Urgent 802.1x and MAC-Authentication Problem
Hi all
I want to deploy MAC authentication in my network, and I have 3000 users. In the lab the authentication for the machine takes:
Vista: 15 - 20 seconds
XP: 30 - 35 seconds
Is there any way to reduce this time to less than 10 seconds? My user count is 3000; will the time get bigger because of this?
Please help me.
Thanks and Best Regards
amady
With ACS, you can set up NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
Mac-auth-bypass fails MAC: 0000.0000.0000
I have an old JetDirect that doesn't support 802.1x. I have enabled MAB on the port where it connects, but for some reason MAB fails. I enabled dot1x debug and will paste the output here in a few. I know my dot1x config is good; I have clients authenticating via RADIUS to my ACS server. I also have another port using MAB (not a JetDirect, though); both ports are configured identically. From the debugs, it seems that the switch can't glean the MAC of the JetDirect. Any ideas? This is a 3750 with 12.2(44)SE2. I've tried to shut/no shut the interface and reset the JetDirect; nothing seems to work. I see no requests on my ACS server for this device's MAC address.
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.168.x.x auth-port 1645 acct-port 1646
interface FastEthernet2/0/31
description A002 White
switchport access vlan 112
switchport mode access
switchport voice vlan 800
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x mac-auth-bypass eap
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-domain
dot1x violation-mode restrict
dot1x timeout tx-period 2
dot1x timeout supp-timeout 10
spanning-tree portfast
spanning-tree bpduguard enable
012729: May 5 14:51:31.672: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
012730: May 5 14:51:32.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/31, changed state to up
012731: May 5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
012732: May 5 14:51:33.727: dot1x-sm:Posting EAP_REQ on Client=4219220
012733: May 5 14:51:33.727: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7(eapReq)
012734: May 5 14:51:33.727: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_request
012735: May 5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_ request_action called
012736: May 5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_ enter called
012737: May 5 14:51:33.727: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
012738: May 5 14:51:33.727: dot1x-ev:FastEthernet2/0/31:Sending EAPOL packet to group PAE address
012739: May 5 14:51:33.727: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet2/0/31.
012740: May 5 14:51:33.727: dot1x-registry:registry:dot1x_ether_macaddr called
012741: May 5 14:51:33.727: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet2/0/31
012742: May 5 14:51:33.727: EAPOL pak dump Tx
012743: May 5 14:51:33.727: EAPOL Version: 0x2 type: 0x0 length: 0x0005
012744: May 5 14:51:33.727: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
012745: May 5 14:51:33.727: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
012746: May 5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012747: May 5 14:51:35.791: dot1x-sm:Posting EAP_TIMEOUT on Client=4219220
012748: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12(eapTimeout)
012749: May 5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_timeout
012750: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter called
012751: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action called
012752: May 5 14:51:35.791: dot1x_auth_bend Fa2/0/31: idle during state auth_bend_timeout
012753: May 5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_timeout ->auth_bend_idle
012754: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
012755: May 5 14:51:35.791: dot1x-sm:Posting AUTH_TIMEOUT on Client=4219220
012756: May 5 14:51:35.791: dot1x_auth Fa2/0/31: during state auth_authenticating, got event 15(authTimeout)
012757: May 5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012758: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
012759: May 5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_ente r called
012760: May 5 14:51:35.791: dot1x_auth_mab : initial state mab_initialize has enter
012761: May 5 14:51:35.791: dot1x_auth_mab : during state mab_initialize, got event 2(mabStart)
012762: May 5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
012763: May 5 14:53:08.831: dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)
HQ_1stFlr_3750#sh dot1x int fa2/0/31 det
Dot1x Info for FastEthernet2/0/31
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = MULTI_DOMAIN
Violation Mode = RESTRICT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 10
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 2
RateLimitPeriod = 0
Mac-Auth-Bypass = Enabled (EAP)
Inactivity Timeout = None
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
Is this JetDirect card using DHCP to get an IP address? If not, then the JetDirect will not generate any outbound traffic for the switch to authenticate. To test this, use the front panel of the printer to send out a ping packet and see if that triggers the MAB.