Configure Mac Authentication Bypass (MAB) in ACS 5.1

Hello,
I am a newbie in ACS 5.1 and UAC.
I configured a MAB Access Service, but I get this error in the RADIUS Monitoring: 15024: PAP is not allowed.
However, I did not configure PAP anywhere. Any idea what I am doing wrong?
I did not configure any protocols, just 'Process Host Lookup'.
Thanks a lot
Karien

Hi,
You can authenticate hosts with the ACS internal DB or AD; however, please note that if you want to do MAB in AD you need to configure users with the MAC address of the machine in the same way you create the users on ACS.
On the other hand, if the goal is to authenticate the hosts with the hostname itself, it is different from MAB, and you can use the AD DB if the PCs are registered to the domain, without any further configuration on the AD side.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

    Hi experts,
    I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
    i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario:
    Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time staff plug into the company's network, they will need to supply a username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine does not match the ACS database, then the staff will not be able to gain access until they notify the administrator about it.
    ii. If it is possible, is there any reference that I can check on how to configure this?
    The reason why I need MAC authentication + 802.1x to be configured at ACS is that most of our switches are not Cisco based and are only capable of supporting 802.1x.
    Hope anyone here could help me on this.
    Thanks very much,
    Daniel

    With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
    Specific info is here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
    Hope this helps,

  • 802.1x: MAC Authentication Bypass

    Hey sorry for keeping bugging you guys...
    So I am configuring this Bypass thing on my 3750 switch. It works fine. It seems the switch will send an access request to the RADIUS server (I use FreeRadius) with the username/password both as the MAC address of the device.
    However my dilemma is that I have 200+ of these devices. I can easily create a user group with MAC starting with 00a008 (which are the first 3 octets of the MAC addresses), however it's impossible to include each of the MAC addresses as the password!
    So my question is whether there is a way to configure the switch to use a static string as the password for all the devices using MAC Authentication Bypass?
    Thank you!!
    Difan

    Difan:
    I went through your post and understand that you are in the process of configuring 802.1x with MAB in such a way that you use a custom password (other than the MAC address) for all users, OR a shared password string that should be sent by the switch, but this is not possible.
    Reason: The switch only sends the device MAC address as the username and password. The username should be the MAC address of the client and the password should be the same as the username, and this can't be changed on Cisco switches.
    I have also attached a document regarding MAB for your better understanding.
    This forum is only for you guys...keep bugging us
    HTH
    JK
    Pls rate helpful posts-

  • Cisco 1941W configure mac authentication in wireless

    Dear all, 
    I would appreciate it if anyone could tell me how to configure MAC authentication on the 1941W router.
    Perhaps someone can show me an example of configuring MAC authentication on the 1941W router.

    Hi,
    Below is the configuration for mac authentication bypass on cisco 1900 router
    c1921> enable
    c1921# configure terminal
    c1921(conf)#interface gigabitethernet slot / port
    c1921(conf-if)# authentication port-control auto
    c1921(conf-if)# mab
    c1921(conf-if)# end
    You can verify using the command below:
    c1921#show authentication sessions 
    Interface MAC Address Method Domain Status Session ID
    Gi0/1 0201.0201.0201 mab DATA Authz Success 0303030300000004002500A8
    c1921#show authentication sessions interface Gi0/1
     Interface: GigabitEthernet0/1
     MAC Address: 0201.0201.0201
     IP Address: Unknown
     User-Name: 02-01-02-01-02-01
     Status: Authz Success
    Domain: DATA
     Oper host mode: single-host
     Oper control dir: both
     Authorized By: Authentication Server
     Vlan Group: N/A
     AAA Policies: 
     Session timeout: N/A
     Idle timeout: N/A
     Common Session ID: 0303030300000004002500A8
     Acct Session ID: 0x00000007
     Handle: 0x3D000005
    Runnable methods list:
     Method State
     mab Authc Success
    For more details refer the below link:
    http://www.cisco.com/c/en/us/td/docs/routers/access/1900/software/configuration/guide/Software_Configuration/conf.pdf
    Thanks & Regards
    Sandeep

  • Machine MAC authentication by ACS

    Hi,
    I have 1 AP 1240 & ACS 4.1 Solution Engine.
    I want to authenticate internal users by their MAC addresses (that is created into ACS database) after selecting appropriate SSID from the AP.
    Let me give you an idea of the setup & config:
    I have a DHCP server in the network from where users will get IP addresses.
    I have created 2 VLANs in the switch & made the port that is connected to the AP a "Trunk". VLAN 1 is the native VLAN (the AP & ACS are assigned IP addresses from the native VLAN range) & VLAN 2 is for Internal Users.
    Radio interfaces are mapped to the VLAN ID & the SSID is mapped to the VLAN as well in the AP.
    MAC addresses are configured in ACS (without any space, comma, special character... the MAC addresses are entered manually in the ACS to avoid the generation of any phantom character).
    The problem is "Users are not getting IP addresses from the DHCP pool created in the switch" after selecting the SSID.
    Please try to help me out with this...

    You can try to disable aironet extensions & enable the SSID as guest mode SSID. Also, try to change the datarates to enable. Else, configure MAC authentication and disable SSID as guest mode SSID.

  • 2960 - mac-auth-bypass

    Hello,
    we want to use standalone mac authentication bypass (with freeradius).
    Yesterday we tested it with a catalyst 3750 IOS 12.2(35) and it was working fine! The config on an interface looked like that:
    (config-if)switchport mode access
    (config-if)authentication port-control auto
    (config-if)mab
    (config-if)spanning-tree portfast
    Today we tried to do the same with a catalyst 2960 IOS 12.2(44). I want to configure the interface like on the 3750, but I can't.
    Every time I write the command "dot1x mac-auth-bypass" (I think this is the corresponding command to "mab") the switch automatically configures "dot1x pae authenticator" and "dot1x violation-mode protect" on the interface. So it looks like this:
    interface GigabitEthernet0/1
    switchport mode access
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x violation-mode restrict
    spanning-tree portfast
    If I configure "no dot1x violation-mode protect" the switch accepts the command, but it doesn't remove the entry from the interface.
    If I configure "no dot1x pae authenticator" the switch removes the whole config from the interface except "switchport mode access" and "spanning-tree...".
    I don't understand what the problem is?! Is it not possible to use mac authentication bypass without dot1x (-> pae command) and violation-mode in this IOS version???
    The violation-mode avoids the contact to the radius server. :-(
    Thank you for your help.
    Greetings Lydia

    Hey,
    1. Does somebody know if you can use standalone MAB with dot1x guest vlan?
    I tried it and the guest vlan was not set. Is it required to configure dot1x with the shortest timeout, so that MAB starts fast and, if it fails, there is the guest vlan?
    2. In the config guide there is a sample configuration for standalone MAB. I'm wondering why they configure "switchport access vlan 40"??? In what situation does this take effect? Is it like the guest vlan? So, if MAB fails, the port is configured with vlan 40???
    interface FastEthernet2/48
    switchport access vlan 40
    switchport mode access
    authentication port-control auto
    mab
    spanning-tree portfast
    spanning-tree bpduguard enable
    Greetings Lydia

  • MAC authentication failed for Wired Users

    Hi,
    I tried to configure MAC authentication for registered users by ACS. But failed. Need help.

    OK, I got your point. Please correct my config steps:
    1. Added switch as aaa client into acs
    2. Entered the machine MAC address into ACS user-setup as both username & password.
    3. In 64, 65 & 81 (in both group & user setup) chose 64=vlan; 65=802; 81=authenticated_vlan_id
    4. in switch
    aaa new-model
    aaa authentication dot1x default group radius
    radius-server host acs_ip auth-port 1645 acct-port 1646 key ****
    dot1x system-auth-control
    int fa0/1
    switchport mode access
    dot1x mac-auth-bypass
    dot1x port-control auto
    dot1x reauthentication
    dot1x pae authenticator
    dot1x guest-vlan 900
    Note: Whenever I issue the command "port-control auto" the line protocol of the port goes down.
    5. in end machine disable ieee 802.1x authentication.
    I will try this setting tomorrow & update you accordingly.

  • MAC Authentication Bypass

    When using MAC Authentication Bypass and a switch is reset because of an upgrade, there is a period of 1 to 2 minutes when the MAB fails after the switch is already back up. Logging in to the switch also fails during this time. Is there a way to get rid of this delay? I need AAA to work right away because this causes users downtime.
    Thanks in Advance,
    Alex Pfeil

    I figured out what was wrong so thank you for stopping by.
    I will publish the config for other people to see.
    Regards,

  • MAC Authentication on autonomous APs

    Hi!
    Has anyone here tried MAC authentication using Aironet 1200 series? If so, can you please tell me how to do it? Because I've been trying to make it work and it just won't work. Thanks!
    Regards

    Hi,
    Are you talking about radius mac-authentication ?
    The steps to configure MAC authentication on the ACS server and AP :
    [1] Go to Server Manager
    In the Corporate Servers -->Current Server List
    -- Select the Radius Server in the drop down.
    -- Specify the Server IP address in the Server: field
    -- Specify the Shared Secret in the Shared Secret: field
    -- Set the Authentication Port (optional): 1645 and the Accounting Port (optional): 1646
    - click on Apply
    -- In the Default Server Priorities and under MAC Authentication
    -- In the drop down Priority 1: select the IP address of the ACS server and click on Apply
    [2] Go to SSID Manager
    -- Select the ssid, In case a new SSID needs to be created create a new ssid.
    -- In Authentication Settings --> Methods Accepted: --> check on Open Authentication:
    --> Select with Mac Authentication from the drop down menu.
    - Click on the Apply all button to save this setting
    [3] Go to Advanced Security
    -- In the MAC Address Authentication -->MAC Addresses Authenticated by:
    -- Select Authentication Server Only and click on Apply
    On the ACS server, create users with user names and passwords set to the MAC address of the
    clients. These user names/passwords should NOT have any spaces or dots in between them.
    Regards,
    ~JG

  • Configuring the Access Point 1602 IOS 15.2(2)JAX as a Local RADIUS for a MAC authenticator

    Hello Everyone,
    I have an issue with my Cisco 1602 WAP. I am trying to configure the WPA-PSK and MAC authentication on local RADIUS but I don't know why it doesn't work and client can bypass the MAC authentication. below is partial configuration:
    dot11 ssid WLAN
       vlan 20
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 XXX
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     encryption vlan 20 mode ciphers aes-ccm
     ssid WLAN
     antenna gain 0
     stbc
     beamform ofdm
     mbssid
     channel 2462
     station-role root
    interface Dot11Radio0.20
     encapsulation dot1Q 20 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface BVI1
     ip address 10.133.16.2 255.255.255.128
     no ip route-cache
    radius-server local
        nas 10.133.16.2 key 7 10.133.16.2
      group MAC
        vlan 20
        ssid WLAN
        block count 3 time infinite
        reauthentication time 1800
     user 54724f80421c  password 54724f80421c group MAC 
    Further information can be provided by request.
    Cheers,
    Parham

    what are you trying to accomplish?
    With the PSK you aren't telling the client it needs to do .1x auth for the Mac authentication.
    If you are just trying to keep some clients off the wireless, I would take a look at doing a MAC ACL (ACL 700)
    HTH,
    Steve

  • ACS Server MAC Authentication with Windows Database

    Has anyone setup an ACS Server 3.2 for MAC authentication using Windows as the authentication. The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.

    Here is the link for setting up MAC authentication using the CiscoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml

  • Mac-auth-bypass fails MAC: 0000.0000.0000

    I have an old JetDirect that doesn't support 802.1x. I have enabled MAB on the port where it connects, but for some reason MAB fails. I enabled dot1x debug and will paste the output below. I know my dot1x config is good: I have clients authenticating via RADIUS to my ACS server. I also have another port using MAB, not a JetDirect though; both ports are configured identically. From the debugs, it seems that the switch can't glean the MAC of the JetDirect. Any ideas? This is a 3750 with 12.2(44)SE2. I've tried to shut/no shut the interface and reset the JetDirect; nothing seems to work. I see no requests on my ACS server for this device's MAC address.
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    radius-server host 192.168.x.x auth-port 1645 acct-port 1646
    interface FastEthernet2/0/31
    description A002 White
    switchport access vlan 112
    switchport mode access
    switchport voice vlan 800
    switchport port-security maximum 3
    switchport port-security
    switchport port-security aging time 2
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    srr-queue bandwidth share 10 10 60 20
    srr-queue bandwidth shape  10  0  0  0
    mls qos trust device cisco-phone
    mls qos trust cos
    auto qos voip cisco-phone
    dot1x mac-auth-bypass eap
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-domain
    dot1x violation-mode restrict
    dot1x timeout tx-period 2
    dot1x timeout supp-timeout 10
    spanning-tree portfast
    spanning-tree bpduguard enable
    012729: May  5 14:51:31.672: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
    012730: May  5 14:51:32.586: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0/31, changed state to up
    012731: May  5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
    012732: May  5 14:51:33.727: dot1x-sm:Posting EAP_REQ on Client=4219220
    012733: May  5 14:51:33.727:     dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 7(eapReq)
    012734: May  5 14:51:33.727: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_request
    012735: May  5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_request_action called
    012736: May  5 14:51:33.727: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_enter called
    012737: May  5 14:51:33.727: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
    012738: May  5 14:51:33.727: dot1x-ev:FastEthernet2/0/31:Sending EAPOL packet to group PAE address
    012739: May  5 14:51:33.727: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet2/0/31.
    012740: May  5 14:51:33.727: dot1x-registry:registry:dot1x_ether_macaddr called
    012741: May  5 14:51:33.727: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet2/0/31
    012742: May  5 14:51:33.727: EAPOL pak dump Tx
    012743: May  5 14:51:33.727: EAPOL Version: 0x2  type: 0x0  length: 0x0005
    012744: May  5 14:51:33.727: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
    012745: May  5 14:51:33.727: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
    012746: May  5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
    012747: May  5 14:51:35.791: dot1x-sm:Posting EAP_TIMEOUT on Client=4219220
    012748: May  5 14:51:35.791:     dot1x_auth_bend Fa2/0/31: during state auth_bend_request, got event 12(eapTimeout)
    012749: May  5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_timeout
    012750: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_timeout_enter called
    012751: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_request_timeout_action called
    012752: May  5 14:51:35.791:     dot1x_auth_bend Fa2/0/31: idle during state auth_bend_timeout
    012753: May  5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_timeout ->auth_bend_idle
    012754: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_bend_idle_enter called
    012755: May  5 14:51:35.791: dot1x-sm:Posting AUTH_TIMEOUT on Client=4219220
    012756: May  5 14:51:35.791:     dot1x_auth Fa2/0/31: during state auth_authenticating, got event 15(authTimeout)
    012757: May  5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
    012758: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_authenticating_exit called
    012759: May  5 14:51:35.791: dot1x-sm:Fa2/0/31:0000.0000.0000:auth_fallback_enter called
    012760: May  5 14:51:35.791:     dot1x_auth_mab : initial state mab_initialize has enter
    012761: May  5 14:51:35.791:     dot1x_auth_mab : during state mab_initialize, got event 2(mabStart)
    012762: May  5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
    012763: May  5 14:53:08.831:     dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)
    HQ_1stFlr_3750#sh dot1x int fa2/0/31 det
    Dot1x Info for FastEthernet2/0/31
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = MULTI_DOMAIN
    Violation Mode            = RESTRICT
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 30
    SuppTimeout               = 10
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 2
    RateLimitPeriod           = 0
    Mac-Auth-Bypass           = Enabled (EAP)
        Inactivity Timeout    = None
    Dot1x Authenticator Client List Empty
    Port Status               = UNAUTHORIZED

    Is this JetDirect card using DHCP to get an IP address? If not, then the JetDirect will not generate any outbound traffic for the switch to authenticate. To test this, use the front panel of the printer to send out a ping packet and see if that triggers the MAB.
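
A parser for the dot1x debug output in the thread above, added here as an example (it is not part of the original posts): it rebuilds each state machine's last state from the `@@@` transition lines and flags the pattern the reply points at, a port that fell back to MAB and is waiting in mab_acquiring while the only MAC in the debug is 0000.0000.0000. The sample lines are copied from the debug above; the function names and finding texts are assumptions of this example.

```python
import re

# Subset of the debug lines posted above, copied as-is.
SAMPLE = """\
012731: May  5 14:51:33.727: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
012734: May  5 14:51:33.727: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_request
012746: May  5 14:51:35.791: dot1x-ev:Received an EAP Timeout on FastEthernet2/0/31 for mac 0000.0000.0000
012749: May  5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_request ->auth_bend_timeout
012753: May  5 14:51:35.791: @@@ dot1x_auth_bend Fa2/0/31: auth_bend_timeout ->auth_bend_idle
012757: May  5 14:51:35.791: @@@ dot1x_auth Fa2/0/31: auth_authenticating -> auth_fallback
012762: May  5 14:51:35.791: @@@ dot1x_auth_mab : mab_initialize -> mab_acquiring
012763: May  5 14:53:08.831:     dot1x_auth_mab : during state mab_acquiring, got event 3(mabResult) (ignored)
"""

NULL_MAC = "0000.0000.0000"
# "@@@ <machine> [<port>]: <old> -> <new>"; the arrow is not always spaced.
TRANSITION = re.compile(r"@@@ (\w+) ?([\w/]*): (\w+) ?-> ?(\w+)")
MAC = re.compile(r"\bmac ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
EVENT = re.compile(r"during state (\w+), got event \d+\((\w+)\)( \(ignored\))?")


def parse(log):
    """Return (last state per state machine, MACs seen, ignored events)."""
    states, macs, ignored = {}, set(), []
    for line in log.splitlines():
        m = TRANSITION.search(line)
        if m:
            states[m.group(1)] = m.group(4)
            continue
        m = MAC.search(line)
        if m:
            macs.add(m.group(1).lower())
        m = EVENT.search(line)
        if m and m.group(3):
            ignored.append((m.group(1), m.group(2)))
    return states, macs, ignored


def diagnose(log):
    """Return human-readable findings for one port's debug capture."""
    states, macs, _ = parse(log)
    findings = []
    if states.get("dot1x_auth") == "auth_fallback":
        findings.append("802.1X timed out and the port fell back to MAB")
    learned = macs - {NULL_MAC}
    if states.get("dot1x_auth_mab") == "mab_acquiring" and not learned:
        findings.append(
            "MAB is waiting in mab_acquiring and only the all-zero MAC "
            "appears: the device has not sent a frame the switch could "
            "learn a MAC from, so no RADIUS request is made"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print("-", finding)
```
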

  • WPA2 and mac authentication

    I am currently using WPA2-PSK. I want to add another layer of security. I know I could do EAP. I am also looking at MAC authentication. But I want to host the MAC list on an ACS server. Setting the MAC addresses on the ACS server is pretty cut and dry, but how can I configure the AP to look to the ACS server for its MAC list? And, how can I get WPA-PSK and MAC authentication to work together?

    Hi Jared,
    you can do this by setting up the following:
    Web interface:
    1. Security -> Server Manager
    Set up the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
    2. Security -> Advanced Security
    In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
    IOS Interface from config mode:
    aaa group server radius rad_mac
    server 10.20.40.37 auth-port 1645 acct-port 1646
    and
    aaa authentication login mac_methods group rad_mac
    or
    aaa authentication login mac_methods group rad_mac local (for local fallback)
    I have not tested this, because the MAC of the supplicants is too easy to sniff and any medium-skilled person may use a sniffed MAC to enter the first authentication stage!
    Better use a setup with EAP-FAST or PEAP!
    I hope that helps.
    Best regards,
    Frank

  • OS Lion of Apple don't authentication in the Secure ACS

    Hello my friends!!!!
    I have a problem: my OS Lion doesn't authenticate in the Secure ACS Version: 5.2.0.26.10.
    For the Mac Lion operating system to work you must put the MAC address of your computer in as an exception. I wonder how to make OS Lion authenticate against the ACS.
    Thank you!

    Hi,
    Are you using wpa2 authentication, also are you using MAR (machine access restrictions) in your global dot1x configuration? If that is the case, then you will not be able to authenticate. Please describe a little bit more about your issue.
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • PEAP with MAC authentication

    I am getting ready to deploy some access points and I am using MS PEAP with ACS and Active Directory. I was thinking about using MAC authentication as well but I noticed something. In order to get MAC authentication to work you have to put the MAC address in ACS as a user using the MAC address as both the username and password. When I connect to my access point it prompts me to enter a username and password; you normally would enter your Active Directory account here, but I noticed that if you just enter your MAC address as the username and password you can get onto the network. Isn't this a security hole? An attacker could basically "sniff" the air for MAC addresses since these are not encrypted. He could then easily spoof his MAC address and also use the MAC address as the username and password to gain access. Is there a way to avoid this?

    Hi,
    You could consider using Network Access Restrictions which is a form of MAC filtering and will prevent you from having to add the MAC addresses of users to your ACS database.
    This basically binds a client's MAC address to an access point, so if a user tries to log in from a different MAC address using their normal account it will be denied by ACS, so you are effectively binding users to MAC addresses from allowed Access Points.
    The MAC address could probably still be sniffed however this would not be enough to allow a login to the network.
    It's configured on a per user basis
    If you edit a user, scroll down to the
    "Define CLI/DNIS-based access restrictions" and tick the box
    Select the AP to which you will permit the client MAC from in the "AAA Client" drop down
    enter "*" for the port
    and enter the MAC address in the Address field
    I can't quite remember the format of the MAC address but I think it needs to be in HHHH.HHHHH.HHHH
    There's a white paper on it here:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
    HTH
    Paddy
