
cisco mab configuration


As data networks become increasingly indispensable in day-to-day business operations, the possibility that unauthorized people or devices will gain access to controlled or confidential information also increases. When deploying MAB as part of a larger access-control solution, Cisco recommends a phased deployment model that gradually deploys identity-based access control to the network. To help ensure the integrity of the authenticated session, sessions must be cleared when the authenticated endpoint disconnects from the network. Cisco Catalyst switches allow you to address multiple use cases by modifying the default behavior. When the inactivity timer is enabled, the switch monitors the activity from authenticated endpoints. This section describes the timers on the switch that are relevant to the MAB authentication process in an IEEE 802.1X-enabled environment. MAB is compatible with Web Authentication (WebAuth). The various host modes and their applications are discussed in this section. Be aware that MAB endpoints cannot recognize when a VLAN changes. Control direction works the same with MAB as it does with IEEE 802.1X. With some RADIUS servers, you simply enter the MAC addresses in the local user database, setting both the username and password to the MAC address.

The session timer uses the same RADIUS Session-Timeout attribute (Attribute 27) as the server-based reauthentication timer described earlier with the RADIUS Termination-Action attribute (Attribute 29) set to Default. MAB offers the following benefits on wired networks: When the RADIUS server is unavailable, MAB fails and, by default, all endpoints are denied access. No further authentication methods will be tried if MAB succeeds. This is the default behavior.

*Mar 8 14:52:40.512: %MAB-5-FAIL: Authentication failed for client (Unknown MAC) on Interface Et0/1 AuditSessionID AC10630100000002000ADDB6
*Mar 8 14:52:40.512: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (Unknown MAC) on Interface Et0/1 AuditSessionID AC10630100000002000ADDB6.

DHCP snooping is fully compatible with MAB and should be enabled as a best practice. If no response is received after the maximum number of retries, the switch will let IEEE 802.1X time out and proceed to MAB. This feature does not work for MAB. Before choosing to store MAC addresses on the RADIUS server, you should address several concerns. MAB enables port-based access control using the MAC address of the endpoint. No automated method can tell you which endpoints are valid corporate-owned assets. Simple Network Management Protocol (SNMP) MAC address notification traps, syslogs, and network management tools such as CiscoWorks LAN Management Solution (LMS) may also contain MAC address information. If a different MAC address is detected on the port after an endpoint has authenticated with MAB, a security violation is triggered on the port.

In any event, before deploying Active Directory as your MAC database, you should address several considerations. This is the default behavior. IEEE 802.1X Deployment Scenarios Design Guide: Decide how many endpoints per port you must support and configure the most restrictive host mode. MAC Authentication Bypass Deployment Guide When deploying MAB as part of a larger access control solution, Cisco recommends a phased deployment model that gradually deploys identity-based access control to the network. For example, endpoints that are known to be quiet for long periods of time can be assigned a longer inactivity timer value than chatty endpoints. The switch initiates authentication by sending an Extensible Authentication Protocol (EAP) Request-Identity message to the endpoint. Requirements. Note that even though IEEE 802.1X is not enabled on the port, the global authentication, authorization, and accounting (AAA) configuration still uses the dot1x keyword. One access control technique that Cisco provides is called MAC Authentication Bypass (MAB).

If IEEE 802.1X times out (or is not configured) and MAB fails, the port can be moved to the Guest VLAN, a configurable VLAN for which restricted access can be enforced. There are several ways to work around the reinitialization problem. For example, Microsoft IAS and NPS servers cannot query external LDAP databases.

The advantage of this approach over the local Guest VLAN and AuthFail VLAN is that the RADIUS server is aware of and in control of unknown endpoints. MAB uses the MAC address of a device to determine the level of network access to provide. RADIUS accounting is fully compatible with MAB and should be enabled as a best practice. In monitor mode, MAB is performed on every endpoint, but the endpoint's network access is not affected regardless of whether MAB passes or fails.

When assigning MAC addresses to devices, vendors set the first three octets to a specific value called the organizationally unique identifier (OUI).
