Authentication, Authorization, and Accounting Configuration Guide, Cisco IOS Release 12.4 – Configuring MAC Authentication Bypass
This feature grants network access to devices based on MAC address regardless of 802.1x capability or credentials.
The following commands were introduced or modified: authentication periodic, authentication port-control, authentication timer inactivity, authentication timer reauthenticate, authentication timer restart, authentication violation, debug authentication, mab, show authentication interface, show mab, show authentication registrations, show authentication sessions.
Configuration Examples for Configuring MAC Authentication Bypass
This section contains the following example:
• Example: Standalone MAB Configuration
Contents
• Prerequisites for Configuring MAC Authentication Bypass
• Information About Configuring MAC Authentication Bypass
• How to Configure Configuring MAC Authentication Bypass
• Configuration Examples for Configuring MAC Authentication Bypass
• Additional References
• Feature Information for Configuring MAC Authentication Bypass
Enabling Reauthentication on a Port
By default, ports are not automatically reauthenticated. You can enable automatic reauthentication and specify how often reauthentication attempts are made.
Example: Standalone MAB Configuration
The following example shows how to configure standalone MAB on a port. In this example, the client is reauthenticated every 1200 seconds and the connection is dropped after 600 seconds of inactivity.
enable
configure terminal
interface GigabitEthernet2/1
switchport
switchport mode access
switchport access vlan 2
authentication port-control auto
mab
authentication violation shutdown
authentication timer restart 30
authentication periodic
authentication timer reauthenticate 1200
authentication timer inactivity 600
Feature Information for Configuring MAC Authentication Bypass
Table 1 lists the features in this module and provides links to specific configuration information.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the “Feature Information for Configuring MAC Authentication Bypass” section.
How to Configure Configuring MAC Authentication Bypass
This section contains the following tasks:
• Enabling MAC Authentication Bypass
• Enabling Standalone MAB
• Enabling Reauthentication on a Port
• Specifying the Security Violation Mode
Information About Configuring MAC Authentication Bypass
• Overview of the Cisco IOS Auth Manager
• Standalone MAB
Overview of the Cisco IOS Auth Manager
The capabilities of devices connecting to a given network can be different, thus requiring that the network support different authentication methods and authorization policies. The Cisco IOS Auth Manager handles network authentication requests and enforces authorization policies regardless of authentication method.
The possible states for Auth Manager sessions are as follows:
Prerequisites
Before you can configure standalone MAB, the switch must be connected to a Cisco Secure ACS server and RADIUS authentication, authorization, and accounting (AAA) must be configured.
Prerequisites for Configuring MAC Authentication Bypass
• IEEE 802.1x—Port-Based Network Access Control
Restrictions
Standalone MAB can be configured on switched ports only—it cannot be configured on routed ports.
Security Configuration Guide, Cisco IOS Release 15.2(7)EX (Catalyst 2960-L Switches) – MAC Authentication Bypass
A MAC Authentication Bypass (MAB) operation involves authentication using RADIUS Access-Request packets with both the username and password attributes. By default, the username and the password values are the same and contain the MAC address. The Configurable MAB Username and Password feature enables you to configure both the username and the password attributes in the following scenarios:
The Configurable MAB Username and Password feature allows interoperability between the Cisco IOS Authentication Manager and the existing MAC databases and RADIUS servers. The password is a global password and hence is the same for all MAB authentications and interfaces. This password is also synchronized across all supervisor devices to achieve high availability.
If the password is not provided or configured, the password uses the same value as the username. The table below describes the formatting of the username and the password:
MAC Address | Username Format (Group Size, Separator) | Username | Password Configured | Password Created |
---|---|---|---|---|
08002b8619de | (1, :) / (1, -) / (1, .) | 0:8:0:0:2:b:8:6:1:9:d:e / 0-8-0-0-2-b-8-6-1-9-d-e / 0.8.0.0.2.b.8.6.1.9.d.e | None | 0:8:0:0:2:b:8:6:1:9:d:e / 0-8-0-0-2-b-8-6-1-9-d-e / 0.8.0.0.2.b.8.6.1.9.d.e |
08002b8619de | (1, :) / (1, -) / (1, .) | 0:8:0:0:2:b:8:6:1:9:d:e / 0-8-0-0-2-b-8-6-1-9-d-e / 0.8.0.0.2.b.8.6.1.9.d.e | Password | Password |
08002b8619de | (2, :) / (2, -) / (2, .) | 08:00:2b:86:19:de / 08-00-2b-86-19-de / 08.00.2b.86.19.de | None | 08:00:2b:86:19:de / 08-00-2b-86-19-de / 08.00.2b.86.19.de |
08002b8619de | (2, :) / (2, -) / (2, .) | 08:00:2b:86:19:de / 08-00-2b-86-19-de / 08.00.2b.86.19.de | Password | Password |
08002b8619de | (4, :) / (4, -) / (4, .) | 0800:2b86:19de / 0800-2b86-19de / 0800.2b86.19de | None | 0800:2b86:19de / 0800-2b86-19de / 0800.2b86.19de |
08002b8619de | (4, :) / (4, -) / (4, .) | 0800:2b86:19de / 0800-2b86-19de / 0800.2b86.19de | Password | Password |
08002b8619de | (12, not applicable) | 08002b8619de | None | 08002b8619de |
08002b8619de | (12, not applicable) | 08002b8619de | Password | Password |
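The username and password derivation in the table above, written out as an added example (not Cisco's code): given a group size and separator, it produces the RADIUS username the switch would send for a MAC and the password that results when no global MAB password is configured, so the entries in a MAC database or RADIUS server can be generated to match the switch's format. Lowercase hex digits are assumed, as in the table; the function names are my own.

```python
# Added example, not from the Cisco guide: reproduce the Configurable MAB
# Username and Password formatting so expected RADIUS entries can be checked.
import re

VALID_GROUP_SIZES = (1, 2, 4, 12)   # group sizes shown in the table
VALID_SEPARATORS = (":", "-", ".")  # separators shown in the table


def normalize_mac(mac):
    """Strip any separators and return the 12 hex digits in lowercase."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return digits


def mab_username(mac, group_size, separator=None):
    """Format the MAC as the MAB username: hex digits in groups of
    group_size joined by separator. Group size 12 takes no separator."""
    if group_size not in VALID_GROUP_SIZES:
        raise ValueError("group size must be one of %r" % (VALID_GROUP_SIZES,))
    digits = normalize_mac(mac)
    if group_size == 12:
        return digits
    if separator not in VALID_SEPARATORS:
        raise ValueError("separator must be one of %r" % (VALID_SEPARATORS,))
    groups = [digits[i:i + group_size] for i in range(0, 12, group_size)]
    return separator.join(groups)


def mab_credentials(mac, group_size, separator=None, configured_password=None):
    """Return (username, password). With no global MAB password configured
    the password equals the username (the table rows marked 'None')."""
    username = mab_username(mac, group_size, separator)
    password = configured_password if configured_password else username
    return username, password


def expected_mab_entries(macs, group_size, separator=None, configured_password=None):
    """Map username -> password for every endpoint MAC, i.e. the entries a
    MAC database or RADIUS server needs for MAB to succeed in this format."""
    return dict(mab_credentials(m, group_size, separator, configured_password)
                for m in macs)
```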
Specifying the Security Violation Mode
When there is a security violation on a port, the port can be shut down or traffic can be restricted. By default, the port is shut down. You can configure the period of time for which the port is shut down.
Summary Steps
1. enable
2. configure terminal
3. interface type slot/port
4. switchport
5. switchport mode access
6. authentication port-control auto
7. mab [eap]
8. authentication violation {restrict | shutdown}
9. authentication timer restart seconds
10. end