MAC Authentication Bypass
-> MAB is used to authenticate devices that are not 802.1X capable (e.g. printers, IP phones).
-> MAB is not a secure authentication method compared to the other authentication methods, because anyone can spoof a MAC address.
-> When MAB is enabled on a switch interface, the switch does the following:
i) The switch takes each new MAC address it sees and sends it to the RADIUS server (ISE) for authentication.
ii) It fills the RADIUS attributes Username and Password with the MAC address.
iii) It fills the RADIUS attribute Calling Station ID with the MAC address.
-> ISE can authenticate MAB devices based either on the Calling Station ID or on the Username and Password.
-> If Process Host Lookup is enabled on ISE, authentication is done based on the Calling Station ID.
-> If Process Host Lookup is disabled on ISE, authentication is done based on the username/password.
-> To enable Process Host Lookup on ISE, navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols.
-> ISE processes the request differently depending on whether Process Host Lookup is enabled or disabled:
i) Process Host Lookup disabled: ISE takes the username and password as the MAC address and checks it against the Internal Users database.
ii) Process Host Lookup enabled: ISE takes the Calling Station ID as the MAC address and checks it against the Internal Endpoints database.
-> It is recommended to enable Process Host Lookup in ISE.
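As an added illustration (not part of the original notes) of steps ii and iii above and of the two Process Host Lookup behaviours, the Python below builds the RADIUS attributes a MAB switch sends, hides User-Password the way RFC 2865 specifies, and then applies ISE's lookup rule for each setting. The attribute formatting, the sample identity stores and the function names are assumptions.

```python
import hashlib
import os
import re

# Constructed sample identity stores standing in for ISE's databases.
ENDPOINTS_DB = {"00:11:22:33:44:55"}                  # Internal Endpoints (Process Host Lookup enabled)
INTERNAL_USERS_DB = {"001122334455": "001122334455"}  # Internal Users: username -> password


def normalize_mac(mac: str) -> str:
    """Strip separators and lowercase, so any MAC notation compares equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def build_mab_request(mac: str, secret: bytes, authenticator: bytes = b"") -> dict:
    """Attributes a MAB-enabled switch puts in its RADIUS Access-Request (steps ii and iii).
    User-Password is hidden the RFC 2865 way: password XOR MD5(secret + Request-Authenticator).
    The lowercase username and hyphenated uppercase Calling-Station-Id formats are assumptions."""
    authenticator = authenticator or os.urandom(16)
    mac_hex = normalize_mac(mac)
    password = mac_hex.encode().ljust(16, b"\x00")  # 12 characters fit in one 16-byte block
    digest = hashlib.md5(secret + authenticator).digest()
    return {
        "Request-Authenticator": authenticator,
        "User-Name": mac_hex,
        "User-Password": bytes(p ^ d for p, d in zip(password, digest)),
        "Calling-Station-Id": "-".join(mac_hex[i:i + 2] for i in range(0, 12, 2)).upper(),
    }


def reveal_password(request: dict, secret: bytes) -> bytes:
    """What ISE recovers from User-Password using the shared secret configured on it."""
    digest = hashlib.md5(secret + request["Request-Authenticator"]).digest()
    return bytes(p ^ d for p, d in zip(request["User-Password"], digest)).rstrip(b"\x00")


def ise_mab_decision(request: dict, secret: bytes, process_host_lookup: bool) -> str:
    """Which identity store ISE consults depends on the Process Host Lookup setting."""
    if process_host_lookup:
        # Enabled: Calling-Station-Id is taken as the MAC and looked up in Internal Endpoints.
        known = normalize_mac(request["Calling-Station-Id"]) in {normalize_mac(m) for m in ENDPOINTS_DB}
        return "Access-Accept" if known else "Access-Reject"
    # Disabled: User-Name/User-Password are taken as the MAC and checked against Internal Users.
    expected = INTERNAL_USERS_DB.get(request["User-Name"])
    if expected is not None and expected.encode() == reveal_password(request, secret):
        return "Access-Accept"
    return "Access-Reject"
```

A mismatched shared secret shows up as a rejected username/password check even for a known MAC, which is the symptom of the Note under "Configure Network Device" below.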
Authentication Timeout in 802.1x
-> Authentication Timeout is how the switch determines whether the end device connected to an interface has an 802.1X supplicant or not.
-> By default the switch sends an EAP Request-Identity message to the endpoint every 30 seconds; if it receives no response to three EAP Request-Identity messages (90 seconds), it assumes the host has no 802.1X supplicant and begins the MAB process.
-> It is recommended to change the Authentication Timeout period to a lower value.
MAB limitations
-> MAB is not a secure method compared to other authentication methods, so the network access of MAB devices should be restricted.
-> MAB does support the advanced authorization features of ISE, such as
i) Downloadable ACLs
ii) Dynamic VLAN
iii) URL redirection
iv) Security Group Tags (SGT)
v) Smart Port Macros
-> It is not recommended to implement Dynamic VLANs for devices that do not have an 802.1X supplicant.
MAB Implementation
-> MAB implementation is done in two steps:
i) Configuration on the Network Access Device (e.g. switch)
ii) Configuration on the RADIUS server (e.g. ISE)
Note: Unlike 802.1X authentication, no configuration is required on the supplicant.
-> Configuration on the Network Access Device is divided into two parts:
i) Configuration on the Network Access Device to communicate with the RADIUS server
ii) Configuration on the Network Access Device for the supplicant
Configuration on Network Access Device to communicate with Radius Server
i) Enable AAA on the switch
Switch(config)# aaa new-model
ii) Configure the authentication protocol to be used on the switch (either RADIUS or TACACS+)
Switch(config)# aaa authentication dot1x default group radius
iii) Configure the RADIUS server IP address and the secret key used for encryption between the network device and the RADIUS server
Switch(config)# radius-server host 192.168.1.1 key cciesec
iv) Configure the source IP address the switch uses towards ISE (optional but recommended)
Switch(config)# ip radius source-interface loopback0
Note: We can also configure the authorization and accounting protocols to be used, but in this case I am not using them.
Configuration of Network Access Device for Supplicant
i) Enable MAB on the interface where the end device is connected
Switch(config)# interface fa0/1
Switch(config-if)# mab
ii) Enable the interface to prompt the end device for authentication
Switch(config-if)# authentication port-control auto
-> Configuration on the RADIUS server is divided into three parts:
i) Configure the Network Device so that it can communicate with the switch.
ii) Configure the MAC address in the identity database.
iii) Configure one authentication and one authorization policy that match the MAB condition.
Configure Network Device so that it can communicate with switch
-> To add a Network Access Device in ISE, navigate to Administration > Network Resources > Network Devices > Add
Note: The important thing is that the shared secret must be the same on ISE and the switch; only then can the switch communicate with ISE.
Configure MAC address in identity database
-> To add a MAC address to the ISE database, navigate to Administration > Identities > End Points > Add
Configure one authentication and authorization policy that matches with MAB Condition
-> To configure the Authentication Policy, navigate to Policy > Authentication > Authentication Policy
-> To configure the Authorization Policy, navigate to Policy > Authorization > Authorization Policy