MAC Authentication Bypass (MAB)

This topic is to discuss the following lesson:

Hi,
Is it possible to do dot1x authentication using FreeRADIUS?
Thanks

Hello Sims

Dot1x port-based authentication by definition uses an authentication server such as RADIUS. FreeRADIUS is such a server as well, so yes, it can be used for authentication of dot1x. Take a look at the following link from FreeRADIUS. It refers to the use of 802.1x for WiFi but the concept is the same.

https://wiki.freeradius.org/guide/Enterprise-WiFi#ieee-802-1x-and-radius-authentication

I hope this has been helpful!

Laz

Hi,
I’m trying to dynamically assign a VLAN with FreeRADIUS and it’s not working. Do you guys have a tutorial to help with this?
Thanks

Hello Hilton

There’s currently no lab that includes the assignment of a VLAN using a RADIUS server. The closest thing is the following lab which uses a RADIUS server for 802.3X authentication.

However, you can find information about such a configuration at the following Cisco documentation.

I hope this has been helpful!

Laz
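As an added example (not part of the thread or the lesson), here is what the FreeRADIUS side of MAB with dynamic VLAN assignment can look like in the `users` file of the `files` module. It assumes the Cisco switch sends the MAC address as both User-Name and User-Password in its default format (12 lowercase hex digits, no separators) with Service-Type = Call-Check, and uses constructed MAC addresses and VLAN IDs.

```conf
# /etc/raddb/users (FreeRADIUS 3.x, "files" module) - constructed example.
# Cisco MAB sends the client MAC as User-Name and User-Password and marks the
# request with Service-Type = Call-Check. The Tunnel-* reply attributes
# (RFC 3580) tell the switch which VLAN to place the authenticated port in.

# Network printer (constructed MAC): authenticate by MAC, assign VLAN 20.
aabbccddeeff  Cleartext-Password := "aabbccddeeff", Service-Type == Call-Check
              Tunnel-Type = VLAN,
              Tunnel-Medium-Type = IEEE-802,
              Tunnel-Private-Group-Id = "20"

# IP phone (constructed MAC): authenticate by MAC, assign VLAN 30.
001122334455  Cleartext-Password := "001122334455", Service-Type == Call-Check
              Tunnel-Type = VLAN,
              Tunnel-Medium-Type = IEEE-802,
              Tunnel-Private-Group-Id = "30"

# Any MAB request for a MAC not listed above is explicitly rejected, so an
# unknown device is never let onto the port by a fall-through default.
DEFAULT  Service-Type == Call-Check, Auth-Type := Reject
         Reply-Message = "Unknown MAC address - MAB denied"
```

Running the server in debug mode (`radiusd -X`) shows which entry a given MAB request matched and the exact reply attributes returned to the switch.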

I was wondering if there is a how-to on deploying 802.1x Wired using certificates? I’ve been searching and looking for hours but just can’t get it to work. The MAB how-to is great and got my environment up and running very quickly. But now we also want 802.1x for Wired installations.

RADIUS Server: CentOS 7 with FreeRADIUS
Client: Windows 10 Pro
Switch: Catalyst 9300

  • Configured the switch as a client and FreeRADIUS as the RADIUS server; for MAB-based authentication it works flawlessly, no problems there.

But how can I get 802.1x working using certificates only (no username/password should be needed)? I basically want to plug in my workstations and have Windows try to authenticate using certificates. None of the official documentation helps, and I’m lost on which settings to enable, which encryption/authentication method to use, what certs to import where, etc.

Hello Burak

The following lesson describes how you can configure 802.1x for wired connections on a Cisco switch using a RADIUS server and certificates.


Take a look and if you have any further questions, let us know!

I hope this has been helpful!

Laz

Hi,
What is RADIUS Change of Authorization?
Thanks

Hello Sims

RADIUS Change of Authorization is, according to Cisco, a feature that:

…provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. When a policy changes for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server such as a Cisco Secure Access Control Server (ACS) to reinitialize authentication and apply the new policy.

You can find out more information about it at the following Cisco documentation:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_aaa/configuration/15-sy/sec-usr-aaa-15-sy-book/sec-rad-coa.html#:~:text=The%20RADIUS%20Change%20of%20Authorization,session%20after%20it%20is%20authenticated.

I hope this has been helpful!

Laz

Multi-host mode: the switch allows multiple source MAC addresses. Only the first source MAC address is authenticated, all other source MAC addresses are automatically permitted.

Is it secure to use this?
Do we have to use the other switch’s MAC address as the permitted MAC address?

Hello Vanilson

You are correct, this is not a very secure option. The best thing to do, if you have multiple source MAC addresses, is to use multi-authentication host mode, where each source MAC is separately authenticated.

I’m not sure I can think of a situation where multi-host mode is useful. I’m sure it was created to accommodate some specific scenario, but I can’t think of what that could be. Even Cisco documentation recommends that you don’t use this mode, and use multi-authentication host mode instead.

I hope this has been helpful!

Laz

Hi
What is the difference between port security and MAB?
When you use port security on a switch you can learn MAC addresses.

Thanks for your answer

regards

Arlette

Hello Veronese

Port security is a feature that can allow or disallow traffic on a specific port. This is based on the source MAC address of the frames coming into the port. Port security causes the port to react in specific ways depending upon the situation, such as shutting down the interface completely, or simply logging a frame that has a non-authorized MAC address. All of the configuration takes place on the port itself.

MAB is a feature that has more options than port security, in that it can connect to an external server (such as RADIUS) to determine whether a MAC address is permitted or not. This allows centralized management for multiple ports on multiple devices. MAB is a much more scalable solution that provides many more options.

Alternatively, 802.1X is also scalable and can be managed centrally, but requires that the hosts connecting support the standard.

I hope this has been helpful!

Laz