Securing network access is critical and MAC authentication bypass (MAB) can help. These days, contractors and visitors require access to network resources over the same network as employees, but that means the possibility that unauthorized people or devices will gain access to controlled or confidential information also increases.
One of the solutions is to enable MAB. MAB will use the MAC address of the device to determine the level of the network access to provide. MAB offers visibility and identity-based access control at the network edge of endpoints that do not support IEEE 802.1X.
Other cases where you can use the MAC authentication bypass are:
MAB is the process of a nonauthenticating device (a device without an 802.1X supplicant running on it like network printers, cameras, and sensors) connecting to a network with 802.1X enabled. Enable the MAB option on the port so that the system will use the device MAC address as the user’s name and password for authentication. Once the switch learns the MAC address, it contacts an authentication server (RADIUS) to check if it permits the MAC address.
MAB can operate in two states:
By default, MAB can support only one device (MAC address), and when it detects multiple source MAC addresses, it will trigger a security violation. You can change this default behavior to one of these:
When MAB is enabled on switch port, the switch will forward each new detected MAC address and send it to RADIUS for authentication. Then it will use the MAC address to fill RADIUS attributes (username and password or calling station ID). ISE can authenticate the end device either based upon calling station ID or username and password.
ISE acts differently when the process host lookup is enabled versus disabled:
This can be used to let the switch determine if the end device is 802.1X compatible or not. By default, the switch sends extensible authentication protocol (EAP) over LAN (EAPOL) to the end device every 30 seconds. If the switch does not receive any response for three EAPOL identity requests (total of three missing requests over 90 seconds) then it will assume that the endpoint is not 802.1X supplicant and start MAB. The recommendation is to decrease the default time-out period to make it faster.
1. We must enableaaa then configure the default authentication list as below:
Switch (config)#aaa new-model
Switch (config)#aaa authentication dot1x default group radius
2. Add the RADIUS authentication server along with the key:
Switch (config)#radius server Test
Switch (config)#address ipv4 x.x.x.x auth-port 1812
Switch (config-radius-server)#key test
3. Finally, we configure the switch port. We will have to set the default port control. If we choose force-authorized then the port is automatically authorized. The second option is force-unauthorized then the interface is not authorized. We can automatically set it so the switch can determine if the port is authorized or not.
Switch (config)# interface GigabitEthernet2/1
Switch (config-if)#switchport mode access
Switch (config-if)#authentication port-control auto
Switch (config-if)# mab
You can use a couple of useful commands to give us more details on MAB and the authenticated interfaces:
SW1#show authentication sessions
Interface MAC Address Method Domain Status Session ID Gi2/1 aaaa.bbbb.cccc mab DATA Authz Success 0A38641F0000003500450DCF
Switch # show authentication sessions interface GigabitEthernet2/1 details:
Runnable methods list:
With MAB, we can’t use advance authorization options for ISE like:
*Implementing Dynamic VLANs on the devices that do not have 802.1X supplicant is not recommended.
For more about securing network access and how UncommonX’s XDR platform can benefit your organization, contact our team to request a demo and talk about your specific security needs.