
Is this possible: Static MAC Entry skipping 802.1x authentication

justausername
Level 1

C1000-24P-4G-L (15.2.7E10)

Like the title suggests this is what I want the switch to do:


Depending on what device I connect, I want it to either do the normal 802.1x authentication (workstation / VLAN 10) by the RADIUS server, but if it is a device with a static MAC-table entry I want it to skip the 802.1x authentication process and just join VLAN 15.


Is this possible on the switch without it leaving to check with the radius server or is this already the wrong way to do this?


I am testing on port g1/0/2 and this is what the port config and the static MAC entry look like:

mac address-table static abcd.abcd.abcd vlan 15 interface GigabitEthernet1/0/2

interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 15
 switchport trunk native vlan 10
 switchport mode trunk
 authentication event fail action authorize vlan 999
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator

Accepted Solutions

thomas
Cisco Employee

This is why MAB was created - to centrally control static MAC authentication (with a central database) rather than local, distributed, tedious switch and interface specific config updates. You also probably want to change to switchport mode access.

From ISE Secure Wired Access Prescriptive Deployment Guide > Switch Configuration for Low Impact Mode (you may remove the lines about ACLs):

interface GigabitEthernet1/0/1
 description ** Endpoints and Users ** 
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 101
 device-tracking attach-policy IPDT_POLICY
 ip access-group IPV4_PRE_AUTH_ACL in
 authentication periodic
 authentication timer reauthenticate server
 access-session control-direction in
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 spanning-tree portfast

You may want to watch:

▷ MAC Authentication Bypass (MAB) with ISE 2023-07-20

00:30 Media Access Control (MAC) Addresses by the Byte
02:40 OUI & MAC Formatting
04:39 Network Authentication Options
05:45 Multi-Factor Authentication and IOT
06:14 RADIUS with 802.1X Flow
07:43 RADIUS with MAB Flow
09:15 RADIUS Packet Captures: Wired & Wireless MAB
12:00 ISE Segmentation Options with RADIUS
12:54 ISE MAB Authorization Solutions: Filtering, Profiling, Endpoint Groups, Custom Attributes, CMDBs
15:36 Frequently Used RADIUS Attributes Reference
16:26 ISE Secure Wired Access Deployment Guide for Cisco Catalyst Configuration
18:23 How To Integrate Meraki Networks with ISE
20:07 ISE Policy Set Authentication Default Behavior and Recommended Changes
23:00 ISE Policy Set Examples for MAB
23:34 Demo: ISE MAB Default Authentication Policy Behavior
Note: the MAB Authentication worked because ISE knew the MAC from previous failed auths!
27:03 - the MAB auth worked because the endpoint was known from the previous MAB failures
27:34 - MAB with If-user-not-found: Continue
28:24 ISE Local & Global Exceptions
29:11 MAC Filtering Authorization Rules using MAC_* Operators
30:04 Demo: Local and Global Exceptions
31:53 - ISE Endpoint Identity Groups
32:55 - Add/Remove Endpoints to Identity Groups
33:44 - Override Global Exception with Policy Set Local Exception
35:00 - Random MAC Address Filtering
35:53 - Matching with EQUALS vs MAC_EQUALS using :'s and -'s
37:59 - MAC OUI matching using MAC_STARTS operator
39:01 - MAC_* Operators in Authorization Rules
40:13 Demo: Static Endpoint Groups
41:06 - Endpoint Purging will remove endpoints from Endpoint Identity Groups!
42:39 - Profiling Raspberry Pis
44:58 ISE Endpoint Profiling & Demo
47:36 ISE Endpoint Custom Attributes & Demo
51:56 Configuration Management Database (CMDB) and Demo with iPSKs
56:50 Question: What is the best method to define a policy set? Spoiler: It depends!
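
The asker's test port reworked along the lines of this answer, as an added example that is not part of the original thread or of the Cisco guide: access mode, 802.1X tried first, MAB as the fallback, and VLAN 15 assigned by the RADIUS server instead of a static MAC entry. It keeps the legacy `authentication` command style from the question; the existing AAA/RADIUS setup, one endpoint per port, and the RADIUS reply attributes in the comments are assumptions.

```cisco
! Added example: assumes 'aaa new-model', 'dot1x system-auth-control' and the
! RADIUS server definition already exist for the current 802.1X setup.
! Needed so the switch applies a VLAN returned by RADIUS:
aaa authorization network default group radius
!
! The local static entry is replaced by an endpoint entry on the RADIUS server.
no mac address-table static abcd.abcd.abcd vlan 15 interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/2
 ! Access port: workstations that pass 802.1X stay in VLAN 10
 switchport mode access
 switchport access vlan 10
 ! host-mode left at its default (single-host): one endpoint per port assumed
 ! Try 802.1X first, fall back to MAB; 802.1X takes priority over a MAB session
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Shorter EAP timer so a device without a supplicant reaches MAB sooner
 dot1x timeout tx-period 7
 spanning-tree portfast
!
! RADIUS server side (assumed): for the MAB request for abcd.abcd.abcd,
! return Access-Accept with the standard VLAN-assignment attributes:
!   Tunnel-Type             = VLAN
!   Tunnel-Medium-Type      = IEEE-802
!   Tunnel-Private-Group-ID = 15
```

MAB identifies the endpoint by its MAC address alone, so the VLAN 15 authorization should grant only what those devices need.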


5 Replies

I don't think that would work. Both dot1x and MAB should be managed by the RADIUS server because when you configure the switch port for dot1x and MAB the switch will relay any authentication request to the RADIUS server. If you don't configure MAB under the switch port, I believe the switch port won't allow any MAB session on that port. Also, the switch port should be configured in access mode, not in trunk.

As I know, you can:

 authentication event no-response action authorize vlan vlan-id

MHM

Are you referring to IBNS 2? If so, AFAIK you would need to define the authentication method for each class map type as dot1x or MAB.

justausername
Level 1

Ok thank you for all the answers!
MAB was on my radar but I thought maybe there was a more direct way to do it.