- Device Sensor
- AAA Double Authentication Secured by Absolute Timeout
- Login Password Retry Lockout
- Throttling of AAA RADIUS Records
- MSCHAP Version 2
- MAC Authentication Bypass
- Standalone MAB Support
- Configuring Accounting
- AAA-SERVER-MIB Set Operation
- Message Banners for AAA Authentication
- RADIUS Change of Authorization
- TACACS+ over IPv6
- Finding Feature Information
- Prerequisites for Configuring MAC Authentication Bypass
- Information About Configuring MAC Authentication Bypass
- How to Configure MAC Authentication Bypass
- Configuration Examples for MAC Authentication Bypass
- Additional References
- Feature Information for MAC Authentication Bypass
MAC Authentication Bypass
The MAC Authentication Bypass feature is a MAC-address-based authentication mechanism that allows clients in a network to integrate with the Cisco Identity Based Networking Services (IBNS) and Network Admission Control (NAC) strategy using the client MAC address. The MAC Authentication Bypass feature is applicable to the following network environments:
- Finding Feature Information
- Prerequisites for Configuring MAC Authentication Bypass
- Information About Configuring MAC Authentication Bypass
- How to Configure MAC Authentication Bypass
- Configuration Examples for MAC Authentication Bypass
- Additional References
- Feature Information for MAC Authentication Bypass
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Configuring MAC Authentication Bypass
IEEE 802.1x—Port-Based Network Access Control
You should understand the concepts of port-based network access control and have an understanding of how to configure port-based network access control on your Cisco platform. For more information, see the Securing User Services Configuration Guide Library.
RADIUS and ACLs
You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs). For more information, see the documentation for your Cisco platform and the Securing User Services Configuration Guide Library.
The device must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS). For more information, see the User Guide for Secure ACS Appliance 3.2.
Information About Configuring MAC Authentication Bypass
Overview of the Cisco IOS Auth Manager
The capabilities of devices connecting to a given network can be different, thus requiring that the network support different authentication methods and authorization policies. The Cisco IOS Auth Manager handles network authentication requests and enforces authorization policies regardless of authentication method. The Auth Manager maintains operational data for all port-based network connection attempts, authentications, authorizations, and disconnections and, as such, serves as a session manager.
The possible states for Auth Manager sessions are as follows:
Idle—In the idle state, the authentication session has been initialized, but no methods have yet been run. This is an intermediate state.
Running—A method is currently running. This is an intermediate state.
Authc Success—The authentication method has run successfully. This is an intermediate state.
Authc Failed—The authentication method has failed. This is an intermediate state.
Authz Success—All features have been successfully applied for this session. This is a terminal state.
Authz Failed—At least one feature has failed to be applied for this session. This is a terminal state.
No methods—There were no results for this session. This is a terminal state.
How to Configure MAC Authentication Bypass
- Enabling MAC Authentication Bypass
- Enabling Reauthentication on a Port
- Specifying the Security Violation Mode
Enabling MAC Authentication Bypass
Perform this task to enable the MAC Authentication Bypass feature on an 802.1X port.
1.
enable
2.
configure
terminal
3.
interface
type
slot
/
port
4.
mab
5.
end
6.
show
authentication
sessions
interface
type
slot
/
port
details
DETAILED STEPS
Enabling Reauthentication on a Port
By default, ports are not automatically reauthenticated. You can enable automatic reauthentication and specify how often reauthentication attempts are made.
1.
enable
2.
configure
terminal
3.
interface
type
slot
/
port
4.
switchport
5.
switchport
mode
access
6.
authentication
port-control
auto
7.
mab
[eap]
8.
authentication
periodic
9.
authentication
timer
reauthenticate
{seconds |
server}
10.
end
DETAILED STEPS
Specifying the Security Violation Mode
When there is a security violation on a port, the port can be shut down or traffic can be restricted. By default, the port is shut down. You can configure the period of time for which the port is shut down.
1.
enable
2.
configure
terminal
3.
interface
type
slot
/
port
4.
switchport
5.
switchport
mode
access
6.
authentication
port-control
auto
7.
mab
[eap]
8.
authentication
violation
{restrict |
shutdown}
9.
authentication
timer
restart
seconds
10.
end
DETAILED STEPS
Configuration Examples for MAC Authentication Bypass
Example: MAC Authentication Bypass Configuration
In the following example, the mab command has been configured to enable the MAC Authorization Bypass (MAB) feature on the specified interface. The optional show authentication sessions command has been enabled to display the interface configuration and the authentication instances on the interface.
Device> enable Device# configure terminal Device(config)# interface GigabitEthernet 1/2/1 Device(config-if)# mab Device(config-if)# end Device# show authentication sessions interface GigabitEthernet 1/2/1 details
Additional References
Related Documents
|
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
Authentication commands |
Cisco IOS Security Command Reference |
|
IEEE 802.1x—Flexible Authentication |
Securing User Services Configuration Library |
MIBs
|
MIB |
MIBs Link |
|---|---|
|
To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
|
RFC |
Title |
|---|---|
|
RFC 3580 |
IEEE 802.1x Remote Authentication Dial In User Service (RADIUS) |
Technical Assistance
|
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for MAC Authentication Bypass
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to . An account on Cisco.com is not required.|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
MAC Authentication Bypass (MAB) |
Cisco IOS XE 3.2SE Cisco IOS XE 3.3SE Cisco IOS XE 3.5E Cisco IOS XE Release 3.6E |
The MAC Authentication Bypass feature is a MAC-address-based authentication mechanism that allows clients in a network to integrate with the Cisco IBNS and NAC strategy using the client MAC address. In Cisco IOS XE Release 3.6E, this feature is supported on Cisco Catalyst 3850 Series Switches. The following commands were introduced or modified: dot1x mac-auth-bypass, show dot1x interface. |
Feedback