Cisco ISE Dot1x & MAB

Cisco Identity Services Engine (ISE):

  • Dot1x (802.1X) is a network access control protocol that uses EAP (Extensible Authentication Protocol) to authenticate devices at the network edge, verifying user credentials against a RADIUS server before granting access.
  • MAB (MAC Authentication Bypass) is a fallback mechanism for devices that do not support 802.1X: the switch sends the device’s MAC address to the RADIUS server, which authenticates it and grants network access based on that address.

Here’s the topology for this lab

Preparation

First, on Administration » Network Devices, add switch-1 as a Network Device with RADIUS Authentication enabled.

Next, on Administration » Identities, create an Internal User to be used for dot1x authentication.

After that, on Work Center » Guest Access » Identities, add the client’s MAC address; this will be used for MAB authentication.

The added MAC address can be found under Identity Groups.

Configuring MAB

On Policy » Policy Sets, create a new Policy Set that matches all RADIUS authentications.

Next, in the Authentication Policy, create a rule that matches all MAB authentications.

Then, in the Authorization Policy, add a rule that permits network access if authentication passed.

MAB Configuration on NAD

Configure the switch so that MAB is the first method in the authentication order:

! Enable AAA and send dot1x/MAB authentication requests to the RADIUS group
aaa new-model
aaa authentication dot1x default group radius
! Define the ISE node as a RADIUS server (shared secret is the lab value)
radius server host
 address ipv4 198.18.134.31
 key helena
 exit

! Globally enable 802.1X on the switch
dot1x system-auth-control

! Access port: try MAB first, then fall back to dot1x
interface Ethernet0/2
 switchport host
 authentication port-control auto
 authentication order mab dot1x
 dot1x pae authenticator
 mab
 exit


Test the RADIUS server from the switch to make sure the connection is up and running.

The successful test shows up in the logs on ISE.

MAB Testing

On the client PC, enable the Wired AutoConfig service.

On the switch, we can see that the client has successfully completed MAB authentication.

The RADIUS Live Logs show the successful authentication.

Here are the details of that log entry.

Configuring Dot1x

In the Policy Set, let’s add a new authentication rule for Dot1x.

On the switch, change the authentication order so that dot1x is tried first.

Dot1x Testing

On the client PC, configure Dot1x authentication on the NIC adapter by supplying the username and password.

After the PC has successfully authenticated, we can see on the switch that the method has changed to dot1x.

The RADIUS Live Logs show the successful dot1x authentication.

Testing MAB Failover

Now let’s test MAB failover when dot1x fails; to do that, we’ll supply incorrect credentials.

Here, in the RADIUS Live Logs, we can see that the switch tried Dot1x first, which failed, and then proceeded with MAB.

On the client, even though Dot1x authentication failed, we can still access the network thanks to MAB.
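That failover is also worth watching for on the ISE side: with the single "permit network access if authentication passed" authorization rule used in this lab, an endpoint whose dot1x attempt failed ends up with exactly the same access through MAB. As an added example (not part of the original post), the Python script below correlates constructed log lines in the spirit of the RADIUS Live Logs and flags every MAB pass that closely follows a dot1x failure from the same MAC on the same port; the log format, MAC addresses, usernames and the 120-second window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample in the spirit of the ISE RADIUS Live Logs shown in the lab
# (NOT real ISE output): timestamp, endpoint MAC, identity, method, result, port.
# For MAB, ISE reports the MAC address itself as the identity.
# "labuser", "labuser2" and the MACs are made-up lab values.
SAMPLE_LOG = """
2024-05-01T10:00:01 00:50:79:66:68:00 labuser           dot1x PASS Ethernet0/2
2024-05-01T10:05:10 00:50:79:66:68:00 labuser           dot1x FAIL Ethernet0/2
2024-05-01T10:05:12 00:50:79:66:68:00 00:50:79:66:68:00 mab   PASS Ethernet0/2
2024-05-01T10:30:00 00:50:79:66:68:01 00:50:79:66:68:01 mab   PASS Ethernet0/3
2024-05-01T11:00:00 00:50:79:66:68:02 labuser2          dot1x FAIL Ethernet0/4
2024-05-01T11:20:00 00:50:79:66:68:02 00:50:79:66:68:02 mab   PASS Ethernet0/4
"""

def parse_events(text):
    """Parse the whitespace-separated sample format into time-sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, mac, identity, method, result, port = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "mac": mac.lower(),
                       "identity": identity, "method": method.lower(),
                       "result": result.upper(), "port": port})
    return sorted(events, key=lambda e: e["ts"])

def find_mab_fallbacks(events, window=timedelta(seconds=120)):
    """Return (mac, port, dot1x_fail_ts, mab_pass_ts) for every MAB PASS that
    follows a dot1x FAIL from the same MAC on the same port within `window`.
    A MAB PASS with no preceding dot1x FAIL (a printer, say) is not reported,
    and a later dot1x PASS clears the pending failure for that endpoint."""
    pending_fail = {}   # (mac, port) -> timestamp of the most recent dot1x FAIL
    findings = []
    for e in events:
        key = (e["mac"], e["port"])
        if e["method"] == "dot1x":
            if e["result"] == "FAIL":
                pending_fail[key] = e["ts"]
            else:
                pending_fail.pop(key, None)
        elif e["method"] == "mab" and e["result"] == "PASS":
            fail_ts = pending_fail.pop(key, None)
            if fail_ts is not None and e["ts"] - fail_ts <= window:
                findings.append((e["mac"], e["port"], fail_ts, e["ts"]))
    return findings

if __name__ == "__main__":
    for mac, port, failed, passed in find_mab_fallbacks(parse_events(SAMPLE_LOG)):
        print(f"{mac} on {port}: dot1x failed at {failed:%H:%M:%S}, "
              f"MAB granted access at {passed:%H:%M:%S}")
```

On the sample, only the endpoint on Ethernet0/2 is reported: the MAB-only device on Ethernet0/3 never attempted dot1x, and the 20-minute gap on Ethernet0/4 falls outside the window.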

This post is licensed under CC BY 4.0 by the author.