MAC Authentication Bypass

The MAC Authentication Bypass feature is a MAC-address-based authentication mechanism that allows clients in a network to integrate with the Cisco Identity Based Networking Services (IBNS) and Network Admission Control (NAC) strategy using the client MAC address. The MAC Authentication Bypass feature is applicable to the following network environments:

  • Network environments in which a supplicant code is not available for a given client platform.

  • Network environments in which the end client configuration is not under administrative control, that is, the IEEE 802.1X requests are not supported on these networks.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for Configuring MAC Authentication Bypass

IEEE 802.1x—Port-Based Network Access Control

You should understand the concepts of port-based network access control and have an understanding of how to configure port-based network access control on your Cisco platform. For more information, see the Securing User Services Configuration Guide Library.

RADIUS and ACLs

You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs). For more information, see the documentation for your Cisco platform and the Securing User Services Configuration Guide Library.

The device must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS). For more information, see the User Guide for Secure ACS Appliance 3.2.

Information About Configuring MAC Authentication Bypass

Overview of the Cisco IOS Auth Manager

The capabilities of devices connecting to a given network can be different, thus requiring that the network support different authentication methods and authorization policies. The Cisco IOS Auth Manager handles network authentication requests and enforces authorization policies regardless of authentication method. The Auth Manager maintains operational data for all port-based network connection attempts, authentications, authorizations, and disconnections and, as such, serves as a session manager.

The possible states for Auth Manager sessions are as follows:

  • Idle—In the idle state, the authentication session has been initialized, but no methods have yet been run. This is an intermediate state.

  • Running—A method is currently running. This is an intermediate state.

  • Authc Success—The authentication method has run successfully. This is an intermediate state.

  • Authc Failed—The authentication method has failed. This is an intermediate state.

  • Authz Success—All features have been successfully applied for this session. This is a terminal state.

  • Authz Failed—At least one feature has failed to be applied for this session. This is a terminal state.

  • No methods—There were no results for this session. This is a terminal state.

How to Configure MAC Authentication Bypass

Enabling MAC Authentication Bypass

Perform this task to enable the MAC Authentication Bypass feature on an 802.1X port.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    interface type slot / port

    4.    mab

    5.    end

    6.    show authentication sessions interface type slot / port details


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example: 
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example: 
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 interface type slot / port


    Example: 
    Device(config)# interface Gigabitethernet 1/2/1
     

    Enters interface configuration mode.

     
    Step 4 mab


    Example: 
    Device(config-if)# mab
     

    Enables MAB.

     
    Step 5 end


    Example: 
    Device(config-if)# end
     

    Returns to privileged EXEC mode.

     
    Step 6 show authentication sessions interface type slot / port details


    Example: 
    Device# show authentication session interface Gigabitethernet 1/2/1 details
     

    Displays the interface configuration and the authenticator instances on the interface.

     

    Enabling Reauthentication on a Port

    By default, ports are not automatically reauthenticated. You can enable automatic reauthentication and specify how often reauthentication attempts are made.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    interface type slot / port

      4.    switchport

      5.    switchport mode access

      6.    authentication port-control auto

      7.    mab [eap]

      8.    authentication periodic

      9.    authentication timer reauthenticate {seconds | server}

      10.    end


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example: 
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example: 
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 interface type slot / port


      Example: 
      Device(config)# interface Gigabitethernet 1/2/1
       

      Enters interface configuration mode.

       
      Step 4 switchport


      Example: 
      Device(config-if)# switchport
       

      Places interface in Layer 2 switched mode.

       
      Step 5 switchport mode access


      Example: 
      Device(config-if)# switchport mode access
       

      Sets the interface type as a nontrunking, nontagged single VLAN Layer 2 interface.

       
      Step 6 authentication port-control auto


      Example: 
      Device(config-if)# authentication port-control auto
       

      Configures the authorization state of the port.

       
      Step 7 mab [eap]


      Example: 
      Device(config-if)# mab
       

      Enables MAB.

       
      Step 8 authentication periodic


      Example: 
      Device(config-if)# authentication periodic
       

      Enables reauthentication.

       
      Step 9 authentication timer reauthenticate {seconds | server}


      Example: 
      Device(config-if)# authentication timer reauthenticate 900
       

      Configures the time, in seconds, between reauthentication attempts.

       
      Step 10 end


      Example: 
      Device(config-if)# end
       

      Exits interface configuration mode and returns to privileged EXEC mode.

       

      Specifying the Security Violation Mode

      When there is a security violation on a port, the port can be shut down or traffic can be restricted. By default, the port is shut down. You can configure the period of time for which the port is shut down.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    interface type slot / port

        4.    switchport

        5.    switchport mode access

        6.    authentication port-control auto

        7.    mab [eap]

        8.    authentication violation {restrict | shutdown}

        9.    authentication timer restart seconds

        10.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example: 
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 configure terminal


        Example: 
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 interface type slot / port


        Example: 
        Device(config)# interface Gigabitethernet 1/2/1
         

        Enters interface configuration mode.

         
        Step 4 switchport


        Example: 
        Device(config-if)# switchport
         

        Places interface in Layer 2 switched mode.

         
        Step 5 switchport mode access


        Example: 
        Device(config-if)# switchport mode access
         

        Sets the interface type as a nontrunking, nontagged single VLAN Layer 2 interface.

         
        Step 6 authentication port-control auto


        Example: 
        Device(config-if)# authentication port-control auto
         

        Configures the authorization state of the port.

         
        Step 7 mab [eap]


        Example: 
        Device(config-if)# mab
         

        Enables MAB.

         
        Step 8 authentication violation {restrict | shutdown}


        Example: 
        Device(config-if)# authentication violation shutdown
         

        Configures the action to be taken when a security violation occurs on the port.

         
        Step 9 authentication timer restart seconds


        Example: 
        Device(config-if)# authentication timer restart 30
         

        Configures the period of time, in seconds, after which an attempt is made to authenticate an unauthorized port.

         
        Step 10 end


        Example: 
        Device(config-if)# end
         

        Exits interface configuration mode and returns to privileged EXEC mode.

         

        Configuration Examples for MAC Authentication Bypass

        Example: MAC Authentication Bypass Configuration

        In the following example, the mab command has been configured to enable the MAC Authorization Bypass (MAB) feature on the specified interface. The optional show authentication sessions command has been enabled to display the interface configuration and the authentication instances on the interface. 

        Device> enable
Device# configure terminal
Device(config)# interface GigabitEthernet 1/2/1
Device(config-if)# mab
Device(config-if)# end
Device# show authentication sessions interface GigabitEthernet 1/2/1 details

        Additional References

        Related Documents

        Related Topic

        Document Title

        Cisco IOS commands

        Cisco IOS Master Command List, All Releases

        Authentication commands

        Cisco IOS Security Command Reference

        IEEE 802.1x—Flexible Authentication

        Securing User Services Configuration Library

        MIBs

        MIB

        MIBs Link

        • CISCO-AUTH-FRAMEWORK-MIB

        • CISCO-MAC-AUTH-BYPASS-MIB

        • CISCO-PAE-MIB

        • IEEE8021-PAE-MIB

        To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL:

        http:/​/​www.cisco.com/​go/​mibs

        RFCs

        RFC

        Title

        RFC 3580

        IEEE 802.1x Remote Authentication Dial In User Service (RADIUS)

        Technical Assistance

        Description

        Link

        The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

        http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

        Feature Information for MAC Authentication Bypass

        The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to . An account on Cisco.com is not required.
        Table 1 Feature Information for MAC Authentication Bypass

        Feature Name

        Releases

        Feature Information

        MAC Authentication Bypass (MAB)

        Cisco IOS XE 3.2SE

        Cisco IOS XE 3.3SE

        Cisco IOS XE 3.5E

        Cisco IOS XE Release 3.6E

        The MAC Authentication Bypass feature is a MAC-address-based authentication mechanism that allows clients in a network to integrate with the Cisco IBNS and NAC strategy using the client MAC address.

        In Cisco IOS XE Release 3.2SE, this feature was supported on the following platforms:

        • Catalyst 3850 Series Switches

        • Cisco 5760 Wireless LAN Controller

        In Cisco IOS XE Release 3.3SE, this feature was supported on the following platforms:

        • Catalyst 3650 Series Switches

        In Cisco IOS XE Release 3.6E, this feature is supported on Cisco Catalyst 3850 Series Switches.

        The following commands were introduced or modified: dot1x mac-auth-bypass, show dot1x interface.