Configurable MAB Username and Password

The Configurable MAB Username and Password feature enables you to configure a MAC Authentication Bypass (MAB) username format and password to allow interoperability between the Cisco IOS Authentication Manager and existing MAC databases and RADIUS servers.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About Configurable MAB Username and Password

Overview of the Configurable MAB Username and Password

A MAC Authentication Bypass (MAB) operation involves authentication using RADIUS Access-Request packets with both the username and password attributes. By default, the username and the password values are the same and contain the MAC address. The Configurable MAB Username and Password feature enables you to configure both the username and the password attributes in the following scenarios:

  • To enable MAB for an existing large database that uses formatted username attributes, the username format in the client MAC needs to be configured. Use the mab request format attribute 1 command to configure the username format.

  • Some databases do not accept authentication if the username and password values are the same. In such instances, the password needs to be configured to ensure that the password is different from the username. Use the mab request format attribute 2 command to configure the password.

The Configurable MAB Username and Password feature allows interoperability between the Cisco IOS Authentication Manager and the existing MAC databases and RADIUS servers. The password is a global password and hence is the same for all MAB authentications and interfaces. This password is also synchronized across all supervisor devices to achieve high availability.

If the password is not provided or configured, the password uses the same value as the username. The table below describes the formatting of the username and the password:

MAC Address Username Format (Group Size, Separator) Username Password Configured Password Created
08002b8619de

(1, :)

(1, -)

(1, .)

0:8:0:0:2:b:8:6:1:9:d:e

0-8-0-0-2-b-8-6-1-9-d-e

0.8.0.0.2.b.8.6.1.9.d.e

 None

0:8:0:0:2:b:8:6:1:9:d:e

0-8-0-0-2-b-8-6-1-9-d-e

0.8.0.0.2.b.8.6.1.9.d.e
08002b8619de

(1, :)

(1, -)

(1, .)

0:8:0:0:2:b:8:6:1:9:d:e

0-8-0-0-2-b-8-6-1-9-d-e

0.8.0.0.2.b.8.6.1.9.d.e

 Password Password
08002b8619de

(2, :)

(2, -)

(2, .)

08:00:2b:86:19:de

08-00-2b-86-19-de

08.00.2b.86.19.de

 None

08:00:2b:86:19:de

08-00-2b-86-19-de

08.00.2b.86.19.de
08002b8619de

(2, :)

(2, -)

(2, .)

08:00:2b:86:19:de

08-00-2b-86-19-de

08.00.2b.86.19.de

 Password Password
08002b8619de

(4, :)

(4, -)

(4, .)

0800:2b86:19de

0800-2b86-19de

0800.2b86.19de

 None

0800:2b86:19de

0800-2b86-19de

0800.2b86.19de
08002b8619de

(4, :)

(4, -)

(4, .)

0800:2b86:19de

0800-2b86-19de

0800.2b86.19de

 Password Password
08002b8619de (12, <not applicable>) 08002b8619de None 08002b8619de
08002b8619de (12, <not applicable>) 08002b8619de Password Password

For more information on configuring MAB, see the “Configuring MAC Authentication Bypass” chapter in the Authentication, Authorization, and Accounting Configuration Guide.

How to Configure Configurable MAB Username and Password

Enabling Configurable MAB Username and Password

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    mab request format attribute 1 groupsize {1 | 2 | 4 | 12} separator {- | : | .} [lowercase | uppercase]

    4.    mab request format attribute 2 [0 | 7] password

    5.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example: 
    Device> enable
     
    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example: 
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 mab request format attribute 1 groupsize {1 | 2 | 4 | 12} separator {- | : | .} [lowercase | uppercase]


    Example: 
    Device(config)# mab request format attribute 1 groupsize 2 separator :
     

    Configures the username format for MAB requests.

     
    Step 4 mab request format attribute 2 [0 | 7] password


    Example: 
    Device(config)# mab request format attribute 2 password1
     

    Configures a global password for all MAB requests.

     
    Step 5 end


    Example: 
    Device(config)# end
     

    Returns to privileged EXEC mode.

     

    Configuration Examples for Configurable MAB Username and Password

    Example: Enabling Configurable MAB Username and Password

    The following example shows how to configure the username format and password for MAC Authentication Bypass (MAB). In this example, the username format is configured as a group of 12 hexadecimal digits with no separator and the global password as password1.

    Device> enable
Device# configure terminal
Device(config)# mab request format attribute 1 groupsize 2 separator :
Device(config)# mab request format attribute 2 password1
Device(config)# end

    Additional References for Configurable MAB Username and Password

    Related Documents

    Related Topic

    Document Title

    Cisco IOS commands

    Cisco IOS Master Command List, All Releases

    Security commands

    Configuring MAC Authentication Bypass

    Authentication, Authorization, and Accounting Configuration Guide

    Technical Assistance

    Description Link

    The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

    To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

    Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

    http:/​/​www.cisco.com/​support

    Feature Information for Configurable MAB Username and Password

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

    Table 1 Feature Information for Configurable MAB Username and Password

    Feature Name

    Releases

    Feature Information

    Configurable MAB Username and Password

    Cisco IOS 15.2(1)E

    The Configurable MAB Username and Password feature enables you to configure MAC Authentication Bypass (MAB) username format and password to allow interoperability between the Cisco IOS Authentication Manager and existing MAC databases and RADIUS servers.

    The following commands were introduced or modified: mab request format attribute 1, mab request format attribute 2.