MAC-based Authentication with RADIUS

Apr 20th, 2008


I want to implement a solution between port security and 802.1x.

I don't want to lock down my ports based on MAC as in port security in a static way and I don't want to use a supplicant as in 802.1x.

Is it possible to configure my switch so that when a new host connects to it, it will contact my RADIUS server for authentication based on the MAC address it saw on that port?

When the MAC is in the RADIUS database it will be granted access to the network and it will be assigned a VLAN, based on what the RADIUS attribute contains.

I am looking around on the web, but cannot find a solution like this for Cisco...


Ben Blendeman Sun, 04/20/2008 - 22:51

Thanks, this is really what I was looking for!!! Damn, it was hard to find if you don't know the exact name of the feature: "mac bypass authentication"

matthewpage Mon, 04/21/2008 - 04:10

Hi Ben

Can I just say there are a lot of unknowns and a lot of tweaking required with this technology. For example, the MAB feature is a fallback to 802.1x, so you need to play around with the timers to get the MAB to kick in straight away. If you don't, then the PC will fail to get an IP address. That is one of a long list of possible issues.

Do you know how many PCs you are planning on using this with?


jafrazie Mon, 04/21/2008 - 07:47

Let me try to de-mystify this for you.

1) This serves as a supplemental authentication technique today in the absence of 802.1X on the client machine. In the future (very soon actually) you will be able to enable MAC-Auth thru RADIUS independent from 802.1X.

2) Today, this is based on an 802.1X timeout (ask for 1X identity, no response, then check the MAC). As checking a MAC is much less secure than 1X, this explains why the switch is allowing next to nothing while it's looking for 1X. It can't even learn the MAC of the client, nor should it.

3) After 1X timeout, machine has to transmit traffic for the switch to learn the MAC (remember it cannot learn it while looking for 1X).

4) After 1X has timed out, and a MAC is learned, the MAC is authenticated thru RADIUS.

5) By default, the 802.1X timeout is 90-sec. You can tweak it down to 2-sec.

There is no silver bullet recommendation here, but the easiest is certainly a quick timeout for 802.1X. Today, it's sort of like hiring a security guard for the lobby in your building. Well, what do you do for people that don't have badges (yet)? There's no right answer, and it depends on how much control you need this security guard to have vs. how it impacts your business.

Hope this helps a little,

matthewpage Mon, 04/21/2008 - 08:03

Hi Jason

Could you tell me a bit more about the mac-auth through RADIUS? Like when we should expect that?

Also would you say that MAB would work ok for large deployments like 500+ PCs?

jafrazie Mon, 04/21/2008 - 08:07

Are you wanting to know when it will be available as a standalone authentication method independent from 802.1X?

You can think about MAB as a RADI-ized version of port-security that promotes authentication. The primary thing today is that it accompanies an 802.1X deployment.

Let me know more when you get a chance,

matthewpage Mon, 04/21/2008 - 08:19

Yes, would like to know when it's going to be a standalone feature.


jafrazie Mon, 04/21/2008 - 08:22

It's actually available today for CatOS on the 6500. For IOS, the first place you'll see it is on a 6500 in the next major release. I would ask that you contact your local account team for roadmap specifics if that's OK.

matthewpage Mon, 04/21/2008 - 08:27

No problem, Jason. I'm currently working with a college on deploying MAC authentication (well, it's more of a hybrid of both), and it would be a lot easier to deploy, I think, as a standalone feature rather than trying to play around with all the dot1x timers.

Another problem I have is trying to get them to buy into Cisco, as HP switches support MAC authentication as standard.

jafrazie Mon, 04/21/2008 - 08:37

Understood. Not counting the 1X timeout, this should run without incident today though. Here's a port config that enables 1X, MAB, along with a 3-sec timeout:

interface GigabitEthernet1/0/11
 description client-machine
 switchport access vlan 2
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout tx-period 1
 spanning-tree portfast
 spanning-tree bpduguard enable

What's gonna happen here is that every time you plug in something not enabled for 1X, the MAB process will kick in 3-sec after the link comes up (i.e. after 1X timeout). Once more machines are enabled for 1X, this is flexible to handle it as you may want both techniques enabled anyway.

Hope this helps a little,
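
The timings quoted in this thread (90 seconds by default, 3 seconds with `tx-period 1`, 2 seconds at the minimum) are consistent with a fallback delay of (max-reauth-req + 1) × tx-period. The script below is an added example, not code from any poster or from Cisco: it audits an IOS config for 802.1X ports where MAB is missing or starts late. The defaults (tx-period 30, max-reauth-req 2), the `max_delay` budget and sample ports 12 and 13 are assumptions.

```python
import re

def parse_interfaces(config_text):
    """Split an IOS config into {interface: [indented sub-commands]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface ") and not raw[0].isspace():
            current = interfaces.setdefault(line.split()[1], [])
        elif line and raw[0].isspace() and current is not None:
            current.append(line)
        elif line:
            current = None  # "!" or another global command ends the stanza
    return interfaces

def mab_fallback_delay(cmds):
    """Seconds before MAB starts: (max-reauth-req + 1) * tx-period."""
    val = {"timeout tx-period": 30, "max-reauth-req": 2}  # assumed IOS defaults
    for c in cmds:
        if m := re.fullmatch(r"dot1x (timeout tx-period|max-reauth-req) (\d+)", c):
            val[m.group(1)] = int(m.group(2))
    return (val["max-reauth-req"] + 1) * val["timeout tx-period"]

def audit(config_text, max_delay=10):
    """Map each 802.1X port to a finding; max_delay (s) is a hypothetical budget."""
    findings = {}
    for name, cmds in parse_interfaces(config_text).items():
        if "dot1x port-control auto" not in cmds:
            continue  # port is not under 802.1X control
        delay = mab_fallback_delay(cmds)
        if "dot1x mac-auth-bypass" not in cmds:
            findings[name] = "no MAB fallback"
        elif delay > max_delay:
            findings[name] = f"slow MAB fallback: {delay}s"
        else:
            findings[name] = f"ok: MAB after {delay}s"
    return findings

SAMPLE = """\
interface GigabitEthernet1/0/11
 dot1x mac-auth-bypass
 dot1x port-control auto
 dot1x timeout tx-period 1
interface GigabitEthernet1/0/12
 dot1x mac-auth-bypass
 dot1x port-control auto
interface GigabitEthernet1/0/13
 dot1x port-control auto
"""  # constructed: port 11 mirrors the thread's config, 12 and 13 are made up
```

Calling `audit(SAMPLE)` reports port 11 as ready after 3 seconds, port 12 as still on the 90-second default, and port 13 as having no MAB fallback at all.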

matthewpage Mon, 04/21/2008 - 08:46

Thanks, Jason, for the sample config. Looks pretty much the same as what I have configured.

One other thing: what happens if the switch restarts for whatever reason? How does the switch react to this sort of thing? Does it reauth all ports at once? Haven't been able to test this yet.


1cschmidt Tue, 04/22/2008 - 12:26

Hi all,

aside from a possible solution (MAC authentication by RADIUS) we deployed a centralized MAC based authentication solution several times. It is called ARP-Guard by a company called ISL. The communication between the switch (about 16 different vendors incl. Cisco of course ;-)) is based on SNMP.

Based on the MAC address it is possible to "put" the client in a special VLAN. It is possible to autolearn new MAC addresses.

If anybody is interested in special features or functionality or our concepts of deployment, please don't hesitate to contact me.


