802.1x authentication with mac address

jvalin__s

Hi guys,

There is a strange requirement from one of our customers.

They want us to do 802.1x with MAC address authentication, and they don't want the pop-ups which ask for username, password and domain.

Is it possible?

Can I avoid popping up the username and password with 802.1x, and that too with MAC address?

Any help would be greatly appreciated

Thanks

Jvalin


kush.sri2001

Hi,

The feature which you are looking for is possible in the case of wired 802.1x. This feature is called MAC-Auth Bypass and is done mostly if the client machine is not 802.1x capable. However, nowadays it is used even if the machine is 802.1x capable. In this, we enter the MAC address of the machine in the user database, e.g. Active Directory. When you connect the client machine to the switch, if we have MAC-Auth Bypass enabled on the port, it would take the MAC address of the machine as the username without any prompt for username and password.

A Windows server admin can easily push a group policy which disables 802.1x on the client machine, and it would only respond to the MAC-Auth Bypass. But first you would have to make sure your switch has MAC-Auth Bypass in the IOS.

For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf

Regards,

Kush

So Kush,

Is it necessary for me to configure the commands for 802.1x on the port, or only MAC-Auth Bypass?

Hi,

Yes, you would have to configure 802.1x on the switch and on the port.

To enable 802.1x globally on the switch, enter the command "dot1x system-auth-control".

On the interface, type the following commands:

- dot1x port-control auto

- dot1x mac-auth-bypass

Regards,

Kush

Kush,

I got your idea,

but the link which you pasted says that MAB will start only when 802.1x times out.

Also, it would take 90 seconds for the users to get access.

One more sentence has been written: on a port on which a user has been authenticated through MAC bypass, if another user tries to connect on the same port, it is considered a security violation.

Do you have any idea on this?

Regards,

Jvalin
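
An added example, not part of any post in this thread: a Python check over a switch config that applies the port requirements from Kush's answer and estimates the wait before MAB starts. The sample config, the helper names and the default timer values (30-second tx-period and 2 retries, which give the 90 seconds mentioned above) are assumptions, and the `dot1x timeout tx-period` and `dot1x max-reauth-req` commands do not appear in the thread.

```python
import re

# Constructed sample config (not from the thread): three ports with different MAB setups.
SAMPLE_CONFIG = """\
dot1x system-auth-control
!
interface GigabitEthernet0/1
 dot1x port-control auto
 dot1x mac-auth-bypass
!
interface GigabitEthernet0/2
 dot1x mac-auth-bypass
!
interface GigabitEthernet0/3
 dot1x port-control auto
 dot1x mac-auth-bypass
 dot1x timeout tx-period 10
 dot1x max-reauth-req 1
"""

TX_PERIOD, MAX_REAUTH = 30, 2  # assumed IOS defaults; MAB starts after tx * (retries + 1) s

def timer(cmds, prefix, default):
    """Integer argument of the first `prefix <n>` command, else the default."""
    hits = [int(c[len(prefix):]) for c in cmds if re.fullmatch(re.escape(prefix) + r" \d+", c)]
    return hits[0] if hits else default

def audit_mab(config):
    """Return (global_enabled, {port: {"issues": [...], "mab_delay": seconds or None}})."""
    global_enabled, ports, current = False, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:  # any other line ends the interface block
            current = None
            global_enabled = global_enabled or line.strip() == "dot1x system-auth-control"
    report = {}
    for name, cmds in ports.items():
        if "dot1x mac-auth-bypass" not in cmds:
            continue  # only ports that use MAB are audited
        issues = [] if global_enabled else ["802.1X not enabled globally"]
        if "dot1x port-control auto" not in cmds:
            issues.append("missing 'dot1x port-control auto'")
        delay = timer(cmds, "dot1x timeout tx-period", TX_PERIOD) * (
            timer(cmds, "dot1x max-reauth-req", MAX_REAUTH) + 1)
        report[name] = {"issues": issues, "mab_delay": None if issues else delay}
    return global_enabled, report
```

Shorter timers reduce the wait for MAC-only devices but also give a slow 802.1X supplicant less time to answer before the port falls back to MAB.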
