802.1x with MAB defaulting to MAB?

Jun 5th, 2014

Hello,

I have a WLAN configured on my 5508 with WPA2/802.1x, and I have my RADIUS servers configured to accept connections from clients using EAP-TLS certificates.  This is working well.

I do however have a couple of devices that do not support EAP-TLS, and some that just don't support any 802.1x configuration.   I enabled mac filtering on the SSID, and expected it to use 802.1x if applicable, and if it fails, then use mac filtering and present the mac address as the username and password to the radius server for authentication.

Is this not how it works?

What I found happened is that it only wanted to use MAC filtering for authentication, and not EAP-TLS.

Any suggestions?

Amjad Abdullah Fri, 06/06/2014 - 04:05

Hi Dan,

As per maldehne in the following discussion, the check for the MAC address must be first; then, if it is not MAC filtering, it will check EAP:

https://supportforums.cisco.com/discussion/11765316/cisco-acs-53-mac-aut...

BTW, what is your RADIUS server?

For MAC authentication to succeed you need to check the internal hosts (if you use ACS 5.x) and you must have the MAC addresses of your clients added there.

HTH

Amjad

dan.letkeman Fri, 06/06/2014 - 06:32

So we must add 3000 MAC addresses first in order for this to work?  This is an impossible amount of work to manage and maintain.

Can we change it so it does EAP first and then mac address authentication?

The RADIUS server is FreeRADIUS.

Dan.

Amjad Abdullah Sun, 06/08/2014 - 05:17

You have to add MAC addresses only for devices that do not support EAP. You don't have to add MAC addresses for all devices.

The scenario maldehne is describing was never tested by me personally. In switch-port dot1x authentication, it will go for MAB after dot1x authentication fails (i.e. after EAP it then tries MAB). I am still a little bit confused about MAC authentication enabled with a dot1x WLAN. I understand that the client must support EAP and its MAC must be in the RADIUS as well. However, maldehne, the TAC engineer, is saying that's not the case.

If I were you I would try to put two different rules in the RADIUS server, one for EAP and one for MAC auth. The first one should be EAP. The devices that do not initiate EAP will not match the first rule and will go for the second rule, which is the MAC auth. (Not sure how that is applicable with FreeRADIUS. Another test can also be to collect all MAC addresses that do not support EAP and add them to a RADIUS rule that checks the MAC list: if the MAC is within the list it just sends Access-Accept; if not, it directs it to normal EAP authentication.)

Note that most of the trick is done on the RADIUS server, not on the WLC.

HTH

Amjad
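The second arrangement Amjad sketches (a MAC allow-list that returns Access-Accept, everything else proceeding to normal EAP) written out as an added FreeRADIUS `authorize` fragment; it is not from this thread, and it assumes FreeRADIUS 2.x syntax, a `files` module instance named `authorized_macs`, constructed MAC entries, and a WLC configured to send the client MAC in Calling-Station-Id.

```unlang
# modules/authorized_macs (FreeRADIUS 2.x syntax, assumed): a second
# instance of the "files" module keyed on the client MAC instead of
# User-Name, so the file behaves as a MAC allow-list.
files authorized_macs {
    key       = "%{Calling-Station-Id}"
    usersfile = ${confdir}/authorized_macs
}

# ${confdir}/authorized_macs (constructed entries): one line per device
# that cannot do EAP. The spelling must match what the
# rewrite_calling_station_id policy produces on your version
# (dash-separated assumed here); nothing else needs a password.
#
#   00-11-22-33-44-55
#       Reply-Message = "Printer, MAC-authorized"
#   66-77-88-99-aa-bb
#       Reply-Message = "Badge reader, MAC-authorized"

# sites-enabled/default, authorize section, reduced to the modules that
# matter here. Order implements the rule: MAC in the list -> accept;
# otherwise fall through to EAP; plain MAC-filter request for an
# unknown MAC -> reject.
authorize {
    preprocess

    # Normalise Calling-Station-Id (aa:bb:cc:.. / aabbcc.. -> aa-bb-cc-..)
    rewrite_calling_station_id

    # Look the MAC up in the allow-list; the module returns "ok" on a hit
    authorized_macs
    if (ok) {
        # Known non-EAP device: accept without checking User-Password
        update control {
            Auth-Type := Accept
        }
    }
    elsif (EAP-Message) {
        # Unknown MAC, but the supplicant is doing 802.1X: let the eap
        # module set Auth-Type so EAP-TLS runs exactly as before
        eap
    }
    else {
        # Unknown MAC and no EAP-Message: a bare MAC-filter request
        reject
    }
}
```

This only decides what the RADIUS server answers; whether the WLC goes on to attempt 802.1X for a client after the MAC-filter exchange is a controller-side question that this fragment does not change.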

dan.letkeman Sun, 06/08/2014 - 15:15

This sounds interesting.

I did open up a TAC case and they told me that I would have to set up another WLAN for devices that did not support 802.1x/EAP.

Do you know if the WLC will send MAC authentication or EAP authentication information first?

Can this be done with Windows RADIUS servers?  Have you done this?

Dan.
