Cisco Support Community

New Member

Cisco Solution similar to dot1x

Does Cisco have a user authentication solution (like MAC-address based VLANs) that does not use the dot1x methodology?

I mentioned a user-authentication scheme using dot1x and he jabber-jawed about a Cisco solution that does not require a dot1x agent to run on the client machine.

Which Cisco solution offers MAC-address-based authentication and VLAN placement that doesn't use dot1x and does not require an agent to be running on the client machine?

Thanks

1 ACCEPTED SOLUTION

21 REPLIES
Hall of Fame Super Bronze

Re: Cisco Solution similar to dot1x

I'm not aware of any solution that is similar to dot1x - perhaps 3rd party solution?

With that said, all solutions need some kind of client at the workstation.

New Member

Re: Cisco Solution similar to dot1x

Edison:

According to the client, they are using a Cisco product (I believe it is ACS 5.0).

He described user authentication accordingly:

-- client plugs into switch and automatically broadcasts its MAC address (why would a client machine do this automatically? DHCP?)

-- the switch snags that address and reaches out to a backend authentication server

-- the switch receives a successful authentication response from the server and allows the user into the network


According to him, no agent is necessary on the client machine.

Any ideas now?

Thanks

Hall of Fame Super Blue

Re: Cisco Solution similar to dot1x

ex-engineer wrote:

Edison:

According to the client, they are using a Cisco product (I believe it is ACS 5.0).

He described user authentication accordingly:

client plugs into switch and automatically broadcasts its MAC address (why would a client machine do this automatically? DHCP?)

the switch snags that address and reaches out to a backend authentication server

the switch receives a successful authentication response from the server and allows the user into the network


According to him, no agent is necessary on the client machine.

Any ideas now?

Thanks

This sounds a little like VMPS where you store a copy of all the machines' MAC addresses and when the machine boots up the switch sends the MAC address to the VMPS server, and if the server has the MAC address it tells the switch which VLAN to place the machine into.

But VMPS is -

a) old - only available on CatOS as far as I know

b) used primarily not to authenticate the machine but for dynamic vlan assignment

c) does not need or use an ACS server

so like Edison I'm not aware of what they are referring to.

Jon

New Member

Re: Cisco Solution similar to dot1x

Jon, I think you're right. Besides telling me that they are using ACS 5.0, he did mention a "policy server." And the description he gave sounds exactly like VMPS.

VMPS does not require a client agent. Once the client is plugged in, it will send out frames with its own MAC address (I guess because of DHCP or some other client traffic) as the source address, of course, and the switch will take note of it and send it to the VMPS server for DVLAN assignment.

According to this document, it is supported on IOS after a certain version....

http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/release12.0_5_xp/eeswcfg/mascvmps.html

So that's resolved.

So now I have three questions as corollaries: (Sorry to be a pain in the @ss)

1) Is VMPS still available and supported today?

2) Has Cisco abandoned this solution in favor of the dot1x industry standard in which an agent MUST exist on the client?

3) If Cisco is now offering dot1x solutions to DVLAN assignment (MAC-based), is it offering an appliance to act as the RADIUS server or does one have to deploy 3rd party RADIUS software and load it on a generic x86 server?

Thanks very much!

Cisco Employee

Re: Cisco Solution similar to dot1x

Jon,

Absolutely correct, this is VMPS. Regarding the VMPS, at least the client functionality is apparently happily supported also on the most recent IOS versions for 2960/3560 switches (I assume the same goes for higher Catalyst platforms as well). There are also open-source implementations of the VMPS server for Linux available, one of them being FreeRadius.

Best regards,

Peter

New Member

Re: Cisco Solution similar to dot1x

Peter, thank you for your input.

Let me see if I understand what you're saying.

VMPS is indeed still available and supported? If so, on which platforms?

And are you saying that a 3rd party version of VMPS is also available? If so, how does it work? You would still need a Cisco switch to act as the client, correct? It's not as though switches other than Cisco support VMPS, right?

I was under the impression that Cisco has pretty much abandoned VMPS as a solution and is now offering a suite of network access control solutions under the TrustSec umbrella that now leverage dot1x. What do you know about that?

Hall of Fame Super Blue

Re: Cisco Solution similar to dot1x

ex-engineer wrote:

Peter, thank you for your input.

Let me see if I understand what you're saying.

VMPS is indeed still available and supported? If so, on which platforms?

And are you saying that a 3rd party version of VMPS is also available? If so, how does it work? You would still need a Cisco switch to act as the client, correct? It's not as though switches other than Cisco support VMPS, right?

I was under the impression that Cisco has pretty much abandoned VMPS as a solution and is now offering a suite of network access control solutions under the TrustSec umbrella that now leverage dot1x. What do you know about that?

VMPS client functionality, i.e. the switch being able to forward the request onto a VMPS server, is still supported on Cisco IOS, although whether or not it is on all switches I would need to check.

The VMPS server functionality has however been discontinued as far as I am aware, i.e. it was never ported over from CatOS. Peter has confirmed that at least FreeRadius can act as a VMPS server (which I didn't know) but yes, you will still need the Cisco switches to be able to forward on the client request to the VMPS server.

Cisco have for some time pushed dot1x as the solution for dynamic VLAN assignment as well as authentication etc., so that is, I believe, their preferred solution. But as you say the client must have a dot1x client, whether that be inbuilt into the OS such as Microsoft or a 3rd party add-on client.

Jon

Cisco Employee

Re: Cisco Solution similar to dot1x

Hello all,

Jon, thanks for replying. Yes, it seems that the VMPS Server functionality is indeed present only in the CatOS operating system on 4500/6500 switches.

Regarding the 3rd party solutions for the VMPS Server functionality, there is the FreeRadius (as I mentioned earlier) and also the vmpsd - you can find it on SourceForge. There also seem to be some other, mainly unsupported implementations. The FreeRadius contains the only maintained VMPS server implementation as far as I know.

That being said, I agree absolutely with Jon that the VMPS functionality has not been "pushed forward" for a long time, coinciding with the arrival of the 802.1X and RADIUS-based authentication including dynamic VLAN membership. As this solution is open and widely supported, Cisco seems to be focusing on this functionality.

To respond to the questions:

VMPS is indeed still available and supported? If so, on which platforms?

VMPS client functionality is supported on all recent or almost-recent access-layer switches running IOS, i.e. 2950, 2960, 3550, 3560, etc. This can be verified by having a look into the Configuration Guide about these switches, usually in the section "Configuring VLANs" or "Configuring VLANs and VTP".

And are you saying that a 3rd party version of VMPS is also available? If so, how does it work? You would still need a Cisco switch to act as the client, correct? It's not as though switches other than Cisco support VMPS, right?

Yes, VMPS Server functionality is available on the software mentioned earlier. You still need a Cisco switch to act as the VMPS Client. To my best knowledge, no other vendors support the VMPS or the VQP protocol that is used to communicate between the client switch and the server.

I was under the impression that Cisco has pretty much abandoned VMPS as a solution and is now offering a suite of network access control solutions under the TrustSec umbrella that now leverage dot1x. What do you know about that?

I cannot comment on that with absolute certainty but it seems obvious that the 802.1X is the preferred method of doing this right now, as it essentially bundles many useful things together, not just dynamic VLANs but the entire issue of connecting an authorized client to a network securely and appropriately. The VMPS is not being preferred anymore but as a technology that basically works and works nicely, nobody is probably going to throw it out from the IOS just yet (though that will probably happen at some time in the future).

Best regards,

Peter

Hall of Fame Super Blue

Re: Cisco Solution similar to dot1x

Peter

Yes, I should have been more precise in what I said. It is the VMPS server that I believe is no longer supported by Cisco and was never implemented on IOS, rather than the VMPS client functionality.

Jon

New Member

Re: Cisco Solution similar to dot1x

In their latest versions of IOS for Catalyst switches, Cisco introduced something they call MAB, MAC Authentication Bypass. You need a RADIUS server to make this work. I've been playing with this feature last week.

You configure the ports to use 802.1X but tell it to use MAB first: as soon as a MAC address becomes visible on a port, this MAC address is sent to the RADIUS server, which has entries in the form 'username=mac' passw='mac'. If the MAC address is known, the RADIUS server sends an accept and the port is placed in the access VLAN. If the MAC is not found, the port is put in a guest VLAN.

This works fine in an environment where one device is connected to one switch port. In our environment, where we have a lot of non-manageable desktop switches, this doesn't work very well, although Cisco has multi-host and multi-auth options also. This also can be used in an environment with IP phones and the local PC connected to the switch port on the phone.

Just look for MAB in the release notes and configuration manuals for more info.

Wim Holemans

New Member

Re: Cisco Solution similar to dot1x

Folks:

Thank you very much for your time and attention.

I needed detailed explanations because I have a client who is really turned off by the fact that dot1x requires an agent that must be configured on the client. They want a plug and play mac-based VLAN solution. I have read some of the white paper on MAB and it speaks to the question I have about whether port-based authentication/DVLAN is STILL available to non-compliant dot1x clients. And the answer is yes. Great feedback!

This is an excellent discussion... another follow-up question...

How does dot1x respond to non-compliant clients - for example, clients that do not have dot1x functionality at all, like printers or older OSs? I imagine that it is a function of the switch functionality and configuration and its ability to respond to failed dot1x logons. There are also 2 types of "failures": one because a client does not run dot1x or because the dot1x client is indeed unauthorized.

Any thoughts on this?

Thank you once again

Cisco Employee

Re: Cisco Solution similar to dot1x

Hello,

For clients that do not support the 802.1X at all (they do not have any 802.1X supplicant installed), a so-called Guest VLAN can be configured on an access port. The Guest VLAN can contain clients that do not support the 802.1X, optionally allowing them access to servers where they can download 3rd party 802.1X supplicant and afterwards be able to authenticate.

For clients that do support the 802.1X but who fail to authenticate (for example, their OS has a built-in supplicant but they do not have any valid RADIUS account right now), there is another VLAN called Restricted VLAN or Authorization Failed VLAN (both terms are synonymous).

You can read more about them and their configuration here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1176660

Best regards,

Peter

Hall of Fame Super Blue

Re: Cisco Solution similar to dot1x

ex-engineer wrote:

Folks:

Thank you very much for your time and attention.

I needed detailed explanations because I have a client who is really turned off by the fact that dot1x requires an agent that must be configured on the client. They want a plug and play mac-based VLAN solution. I have read some of the white paper on MAB and it speaks to the question I have about whether port-based authentication/DVLAN is STILL available to non-compliant dot1x clients. And the answer is yes. Great feedback!

This is an excellent discussion... another follow-up question...

How does dot1x respond to non-compliant clients - for example, clients that do not have dot1x functionality at all, like printers or older OSs? I imagine that it is a function of the switch functionality and configuration and its ability to respond to failed dot1x logons. There are also 2 types of "failures": one because a client does not run dot1x or because the dot1x client is indeed unauthorized.

Any thoughts on this?

Thank you once again

In addition to what Peter has posted, for printers, old OSs etc., bear in mind dot1x authentication is a function of the port configuration, i.e. you don't have to configure that port for dot1x authentication. The primary purpose of dot1x is to stop unauthorised users connecting to your network, whereas your printer and server setup should be tightly controlled and fairly static, so dot1x on servers is not often seen, or at least wasn't when I was involved with it.

In answer to the client's concern about a 802.1x supplicant, bear in mind Windows at least, and I believe now a fair number of Unix OSs, have them inbuilt, so there is no need for additional software to be loaded. It does still need configuring obviously but, as alluded to before, you get a lot more functionality using an 802.1x supplicant, i.e. machine authentication, user authentication with or without certificates etc. It is trivial on most modern machines to alter a MAC address.

Jon

New Member

Re: Cisco Solution similar to dot1x

Good stuff, guys..

Thanks! rated...

New Member

Re: Cisco Solution similar to dot1x

Guys:

I need to be clear on a few things. Please excuse me; I am not being a maniac.

I know that with dot1x, which Cisco switches support, a client (supplicant) can be authenticated, using their username and password, and then placed in a VLAN. The authentication server (RADIUS server) is what is doing the authentication and the placement of a client in a VLAN. OK, simple enough. Got it!

That having been said, what I need is for a client to be placed in a VLAN based on their MAC address, similar to Cisco's old VMPS system. However, whenever I read about dot1x authentication and dynamic VLAN assignment, it is always about authenticating a client based on their username and password (they even show you how to set the supplicant up in Windows), and then doing the VLAN assignment.

I NEVER see anything about VLAN assignment based on MAC address when using dot1x. Does anyone have a document that talks about this?

Sorry to be a BIG pain in the @ss!

Thanks

Cisco Employee

Re: Cisco Solution similar to dot1x

Hello,

Hey, you're absolutely NOT any pain in wherever. These forums are for discussion of exactly this kind, so you are most welcome!

To your question: actually, it is already answered in this thread by Wim:

https://supportforums.cisco.com/message/3202912#3202912

There is a functionality called the MAC Authentication Bypass that allows you to authenticate the clients against the RADIUS with their MAC addresses, not with their usernames/passwords. Read about it here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1205506

This being said, in one of the earlier posts, Jon has very correctly pointed out that it is absolutely no problem in today's operating systems to change your MAC address at will, so basing the solution solely on MAC addresses is ... questionable at best from the security perspective. I understand that it is not your choice but your client should be aware of that (perhaps a small demonstration of an employee learning the MAC address of some highly authorized station and modifying his own MAC to impersonate that station and gaining access to the privileged VLAN could do the trick). Sometimes, explanations do not help but practical examples with a little showmanship added to it might just be enough.

Best regards,

Peter

Cisco Employee

Re: Cisco Solution similar to dot1x

Hi,

Yes, you can do VLAN assignment using only the MAC address of the machines as authentication data.

As mentioned before, you can use MAB (MAC Authentication Bypass) on the dot1x port, and it will be transparent for the machine connected to the port.

You can connect printers, pcs, etc, that do not have any kind of dot1x supplicant.

The only thing needed is that the switch see traffic from the client so it can learn its mac address.

Then the switch itself will get the mac address and use it as username and password to authenticate the client machine.

On the RADIUS server you have to configure a user with the MAC address as username and password. Then you can decide if you want to send VLAN attributes on the Access-Accept so that the port goes to a specific VLAN.

Example: On ACS you create a group named printers. And you configure on this group the vlan attributes (attribute 64,65,81) to return VLAN 100.

You create the printers' accounts using their MAC address and assign them to the printers group.

Then every printer that you connect to a dot1x port with MAB enabled will be authenticated and the port put into VLAN 100.

Hope this helps you.

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

New Member

Re: Cisco Solution similar to dot1x

Folks, thanks again.

I see that Cisco has a solution and its MAB. OK...

What about if I don't want to use a Cisco appliance or solution? Will MAB even work with non-Cisco switches?

Does RADIUS, as an open standard operating within the dot1x architecture, allow for dynamic VLAN assignment based on MAC addresses?

I think the answer is yes and the way to do it is to use the machine's MAC address as the username and password. I know that MAB uses this approach, but I think it can be the same thing with a general RADIUS deployment. This way you can repurpose the username/password authentication behavior of RADIUS to create a dynamic VLAN assignment based on MAC address solution.

Thoughts?

Cisco Employee

Re: Cisco Solution similar to dot1x

Hello,

In a very general approach, a RADIUS server assigning VLANs dynamically based on stations' MAC addresses is possible if the RADIUS server actually gets to know the client's MAC address. That can happen via two ways: either the MAC is used as the username, or it is included as an additional attribute of a certain type in the Access-Request message sent from a switch towards the RADIUS server. A RADIUS server can provide its answer based on any attribute in the Access-Request message, be it a username or a different field that is "parseable" and comparable to a predefined template value (actually, this depends on particular RADIUS implementation what matching capabilities it provides you with - the FreeRADIUS is very flexible in this aspect).

The ramifications of this should be clear. In usual 802.1X environments, the Access-Request is sent from a switch as a result of EAPOL frame exchange detected on a switchport. If no EAPOL exchange takes place, no communication with the RADIUS server will be performed, so no authentication/DVLAN assignment can be done. The MAB circumvents this by simply waiting for any frame arriving from a connected station, learning the source MAC and constructing an Access-Request message without performing any EAPOL handshake with the PC, using the learned MAC as the username. Thus, it is not an added intelligence of a RADIUS server nor a client's issue; it is solely an intelligence added on the switch (the authenticator). Without a switch able to do this "trick", the RADIUS environment falls back to the EAPOL exchange between the switch and the station to exchange the credentials information.

A different vendor implementation must in essence do a very similar procedure - wait for a frame to arrive, learn the source MAC, and upon learning it, construct an Access-Request message and somehow use the MAC address in this message - either as a username or some other (possible vendor-specific) attribute. The RADIUS server itself is actually not responsible for this - it merely receives the Access-Request message, processes it and responds accordingly. It must be the added intelligence in the switch (the authenticator) that actually acts on behalf of client's MAC address without performing any EAPOL message exchange.

I know I have not given you any definitive answer but I am afraid that there is none. Really, this entire issue depends on whether a particular switch is so intelligent that it can use the client's MAC address without needing the EAP/credentials exchange to talk to the RADIUS server in order to authenticate the station.

Best regards,

Peter
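To make the MAB exchange concrete, here is an added model (not code from the thread, from Cisco, or from any RADIUS product) that follows Wim's description, the ACS "printers" example and Peter's explanation above: the authenticator turns a learned source MAC into an Access-Request with no EAPOL exchange, the server answers a known MAC with Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID (attributes 64/65/81), and the switch places the port accordingly. The MAC addresses, shared secret and VLAN numbers are constructed; the attribute layout follows RFC 2865 and RFC 2868.

```python
"""MAB with RADIUS dynamic VLAN assignment, modelled as the thread describes it.
Constructed example: MACs, shared secret and VLAN numbers are made up; attribute
numbers 1, 2, 64, 65 and 81 are the standard RADIUS ones (RFC 2865 / RFC 2868)."""
import hashlib
import os

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
USER_NAME, USER_PASSWORD = 1, 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6                  # Tunnel-Type / Tunnel-Medium-Type values
SECRET = b"constructed-shared-secret"   # constructed; known to switch and RADIUS
PRINTERS = {"001a2b3c4d5e": 100, "001a2b3c4d5f": 100}  # "printers" group -> VLAN 100

def mab_username(mac: str) -> str:
    """Learned MAC -> the default MAB User-Name: 12 lowercase hex digits, no separators."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def pap_hide(data: bytes, secret: bytes, authenticator: bytes, decrypt=False) -> bytes:
    """RFC 2865 User-Password hiding: XOR each 16-octet block with MD5(secret + previous block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (chunk if decrypt else block)   # always chain on ciphertext
    return out

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value   # type, total length, value

def tagged(atype: int, value, tag: int = 1) -> bytes:
    """RFC 2868 tunnel attribute: tag octet, then a 3-octet integer or a string."""
    body = value.to_bytes(3, "big") if isinstance(value, int) else value.encode()
    return attr(atype, bytes([tag]) + body)

def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):   # reject lengths running past the buffer
            raise ValueError("malformed attribute")
        attrs[atype], i = data[i + 2:i + alen], i + alen
    return attrs

def build_mab_request(mac: str, secret: bytes):
    """Authenticator side: no EAPOL at all; the learned MAC is both User-Name and User-Password."""
    user = mab_username(mac).encode()
    authenticator = os.urandom(16)
    hidden = pap_hide(user + b"\x00" * (-len(user) % 16), secret, authenticator)
    return authenticator, attr(USER_NAME, user) + attr(USER_PASSWORD, hidden)

def radius_decide(req: bytes, authenticator: bytes, secret: bytes, accounts: dict):
    """Server side: accept a known MAC whose password is that MAC; answer with 64/65/81."""
    a = parse_attrs(req)
    user = a[USER_NAME].decode()
    password = pap_hide(a[USER_PASSWORD], secret, authenticator, True).rstrip(b"\x00").decode()
    if password != user or user not in accounts:
        return ACCESS_REJECT, b""
    return ACCESS_ACCEPT, (tagged(TUNNEL_TYPE, VLAN) + tagged(TUNNEL_MEDIUM_TYPE, IEEE_802)
                           + tagged(TUNNEL_PRIVATE_GROUP_ID, str(accounts[user])))

def port_vlan(code: int, resp: bytes, access_vlan: int, guest_vlan: int) -> int:
    """Switch side: Reject -> guest VLAN; Accept with the VLAN triple -> that VLAN; else port's own."""
    if code != ACCESS_ACCEPT:
        return guest_vlan
    a = parse_attrs(resp)
    group = a.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if (a.get(TUNNEL_TYPE, b"")[1:] != VLAN.to_bytes(3, "big")
            or a.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != IEEE_802.to_bytes(3, "big") or not group):
        return access_vlan
    return int((group[1:] if group[0] <= 0x1F else group).decode())   # first octet may be a tag

def mab_outcome(mac: str, accounts=PRINTERS, access_vlan=10, guest_vlan=999) -> int:
    """End to end: the VLAN a port ends up in for a station whose source MAC is `mac`."""
    authenticator, req = build_mab_request(mac, SECRET)
    code, resp = radius_decide(req, authenticator, SECRET, accounts)
    return port_vlan(code, resp, access_vlan, guest_vlan)   # any station with a printer's MAC gets 100
```

Note that nothing in the exchange identifies the station beyond its MAC, which is exactly why Jon and Peter call a MAC-only policy questionable.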

New Member

Re: Cisco Solution similar to dot1x

Peter, thank you very much for that outstanding and thoughtful answer.

My understanding is that dot1x dynamic vlan assignment based on MAC addresses is sort of a bastardized version of dot1x authentication. Leveraging RADIUS, the dot1x architecture solution typically authenticates a user based on their username and password and from there can assign a VLAN.

I also agree that MAC-based VLANs can be difficult to implement in a dot1x world. And MAB and VMPS are really proprietary solutions.

I am trying to convince the client to drop the MAC-based dynamic VLAN requirement and just assign a VLAN based on typical username and password authentication.

Thanks

Cisco Employee

Re: Cisco Solution similar to dot1x

Hello,

I am very glad to have helped, and thank you very much for your generous rating!

My understanding is that dot1x dynamic vlan assignment based on MAC addresses is sort of a bastardized version of dot1x authentication.

Absolutely. I couldn't say it better.

I am trying to convince the client to drop the MAC-based dynamic VLAN requirement and just assign a VLAN based on typical username and password authentication.

Very good. Without a special (probably proprietary) functionality on a switch like MAB and/or some special software on a station, assigning dynamic VLANs based just on MAC address in a RADIUS environment is next to impossible.

I even remember a statement from my BCMSN training saying that dynamic VLANs are not consistent with Cisco's Enterprise Composite Network Model and won't be discussed further. I would generally agree with this. The dynamic nature of these VLANs that essentially "run after their own users" throughout a switched domain brings a level of flexibility but also breaks a lot of recommendations about local VLANs and their best management practices we're used to seeing in usual two- or three-layer designs.

Best regards,

Peter
