NAC (for Cisco – Network Admission Control) or NAP (for Microsoft – Network Access Protection) in conjunction with 802.1x will be standard for authenticating network components and allowing them access to the network. At least in the future.
In the near future I am going to implement dynamic switch port security on a network. I would like to use 802.1x, but not all components are supporting 802.1x at the moment. While searching for documentation about the configuration of 802.1x, I found a backup authentication method for 802.1x with the name MAC Authentication Bypass (MAB). If a network component doesn’t support 802.1x, it uses its MAC address for authentication.
Much like the Guest-VLAN, MAB operates based on an 802.1x timeout condition. After a switch port can ascertain that an 802.1x supplicant is not present on the port, it falls back to checking the MAC address (which is an authentication technique of lesser security). After timing out 802.1x on the port, a MAC address can be learned by the switch through classic MAC learning techniques. after a MAC address is learned by the switch, it can then be authenticated by RADIUS initiation. The MAC address is used as username AND password in the RADIUS request. This means you should create an account with the MAC address as username and password.
I found some documentation about on the Cisco website, but I don’t have a suitable router at home for testing MAB. Looking at the PDF you should use the following commands in global config and on a switch port:
aaa authentication dot1x default group radius
aaa authorization network default group radius
switchport access vlan 2
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
dot1x timeout tx-period 1
dot1x max-reauth-req 1
spanning-tree bpduguard enable
When I have the appropriate equipment, I will do some testing on MAB. But I am curious if somebody already tested MAB or maybe already implemented MAB? What are the caveats during testing and/or implementing? How does MAB work in conjunction with features like Wake-On-LAN, DHCP and Voice VLAN’s?