Configuring Mac Authentication Bypass (MAB) with a Cisco switch and Symantec LAN Enforcer

Article ID: 158231

Products

Network Access Control Enforcer 6100 Series Appliance Network Access Control

Issue/Introduction

What are the steps for configuring Mac Authentication Bypass (MAB) with a Cisco switch and Symantec LAN Enforcer?

 

Resolution

MAC Authentication Bypass (MAB) requires a compatible switch. Examples of compatible Cisco switches are the 2960 and 3750. The exact steps and commands may vary between switch models and IOS versions.

This article will provide the steps for using a local MAB database on the Enforcer; to use LDAP see the additional steps in article TECH91734.

The steps below assume an already working LAN Enforcer and Cisco switch setup. For basic configuration steps see article HOWTO74619.

 

Configuration steps on the Cisco switch

To enable MAB for a port on the switch:

  • >enable
  • #configure terminal
  • #interface fa0/1
  • # mab
  • # exit
  • #exit

To change the authentication priority so that the switch attempts MAB before waiting for the dot1x authentication timeout to occur (optional):

  • >enable
  • #configure terminal
  • #interface fa0/1
  • # authentication order mab dot1x webauth
  • # authentication priority mab dot1x webauth
  • # exit
  • #exit

Configuration steps on the Symantec LAN Enforcer

To enable MAB and add the MAC address of a client that should be authenticated via MAB:

  • (log in as "root")
  • mab
  • show (to display the current settings)
  • database
  • add 00:11:43:0A:63:AA
  • exit

In this configuration the client will report EAP:PASS and UNAVAILABLE for the Host Integrity and Profile status; whether the port is opened, closed, or assigned to a particular VLAN depends on the switch actions configured for the LAN Enforcer group on the Symantec Endpoint Protection Manager (SEPM).

A different configuration is available using mab-override, where the switch action table is ignored, and the port is opened from the MAB authentication alone. This requires the following additional steps on the Enforcer:

  • (log in as "root")
  • mab
  • show (to display the current settings)
  • mab-override enable
  • mab-accept action open-port (different actions are available, including assignment to a particular VLAN)
  • mab-reject action close-port
  • exit

The MAB database on the Enforcer can also be loaded from a TFTP server using the "mab" and "download tftp" commands. Starting from version 12.1 the MAB database can also be populated directly from the SEPM Enforcer group configuration.

 

Troubleshooting

See article TECH103211 for how to debug the Symantec LAN Enforcer. The information relevant to MAB will be in the kernel log (use the "debug show kernel live" command from the CLI).

Example kernel.log output when MAB is activated without mab-override:

Jul/22/2013 11:37:52  [  radproxy.c][10178]: MAB Request for 00-11-43-0a-63-aa from 192.168.9.250
Jul/22/2013 11:37:52  [  radproxy.c][10191]: MAC 00-11-43-0A-63-AA found in local MAC database!

Jul/22/2013 11:37:52  [  radproxy.c][ 8308]: Action table rule order 1 matched! vlan_index=0, vlan_id=0
Jul/22/2013 11:37:52  [  radproxy.c][ 8489]: Client[000015f9] 0011430a63aa, Status Received(HI:UNAVAILABLE, EAP:PASSED, PRO:UNAVAILABLE), UID is UNKNOWN, Enforcer matches(HI:ANY, EAP:PASSED, PRO:ANY), OPEN_PORT on switch 192.168.9.250.
 

Example kernel.log output when MAB is activated in mab-override mode:

Jul/22/2013 11:15:25  [  radproxy.c][10178]: MAB Request for 00-11-43-0a-63-aa from 192.168.9.250
Jul/22/2013 11:15:25  [  radproxy.c][10191]: MAC 00-11-43-0A-63-AA found in local MAC database!

Jul/22/2013 11:15:25  [  radproxy.c][ 8339]: Query MAB action table.
Jul/22/2013 11:15:25  [  radproxy.c][ 8527]: Client[000015f2] 0011430a63aa, Status Received(MAB:PASSED), Enforcer matches(MAB action table: accept), OPEN_PORT on switch 192.168.9.250.

 

Example kernel.log output when the client MAC address is not present in the Enforcer MAB database:

Jul/22/2013 11:22:46  [  radproxy.c][10178]: MAB Request for 00-11-43-0a-63-aa from 192.168.9.250
Jul/22/2013 11:22:46  [  radproxy.c][  791]: Radius is invalid for client 0011430a63aa! EAP is set to FAILED

Jul/22/2013 11:22:46  [  radproxy.c][ 8308]: Action table rule order 3 matched! vlan_index=0, vlan_id=0
Jul/22/2013 11:22:46  [  radproxy.c][ 8489]: Client[000015f4] 0011430a63aa, Status Received(HI:UNAVAILABLE, EAP:FAILED, PRO:UNAVAILABLE), UID is UNKNOWN, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), CLOSE_PORT on switch 192.168.9.250.