What are the steps for configuring MAC Authentication Bypass (MAB) with a Cisco switch and Symantec LAN Enforcer?
MAC Authentication Bypass (MAB) lets a device that cannot run an 802.1X supplicant (a printer or IP phone, for example) be authenticated by its MAC address instead. MAB requires a compatible switch. Examples of compatible Cisco switches are the Catalyst 2960 and 3750. The exact steps and commands may vary between switch models and IOS versions.
This article will provide the steps for using a local MAB database on the Enforcer; to use LDAP see the additional steps in article TECH91734.
The steps below assume an already working LAN Enforcer and Cisco switch setup. For basic configuration steps see article HOWTO74619.
To enable MAB for a port on the switch:
To change the authentication order and priority so that the switch attempts MAB immediately instead of waiting for the 802.1X (dot1x) authentication timeout to expire (optional):
To enable MAB on the Enforcer and add the MAC address of a client that will use MAB authentication:
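The switch side of the steps above, as an added example that is not from the original article or from Symantec: a Cisco IOS access-port configuration with MAB enabled and ordered before 802.1X. It assumes a Catalyst 2960/3750 running an IOS release that has the "mab" and "authentication order"/"authentication priority" commands (older releases use "dot1x mac-auth-bypass" on the interface instead of "mab"). The interface name, VLAN number and the printer description are placeholders; the global AAA and RADIUS settings are assumed to already be in place per HOWTO74619 and are shown only for context. The Enforcer-side commands are not reproduced here.

```cisco
! Added example (not from the article): MAB-enabled access port on a Catalyst 2960/3750.
! Global AAA is assumed to be working already (HOWTO74619); shown for context only.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
! radius-server host <enforcer-ip> key <shared-secret>   (the LAN Enforcer proxies RADIUS for the switch)
!
! Placeholder interface, VLAN and description.
interface GigabitEthernet1/0/10
 description Printer without 802.1X supplicant (MAB client 0011.430a.63aa)
 switchport mode access
 switchport access vlan 10
 ! Port stays closed until the client is authorized by RADIUS
 authentication port-control auto
 dot1x pae authenticator
 ! Step "enable MAB for a port": the switch sends the client MAC address
 ! as RADIUS username/password (PAP) to the Enforcer when no supplicant answers
 mab
 ! Optional step "change the authentication priority": try MAB first instead
 ! of waiting for the dot1x timeout, but let a real 802.1X supplicant take over
 ! a MAB-authorized session if one appears later
 authentication order mab dot1x
 authentication priority dot1x mab
```

Check the result with "show authentication sessions interface GigabitEthernet1/0/10" (or "show mab interface" on releases that support it): the session should show method mab and, after the Enforcer accepts the MAC, status Authz Success. Because MAB authenticates nothing more than a MAC address, which any host can spoof, restrict it to ports that genuinely need it and keep the MAC list on the Enforcer limited to known devices.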
In this configuration the Enforcer reports EAP:PASS for the client and UNAVAILABLE for the Host Integrity and Profile status; whether the port is opened, closed, or assigned to a particular VLAN depends on the switch actions configured for the LAN Enforcer group on the Symantec Endpoint Protection Manager (SEPM).
A different configuration is available using mab-override, in which the switch action table is ignored and the port is opened on the basis of the MAB authentication alone. Because the port is then opened without any Host Integrity or profile check, limit mab-override to devices that cannot run the client. This requires the following additional steps on the Enforcer:
The MAB database on the Enforcer can also be loaded from a TFTP server using the "mab" and "download tftp" commands. Starting with version 12.1, the MAB database can also be populated directly from the SEPM Enforcer group configuration.
See article TECH103211 for how to debug the Symantec LAN Enforcer. The information relevant to MAB is written to the kernel log (use the "debug show kernel live" command from the CLI). The examples below show what to expect for a MAC address that is found in the local database and for one that is not.
Example kernel.log output when MAB is activated without mab-override:
Jul/22/2013 11:37:52 [ radproxy.c]: MAC 00-11-43-0A-63-AA found in local MAC database!
Example kernel.log output when MAB is activated in mab-override mode:
Jul/22/2013 11:15:25 [ radproxy.c]: MAC 00-11-43-0A-63-AA found in local MAC database!
Jul/22/2013 11:15:25 [ radproxy.c][ 8527]: Client[000015f2] 0011430a63aa, Status Received(MAB:PASSED), Enforcer matches(MAB action table: accept), OPEN_PORT on switch 192.168.9.250.
Example kernel.log output when the client MAC address is not present in the Enforcer MAB database:
Jul/22/2013 11:22:46 [ radproxy.c][ 791]: Radius is invalid for client 0011430a63aa! EAP is set to FAILED
Jul/22/2013 11:22:46 [ radproxy.c][ 8489]: Client[000015f4] 0011430a63aa, Status Received(HI:UNAVAILABLE, EAP:FAILED, PRO:UNAVAILABLE), UID is UNKNOWN, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), CLOSE_PORT on switch 192.168.9.250.