MAB: Mac Authentication Bypass on 802.1x

Dot1x is an authentication protocol that automatically configures the right VLAN on the port. However, there are many scenarios in which a simple user ID/password based authentication will not work because of limitations on the end device: for example, end devices that don't support 802.1x at all, or an IP phone sitting between the switch port and the end device. In these instances, your last resort is to use the MAC address of the end device to perform MAC authentication bypass, or MAB authentication, against the NPS.

The goal is a configuration that is standard for all ports but still authorises the end device and assigns the right VLAN based on that device, should the device be unable to take part in the 802.1x (EAP) authentication process.

Mac Authentication Bypass:

One way to achieve this is via MAC Authentication Bypass, or MAB. With MAB, the switch sends the MAC address to the NPS for authentication instead of a user ID and password, and a VLAN is assigned based on that. We can simply configure the authentication order to perform MAB first, before falling back to user ID/password authentication using the EAP protocol.

This way, if you have a device such as a printer that can't perform 802.1x authentication, the switch simply listens for its MAC address and passes it to the NPS, which authorises the MAC address and returns the VLAN you intend the printer to be part of.

The best thing about a MAB-based 802.1x deployment is that a normal end device that intends to authenticate with 802.1x EAP simply sends EAP packets. MAC-based authentication fails for it (no policy exists for its MAC address on the NPS), so the switch moves on to 802.1x and authenticates the device with the end user's user ID and password, which are verified against the existing user database in Active Directory.

IP Phones:

Deploying IP phones can be slightly tricky. For IP phones, we have to allow multi-auth with the authentication host-mode multi-auth command on the switch port (on a Cisco switch), in addition to MAB and the authentication order, so that the port understands that more than one device is to be authenticated on it.

Since every phone should have a MAC entry registered on the NPS, which is checked first, the phone gets verified on the voice VLAN when it is plugged in, and the end device behind it gets verified with the user ID/password credentials supplied over EAP if it supports 802.1x. If it doesn't, then it too is subject to MAC-based authentication first; if its MAC address is found registered on the NPS, it is assigned a VLAN based on that policy and no EAP-based authentication takes place.

However, if you use the authentication host-mode multi-host configuration, then the switch port simply gets the VLAN assigned to the first authorised device, whether that was authenticated via MAB or EAP. That VLAN is then given to every device that connects to the port through the IP phone or a layer 2 switch.

Standard 802.1x port config:

To simplify dot1x configuration in your deployment, you can apply the following config to all switch ports. This configuration, in my opinion, takes care of all three scenarios discussed above:
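As an added illustration, not the author's own config from the original post, the following Cisco IOS snippet shows the port template the text describes (MAB first, 802.1x fallback, multi-auth for a phone plus PC); the interface name, VLAN numbers, NPS address and shared secret are assumed placeholders.

```cisco
! --- Global AAA / RADIUS setup (assumed NPS address and secret) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius server NPS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
! --- Standard access-port template (assumed interface and VLANs) ---
interface GigabitEthernet1/0/1
 switchport mode access
 ! Default data VLAN; the NPS can override it per device
 switchport access vlan 10
 ! Voice VLAN handed to the IP phone once its MAC is authorised
 switchport voice vlan 20
 ! multi-auth: every MAC on the port (phone, PC behind it) is
 ! authenticated separately and gets its own VLAN. multi-host would
 ! apply the first device's VLAN to everything behind the phone.
 authentication host-mode multi-auth
 ! Try MAB first (MAC as username, Service-Type Call-Check), then EAP
 authentication order mab dot1x
 ! If an EAPoL frame arrives after MAB already authorised the port,
 ! let 802.1x take over for that device
 authentication priority dot1x mab
 ! On an Access-Reject for MAB, move on to the next method (dot1x)
 authentication event fail action next-method
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! Shorter EAP request interval so a non-802.1x device is not left
 ! waiting long before MAB/fallback decisions settle
 dot1x timeout tx-period 10
 spanning-tree portfast
```

On the NPS side this relies on a connection request/network policy that matches the MAB username (the MAC address) against the registered MAC entries and returns the tunnel VLAN attributes; devices without such an entry are rejected and fall through to EAP.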


Troubleshooting:

When troubleshooting MAB, look for Access-Accept or Access-Reject together with the authorisation logs, as these show what the NPS is answering to the authentication request. For EAP-based end user devices, you will be able to locate AUTH_Success easily.

In the logs below, a44c.c8cb.3d60 is authenticated using EAP, whereas 6416.7f17.c707 is authenticated using MAB.
To enable dot1x debugging, enter the command debug dot1x all in privileged EXEC mode.


Assigned vlan output:


Got questions? Leave a comment! Let’s chat.

Rafay Rasool is a Network Specialist with over 8 years of experience designing, configuring and implementing core network solutions based predominantly, but not limited to, Juniper routers, switches and firewalls, along with other vendors such as Cisco, Huawei, Siemens, Aerohive, Ringmaster, Pulse, etc., for Internet Service Provider and Enterprise networks.

Rafay is an avid supporter of network automation and likes to code and automate networking solutions.