-
Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4T
-
Securing User Services Overview
-
Autosecure
- Authentication, Authorization, and Accounting (AAA)
-
Security Server Protocols
-
RADIUS
-
Configuring RADIUS
-
AAA Dead-Server Detection
-
AAA-SERVER-MIB Set Operation
-
ACL Default Direction
-
Attribute Screening for Access Requests
-
Enable Multilink PPP via RADIUS for Preauthentication User
-
Enhanced Test Command
-
Framed-Route in RADIUS Accounting
-
Offload Server Accounting Enhancement
-
Per VRF AAA
-
RFC-2867 RADIUS Tunnel Accounting
-
RADIUS Attribute Screening
-
RADIUS Centralized Filter Management
-
RADIUS Debug Enhancements
-
RADIUS Logical Line ID
-
RADIUS NAS-IP-Address Attribute Configurability
-
RADIUS Route Download
-
RADIUS Server Load Balancing
-
RADIUS Support of 56-Bit Acct Session-Id
-
RADIUS Tunnel Preference for Load Balancing and Fail-Over
-
RADIUS Server Reorder on Failure
-
Tunnel Authentication via RADIUS on Tunnel Terminator
-
RADIUS Interim Update at Call Connect
-
Define Interface Policy-Map AV Pairs AAA
-
- TACACS+
-
RADIUS
-
RADIUS and TACACS+ Attributes
-
RADIUS Attributes
-
RADIUS Attributes Overview and RADIUS IETF Attributes
-
RADIUS Vendor-Proprietary Attributes
-
Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
-
Connect-Info RADIUS Attribute 77
-
Encrypted Vendor Specific Attributes
-
Local AAA Server
-
Per-User QoS via AAA Policy Name
-
RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
-
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
-
RADIUS Attribute 82: Tunnel Assignment ID
-
RADIUS Attribute 104
-
RADIUS Progress Codes
-
RADIUS Timeout Set During Pre-Authentication
-
RADIUS Tunnel Attribute Extensions
-
V.92 Reporting Using RADIUS Attribute v.92-info
-
RADIUS Attribute 66 (Tunnel-Client-Endpoint) Enhancements
-
- TACACS+ Attributes
-
RADIUS Attributes
- Secure Shell (SSH)
-
Cisco IOS Login Enhancements (Login Block)
-
Cisco IOS Resilient Configuration
-
Image Verification
-
IP Source Tracker
-
Role-Based CLI Access
- User Security Configuration
-
Configuring Kerberos
-
Lawful Intercept Architecture
-
Table Of Contents
Prerequisites for Standalone MAB Support
Information About Standalone MAB Support
Overview of the Cisco IOS Auth Manager
How to Configure Standalone MAB
Enabling Reauthentication on a Port
Specifying the Security Violation Mode
Configuration Examples for Standalone MAB
Standalone MAB Configuration: Example
Feature Information for Standalone MAB Support
Standalone MAB Support
First Published: November 11, 2008Last Updated: October 12, 2009Standalone MAC Authentication Bypass (MAB) is an authentication method that grants network access to specific MAC addresses—regardless of 802.1x capability or credentials. As a result, devices such as cash registers, fax machines, and printers can be readily authenticated, and network features that are based on authorization policies can be made available.
Before standalone MAB support was available, MAB could be configured only as a failover method for 802.1x authentication. Standalone MAB is independent of 802.1x authentication.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Standalone MAB Support" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•
Prerequisites for Standalone MAB Support
•
•
•
•
Prerequisites for Standalone MAB Support
IEEE 802.1x—Port-Based Network Access Control
You should understand the concepts of port-based network access control and have an understanding of how to configure port-based network access control on your Cisco platform. See the Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0 for more information.
RADIUS and ACLs
You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs). For more information, see the documentation for your Cisco platform and the Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0.
The switch must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS). For more information, see the User Guide for Secure ACS Appliance 3.2.
Information About Standalone MAB Support
To set up standalone MAB, you should understand the following concepts:
•
Overview of the Cisco IOS Auth Manager
The capabilities of devices connecting to a given network can be different, thus requiring that the network support different authentication methods and authorization policies. The Cisco IOS Auth Manager handles network authentication requests and enforces authorization policies, regardless of authentication method. The Auth Manager maintains operational data for all port-based network connection attempts, authentications, authorizations, and disconnections and as such, serves as a session manager.
The possible states for Auth Manager sessions are:
•
•
•
•
•
•
•
Standalone MAB
MAB uses the MAC address of the connecting device to grant or deny network access. To support MAB, the RADIUS authentication server maintains a database of MAC addresses for devices that require access to the network. MAB generates a RADIUS request with a MAC address in the Calling-Station-Id (attribute 31) and Service-Type (attribute 6) with value 10. After a successful authentication, the Auth Manager enables various authorization features specified by the authorization policy, such as ACL assignment and VLAN assignment.
How to Configure Standalone MAB
This section contains the following tasks:
•
•
Enabling Standalone MAB
Ports enabled with the Standalone MAB feature can use the MAC address of connecting devices to grant or deny network access. Perform the steps described in this section to enable standalone MAB on individual ports.
Prerequisites
Before you can configure standalone MAB, the switch must be connected to a Cisco Secure ACS server and RADIUS authentication, authorization, and accounting (AAA) must be configured.
Restrictions
Standalone MAB can be configured on switched ports only—it cannot be configured on routed ports.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Troubleshooting Tips
The following commands can help troubleshoot standalone MAB:
•
•
•
•
•
Enabling Reauthentication on a Port
By default, ports are not automatically reauthenticated. You can enable automatic reauthentication and specify how often reauthentication attempts are made.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Specifying the Security Violation Mode
When there is a security violation on a port, the port can be shut down or traffic can be restricted. By default, the port is shut down. You can configure the period of time for which the port is shut down.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Configuration Examples for Standalone MAB
This section contains the following example:
•
Standalone MAB Configuration: Example
The following example shows how to configure standalone MAB on a port. In this example, the client is reauthenticated every 1200 seconds and the connection is dropped after 600 seconds of inactivity.
enableconfigure terminalinterface GigabitEthernet2/1switchportswitchport mode accessswitchport access vlan 2authentication port-control automabauthentication violation shutdownauthentication timer restart 30authentication periodicauthentication timer reauthenticate 1200authentication timer inactivity 600Additional References
The following sections provide references related to the standalone MAB feature.
Related Documents
Authentication commands
Cisco IOS Security Command Reference
IEEE 802.1x - Flexible Authentication
Cisco IOS Security Configuration Guide: Securing User Services, Release 15.0.
Standards
MIBs
RFCs
Technical Assistance
Feature Information for Standalone MAB Support
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Note
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Pulse, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Fast Step, Follow Me Browsing, FormShare, GainMaker, GigaDrive, HomeLink, iLYNX, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0908R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2009 Cisco Systems, Inc. All rights reserved.
