PDF(74.9 KB) View with Adobe Reader on a variety of devices
ePub(83.9 KB) View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle)(69.8 KB) View on Kindle device or Kindle app on multiple devices
Updated:September 19, 2019
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to implement UCS C-Series with MAB/802.1x authentication on Cisco switches.
One of the access control techniques that Cisco provides is MAC Authentication Bypass (MAB). MAB uses the MAC address of a device in order to determine what kind of network access to provide.
In a network that includes both devices that support and devices that do not support IEEE 802.1X, MAB can be deployed as a fallback, or complementary, mechanism to IEEE 802.1X. If the network does not have any IEEE 802.1X-capable devices, MAB can be deployed as a standalone authentication mechanism.
May 11 16:33:14.311 JST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down May 11 16:33:15.312 JST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down May 11 16:33:17.891 JST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up May 11 16:33:18.891 JST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to up
Sending 5, 100-byte ICMP Echos to 10.141.49.205, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) 3750#do sh access-sess int g1/0/1 details No sessions match supplied criteria.
Debug (debug MAB all command) shows the MAC entry of UCS not learned on the switch, which is required to authenticate with the backend.
3750 (config)# interface GigabitEthernet1/0/37 3750(config-if)#access-session control-direction in
Enter the access-session control-direction in command (previously the authentication control-direction in command) in order to enable the switch to send traffic in egress to the host, but not the other way around. The command is usually used on clients such as printers/devices which do not continually send traffic as a way to initiate communication (also used for Wake on Lan). Essentially a packet is sent from the switch and the client responds. The response will contain the MAC address which is then used for MAB. In the already established setup, the MAC address from the client was not being received.