The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Standalone MAC Authentication Bypass (MAB) is an authentication method that grants network access to specific MAC addresses regardless of 802.1X capability or credentials. As a result, devices such as cash registers, fax machines, and printers can be readily authenticated, and network features that are based on authorization policies can be made available.
Before standalone MAB support was available, MAB could be configured only as a failover method for 802.1x authentication. Standalone MAB is independent of 802.1x authentication.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
MAC Authentication Bypass (MAB) uses the MAC address of the connecting device to grant or deny network access. To support MAB, the RADIUS authentication server maintains a database of MAC addresses for devices that require access to the network. MAB generates a RADIUS request with a MAC address in the Calling-Station-Id (attribute 31) and with a Service-Type (attribute 6) 10. After a successful authentication, the Auth Manager enables various authorization features specified by the authorization policy, such as ACL assignment and VLAN assignment.
Ports enabled with the Standalone MAB feature can use the MAC address of connecting devices to grant or deny network access. Perform the steps described in this section to enable standalone MAB on individual ports.
Before you can configure standalone MAB, the device must be connected to a Cisco Secure ACS server and RADIUS authentication, authorization, and accounting (AAA) must be configured.
Note |
Standalone MAB can be configured on devices with switched ports only; it cannot be configured on devices with routed ports. |
Note |
If you are unsure whether MAB or MAB Extensible Authentication Protocol (EAP) is enabled or disabled on the switched port, use the default mabor default mab eap commands in interface configuration mode to configure MAB or MAB EAP. |
1. enable
2. configure terminal
3. interface type slot / port
4. switchport
5. switchport mode access
6. authentication port-control auto
7. mab
8. end
The following commands can help troubleshoot standalone MAB:
The following example shows how to configure standalone MAB on a port. In this example, the client is reauthenticated every 1200 seconds and the connection is dropped after 600 seconds of inactivity.
Device> enable Device# configure terminal Device(config)# interface GigabitEthernet2/1 Device(config-if)# switchport Device(config-if)# switchport mode access Device(config-if)# switchport access vlan 2 Device(config-if)# authentication port-control auto Device(config-if)# mab Device(config-if)# authentication violation shutdown Device(config-if)# authentication timer restart 30 Device(config-if)# authentication periodic Device(config-if)# authentication timer reauthenticate 1200 Device(config-if)# authentication timer inactivity 600
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Authentication commands |
Cisco IOS Security Command Reference |
IEEE 802.1x—Flexible Authentication |
Securing User Services Configuration Library |
MIB |
MIBs Link |
---|---|
|
To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFC |
Title |
---|---|
RFC 3580 |
IEEE 802.1x Remote Authentication Dial In User Service (RADIUS) |
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Standalone MAB Support |
Cisco IOS XE Release 3.2SE |
This feature grants network access to devices based on MAC address regardless of 802.1x capability or credentials. The following commands were introduced or modified: authentication periodic, authentication port-control, authentication timer inactivity, authentication timer reauthenticate, authentication timer restart, authentication violation, debug authentication, mab, show authentication interface, show authentication registrations, show authentication sessions, and show mab. |