MAC Authentication Bypass
You can configure the controller to authorize clients based on the client MAC address by using the MAC authentication bypass (MAB) feature.
When MAB is enabled, the controller uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client, the controller waits for a packet from the client. The controller then sends the authentication server a RADIUS Access-Request with a username and password derived from the MAC address. If authorization succeeds, the controller grants the client access to the network. If authorization fails, the controller assigns the port to the guest WLAN, if one is configured.
Clients that were authorized with MAC authentication bypass can be re-authenticated. The re-authentication process is the same as that for clients that were authenticated. During re-authentication, the port remains in the previously assigned WLAN. If re-authentication is successful, the controller keeps the port in the same WLAN. If re-authentication fails, the controller assigns the port to the guest WLAN, if one is configured.
MAB Configuration Guidelines
MAB configuration guidelines are the same as the 802.1x authentication guidelines.
When MAB is disabled from a port after the port has been authorized with its MAC address, the port state is not affected.
If the port is in the unauthorized state and the client MAC address is not in the authentication-server database, the port remains in the unauthorized state. However, if the client MAC address is added to the database, the controller can use MAC authentication bypass to re-authorize the port.
If the port is in the authorized state, the port remains in this state until re-authorization occurs.
You can configure a timeout period for hosts that are connected by MAB but are inactive. The valid range is from 1 to 65535 seconds.
If wlan-profile-name is configured for a user, guest user authentication is allowed only from that WLAN.
If wlan-profile-name is not configured for a user, guest user authentication is allowed on any WLAN.
The AP fails to join the controller due to an authentication rejection on the RADIUS server. The failure occurs on the Cisco Catalyst 9800 controller only when the RADIUS server is configured to authenticate the APs with the MAB-as-endpoints method. The reason is that the RADIUS Calling-Station-Id attribute is required for MAB authentication and is not present in the Access-Request packet during the AP join. The workaround is to use a different AP authentication method than MAB as endpoints, such as PAP-ASCII with a username and a password.
If you want the client to connect to SSID1, but not to SSID2 using mac-filtering, ensure that you configure aaa-override in the policy profile.
In the following example, when a client with MAC address 1122.3344.0001 tries to connect to a WLAN, the request is sent to the local RADIUS server, which checks for the client MAC address in its attribute lists (FILTER_1 and FILTER_2). If the client MAC address is listed in an attribute list (FILTER_1), the client is allowed to join the WLAN (WLAN_1) that is returned as the ssid attribute from the RADIUS server. If the client MAC address is not listed in any attribute list, the client is rejected.
Local RADIUS Server Configuration
!Configures an attribute list as FILTER_2
aaa attribute list FILTER_2
 !Defines an attribute type that is to be added to an attribute list.
 attribute type ssid "WLAN_2"
!Username with the MAC address is added to the filter
username 1122.3344.0002 mac aaa attribute list FILTER_2
!
aaa attribute list FILTER_1
 attribute type ssid "WLAN_1"
username 1122.3344.0001 mac aaa attribute list FILTER_1
! Sets authorization to the local radius server
aaa authorization network MLIST_MACFILTER local
!WLAN with the SSID WLAN_1 is created and MAC filtering is set along with security parameters.
wlan WLAN_1 1 WLAN_1
 mac-filtering MLIST_MACFILTER
 no security wpa
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security web-auth
 security web-auth authentication-list WEBAUTH
!A WLAN with the SSID WLAN_2 is created and MAC filtering is set along with security parameters.
wlan WLAN_2 2 WLAN_2
 mac-filtering MLIST_MACFILTER
 no security wpa
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
! Policy profile to be associated with the above WLANs
wireless profile policy MAC_FILTER_POLICY
 aaa-override
 vlan 504
 no shutdown
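The following is an added illustration, not Cisco code: a constructed Python model of the MAB flow described above, using the FILTER_1/FILTER_2 example. It shows the Access-Request the controller builds from the MAC, the local RADIUS lookup (including the reject when Calling-Station-Id is missing), and the aaa-override check that the returned ssid matches the WLAN the client asked for; the dictionary layout, the result strings and the cisco_mac normalization helper are assumptions.

```python
import re

# Constructed lookup table mirroring the page's attribute lists:
# MAC (dotted Cisco form) -> (attribute list name, ssid attribute the server returns).
LOCAL_RADIUS_DB = {
    "1122.3344.0001": ("FILTER_1", "WLAN_1"),
    "1122.3344.0002": ("FILTER_2", "WLAN_2"),
}

def cisco_mac(mac):
    """Normalize colon, dash or dotted MAC notation to the form used in the config (1122.3344.0001)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))

def build_access_request(client_mac, wlan):
    """Controller side: username and password are derived from the MAC; Calling-Station-Id carries it too."""
    mac = cisco_mac(client_mac)
    return {"User-Name": mac, "User-Password": mac, "Calling-Station-Id": mac, "requested_wlan": wlan}

def local_radius_authorize(request):
    """Server side: MAB requires Calling-Station-Id, then the MAC is looked up in the attribute lists."""
    if "Calling-Station-Id" not in request:
        return ("Access-Reject", "missing Calling-Station-Id")  # the AP-join failure described above
    entry = LOCAL_RADIUS_DB.get(cisco_mac(request["Calling-Station-Id"]))
    if entry is None:
        return ("Access-Reject", "MAC not in any attribute list")
    _list_name, ssid = entry
    return ("Access-Accept", {"ssid": ssid})

def controller_decision(request, response):
    """With aaa-override in the policy profile, the returned ssid must match the WLAN the client joined."""
    code, detail = response
    if code != "Access-Accept":
        return ("rejected", detail)
    if detail["ssid"] != request["requested_wlan"]:
        return ("rejected", f"ssid {detail['ssid']} does not match {request['requested_wlan']}")
    return ("joined", request["requested_wlan"])

def mab_join(client_mac, wlan, omit_calling_station_id=False):
    """End-to-end: build the request, let the local server authorize it, apply the controller's check."""
    request = build_access_request(client_mac, wlan)
    if omit_calling_station_id:
        del request["Calling-Station-Id"]  # reproduces the AP-join case from the guidelines
    return controller_decision(request, local_radius_authorize(request))
```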