MAC Authentication Bypass (MAB) is a method of network access authorization used for endpoints that cannot or are not configured to use 802.1x authentication. MAB uses the hardware address (MAC address) of the device connecting to the network to authenticate onto the network.
This hardware-based authentication happens when a device connects to a Network Access Device (NAD) either wired or wirelessly – i.e., a switch, wireless access point, or VPN concentrator. In this article I will be assuming that the NAD being used is a switch.
Packets that are sent before MAB occurs and packets that are used to learn the MAC address are dropped by the switch. Almost any packet can be used for MAB, but there are specific types of packets that cannot be used. These include LLDP, spanning tree, and DTP packets.
Once the switch learns the MAC address of the device attempting to connect to the network, the switch builds a RADIUS Access-Request packet using the MAC address of the device as the User Name and Calling-Station-ID.
ISE then uses the MAC address from this RADIUS Access-Request packet to query its endpoint identity database for a match. If a match is found, ISE returns an Access-Accept authorization to the switch and the device is allowed onto the network with a specific VLAN ID tag as configured by the ISE endpoint identity profile.
If there is no matching endpoint identity in ISE, then the device is authentication session is put into an Unauth state and packets from that device are dropped by the NAD.
In order for MAB to function, the switch must be configured to use the ISE server(s) for RADIUS authentications. This configuration is outside of the scope of this article, and it is assumed that this configuration has already taken place.
If issues are discovered with all MAB authentication on a specific switch, it may be best to troubleshoot the RADIUS configuration before troubleshooting MAB.
MAB Host Mode Options
There are four host mode options which can be used by MAB:
Single-Host Mode: MAB configured in single-host mode will allow only a single device to be allowed onto the network at a time. If multiple devices are detected on the switchport, the switch will put the switchport into an err-disabled state.
Multidomain Authentication Host Mode: This host mode was created specifically for IP telephony. Multidomain authentication allows one device to connect to each of the two switchport domains – one device can connect to the DATA domain, and one device can connect to the VOICE domain.
Multi-Authentication Host Mode: Multiple hosts are individually authenticated onto the network. This host mode is used when there are multiple devices connecting to a single shared switchport through a hub or bridge such as an unmanaged switch. Authorized devices are allowed onto the network as normal; packets from unauthorized devices are dropped and the switchport remains in the connected state. This allows each device to be granted a specific VLAN ID according to its endpoint identity profile configured in ISE.
Multihost Mode: The first device to the network will be submitted to ISE for authentication. If that device is authenticated, then the switchport will allow multiple other devices to access the network without requiring separate authentication of each device. All connected devices will share the VLAN ID of the authenticated device.
Typical Interface Configuration
The standard interface configuration for deployments is as follows:
authorization order dot1x mab
authorization host-mode multi-auth
authorization port-control auto
Broken down, each of these commands accomplish the following:
mab: This command enables MAB on the interface.
authorization order mab: Establishes the order of authentication types to use. Because MAB is typically used as a failover from 802.1x authentication, it is listed second.
authorization host-mode multi-auth: Specifies that MAB should use the multi-authentication host mode which allows multiple devices to authenticate onto the network each with its own VLAN ID.
authentication port-control auto: Turns on authentication for the switchport.
Verify MAB status of an interface from the command line:
show interface status | include [xyz]: Confirm that the interface shows as connected.
show interface status err-disabled: If the interface shows err-disabled, this command will display the reason the interface is disabled. This could be caused by issues such as single-host mode MAB with multiple devices connected or bpduguard.
show run interface [xyz]: View the interface configuration to ensure that the MAB commands are in place and complete.
show mac address-table interface [xyz]: Verify that the switchport has learned a MAC address for the device. Note: if the connected device has an Unauth session, you may not see a MAC address with this command.
show authentication sessions interface [xyz]: View the current authorization table for an interface. This will display all MAC address learned by the interface as well as an Auth/Unauth status for each.
show device tracking database interface [xyz]: This command (specific to newer IOS versions) will display the MAC address and IP address of a connected device if device tracking is configured on the interface. Some connection issues can be caused by a mismatch between a device with a static IP configured for a specific VLAN that does not match with the ISE endpoint identity profile. This can also verify for VLANs with DHCP if the device has been unable to negotiate an IP address with its DHCP server by showing an APIPA address (i.e., 169.254.x.x).
show ip device-tracking interface [xyz]: Same command as above, but used for older IOS versions typically found on chassis-based switches.