Cisco MAB (MAC Authentication Bypass)

_____________________________________________________________________________
Scenario:

The network has approximately 500 nodes in a large single building, spread across several floors. This campus network consists of a pair of Cisco Catalyst 6509 switches for the Layer 3 core with about 30 vlans, and approximately 35 campus Layer 2 switches, mostly Cisco Catalyst 4006. All vlans are trunked from the core.

No private WiFi, roaming notebooks, or other devices need wired access to private vlans.

Certain (not all) 4006 switch ports are connected to conference rooms or other strategic areas throughout the building. These ports use the automated vlan assignment functionality of Cisco Secure URT (User Registration Tool). This allows users to connect to their own LAN from strategic locations in the campus network, where these URT ports are activated.

The functionality the customer requires is…

  1. Needed in a hurry (see the paragraph below)
  2. Transparent (no user interaction), wired, automated vlan assignment from strategic locations throughout the campus network.
  3. The client is not concerned with implementing 802.1x type security, and cannot confirm conformity of all roaming end nodes with the protocol.
  4. 802.1x, if necessary, can always be added later when time, resources, and node conformity are available.

Another group had a project under way to upgrade the 4006 switches to either Cisco Catalyst 4506 or 4510 models. This project came to a screeching halt because the EOL (end of life) Cisco Secure URT is no longer compatible with the newer Catalyst 4506 – 4510 switches.

Never fear, Cloudius Maximus is here!!!

  • Cisco Secure URT EOL documentation states the appropriate solution to URT replacement is Cisco MAB and/or 802.1x.
  • For speed, node conformity, and client requirements we have decided on a Standalone MAB solution, with an 802.1x option later if the client requests it.


_____________________________________________________________________________
Requirements:

  1. Cisco Secure ACS (radius) server minimum v3.2
    1. We chose ACS v4.2, Windows-based, virtualized on the Cisco UCS platform for easy recovery.
  2. List of switches that are URT enabled – to become MAB enabled.
    1. The switch must have a RADIUS configuration and be able to connect to a Cisco secure access control server (ACS).
      1. Catalyst 4500 IOS version for MAB enabled switches.
  3. List of switchports that are URT enabled – to become MAB enabled.
  4. List of MAC addresses already assigned in URT.


_____________________________________________________________________________
Process:

  1. Determined to run both URT and MAB in the same environment, because not all affected switches will be replaced at the same time.
  2. Collected MAC and Vlan assignments from URT xml file. This file is located on the URT Administration server.
  3. Gathered URT configured switches and switchports to determine which to prep for MAB.
    1. On CatOS the commands to look for are:
      1. set port membership 4/37-39,4/41 dynamic     !where 4/37-39 is a port range, and 4/41 is an individual port
      2. set vmps server 10.1.1.1 primary     !this points to primary URT server
      3. set vmps server 10.1.1.2     !this points to secondary URT server
    2. Yet To Do: Prep the new switches with the correct port and vlan assignments from URT for MAB. Will be done on an “As Switch Is Replaced” basis.
  4. Installed a Cisco ACS v4.2 server on a virtual Windows Server 2003.
    1. Yet To Do: Install the collected MAC addresses into the radius server on Cisco ACS.
  5. For implementation burn-in before going into production, have the switch replacement team prepare a switch with the appropriate IOS and connect it into a network with communication to the prepared Cisco ACS (radius) server. (waiting for this step)
  6. Have a computer or other node connected to this pre-production network for vlan reassignment testing.
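As an added example (not from the original post or from Cisco), the following script covers steps 2, 3 and the "Yet To Do" prep: it expands the CatOS "set port membership ... dynamic" lines into individual ports, emits a MAB-only IOS port configuration for the replacement Catalyst 4500, and normalizes the URT MAC/vlan pairs into the 12-hex username form the switch sends in the RADIUS request. The URT XML layout, the sample config, and the GigabitEthernet interface prefix are assumptions; the real export format and line-card naming must be checked against your own files and switches.

```python
import re
import xml.etree.ElementTree as ET

# Constructed CatOS fragment in the form step 3 looks for on a URT-enabled switch.
CATOS_CONFIG = """
set port membership 4/37-39,4/41 dynamic
set vmps server 10.1.1.1 primary
set vmps server 10.1.1.2
"""

# Constructed sample in an ASSUMED layout; the real URT export format is not shown here.
URT_XML = """<urt>
  <host mac="00-11-22-33-44-AA" vlan="110"/>
  <host mac="00:11:22:33:44:bb" vlan="120"/>
</urt>"""

def dynamic_ports(catos_text):
    """Expand every 'set port membership <list> dynamic' line into (module, port) pairs."""
    ports = []
    for m in re.finditer(r"^set port membership (\S+) dynamic", catos_text, re.M):
        for item in m.group(1).split(","):
            mod, rng = item.split("/")
            lo, _, hi = rng.partition("-")
            for p in range(int(lo), int(hi or lo) + 1):
                ports.append((int(mod), p))
    return ports

def mab_port_config(mod, port, prefix="GigabitEthernet"):
    """MAB-only IOS port config for the replacement switch (no 802.1x; prefix is assumed)."""
    return [
        f"interface {prefix}{mod}/{port}",
        " switchport mode access",
        " authentication port-control auto",  # port opens only after RADIUS accepts the MAC
        " mab",  # dot1x is not enabled on the port, so no 802.1x timeout delays DHCP
    ]

def mab_identities(urt_xml):
    """Map each URT MAC, normalized to lowercase 12-hex with no separators, to its vlan."""
    ids = {}
    for host in ET.fromstring(urt_xml).iter("host"):
        mac = re.sub(r"[^0-9a-f]", "", host.get("mac").lower())
        ids[mac] = host.get("vlan")
    return ids

if __name__ == "__main__":
    for mod, port in dynamic_ports(CATOS_CONFIG):
        print("\n".join(mab_port_config(mod, port)))
    print(mab_identities(URT_XML))
```

The MAC/vlan table is what gets loaded into ACS as agentless host entries; the vlan is then returned to the switch by RADIUS per MAC, not fixed per port, which is why every MAB port gets the same interface config.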


_____________________________________________________________________________
Testing:

To cover the customer's requirements we tested the following.

  1. DHCP vs. MAB timing
    • To make sure DHCP requests do not time out before MAB VLAN reassignment is complete. If this were not the case, the device connected to the MAB port would not get a DHCP assignment.
  2. VLAN Reassignment
    • Make sure VLAN reassignment works on MAB enabled ports per device MAC address.
  3. Same device rapidly moved between different MAB enabled ports.
    • Ensuring the same device can repetitively and rapidly move between MAB enabled ports with no conflicts.
  4. Same MAB enabled port rapidly connected by differing devices.
    • Ensuring the same MAB enabled port can repetitively and rapidly deploy the appropriate VLAN to several different devices.

MAB deployment beginning to end instructions.


_____________________________________________________________________________
References:

  1. Cisco
    1. Configuring MAC Authentication Bypass
    2. Cisco Secure Access Control Server v4.2 Agentless Host Configuration


_____________________________________________________________________________
Errata:

 

