Using MAB (MAC Authentication Bypass) with the Symantec LAN Enforcer appliance

Article:TECH91734  |  Created: 2009-01-09  |  Updated: 2013-07-22  |  Article URL http://www.symantec.com/docs/TECH91734
Article Type
Technical Solution


Issue



Using MAC Authentication Bypass (MAB) with the Symantec LAN Enforcer appliance and Symantec Network Access Control (SNAC).

 


Solution



About the MAC Address Authentication Bypass feature

The Media Access Control (MAC) Address Authentication Bypass (MAB) feature allows you to authenticate unmanaged devices, such as printers, by MAC address in 802.1x-enabled environments. When the LAN Enforcer receives a MAB request from the switch, it attempts to validate that MAC address against its local address database, then against the LDAP server, then against the RADIUS server, in that order. Keep in mind that a MAC address is asserted by the device and can be spoofed, so MAB gives weaker assurance than an 802.1x credential and should be limited to devices that cannot run a supplicant.

How the LAN Enforcer works for MAC address authentication

1. The Enforcer checks the model of the requesting switch. If MAB is not supported for that model, the Enforcer stops processing the request. Currently supported switch vendors include Cisco, HP, Foundry, and Extreme.

2. The Enforcer checks the user name inside the request. Different switches use different formats for the user name, so the Enforcer matches the user name according to the format documented for that switch: some switches send the MAC address without separators (XXXXXXXXXXXX), some use hyphens (XX-XX-XX-XX-XX-XX), and some use the dotted form XXXX.XXXX.XXXX.

3. The Enforcer checks whether the password attribute is correct. Again, different switches use different password methods: Cisco uses MD5, HP uses CHAP, and Foundry uses PAP.

4. If all three checks pass, the Enforcer treats the request as a valid MAB request.
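The three checks above, modelled in Python as an added example; this is not Symantec's LAN Enforcer code. RADIUS attribute values are passed in already parsed (only the EAP-Message is decoded here). The password method per vendor follows the article; the vendor-to-user-name-format mapping, the shared secret, the assumption that a MAB switch sends the MAC address itself as the password, and every sample request are constructed for illustration.

```python
import hashlib
import os
import re
from dataclasses import dataclass
from typing import Optional

# Added illustration, not LAN Enforcer code. Per-vendor profile: (user-name
# format, password method). Methods follow the article; formats are assumed.
PROFILES = {
    "cisco":   ("dotted", "md5"),   # xxxx.xxxx.xxxx, EAP-MD5
    "hp":      ("plain",  "chap"),  # xxxxxxxxxxxx,   CHAP
    "foundry": ("hyphen", "pap"),   # xx-xx-xx-xx-xx-xx, PAP
}
FORMATS = {
    "plain":  re.compile(r"^[0-9a-f]{12}$"),
    "hyphen": re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$"),
    "dotted": re.compile(r"^([0-9a-f]{4}\.){2}[0-9a-f]{4}$"),
}

@dataclass
class Request:
    vendor: str                              # derived from the switch model (check 1)
    user_name: str                           # User-Name attribute (check 2)
    authenticator: bytes                     # 16-byte Request Authenticator
    user_password: Optional[bytes] = None    # PAP: hidden User-Password
    chap_password: Optional[bytes] = None    # CHAP: ident || 16-byte digest
    chap_challenge: Optional[bytes] = None   # CHAP-Challenge (else authenticator)
    eap_message: Optional[bytes] = None      # EAP-Response/MD5-Challenge
    eap_challenge: Optional[bytes] = None    # challenge we sent in the EAP-Request

def canonical_mac(user_name: str, fmt: str) -> Optional[str]:
    """Check 2: User-Name must be a MAC in the switch's format; return 12 hex digits."""
    name = user_name.lower()
    return re.sub(r"[-.]", "", name) if FORMATS[fmt].match(name) else None

def pap_hide(plain: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: c_i = p_i XOR MD5(S || c_(i-1)), c_0 = RA."""
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(plain[i:i + 16], key))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; the NAS shared secret is needed to recover the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_ok(chap_password: bytes, challenge: bytes, password: bytes) -> bool:
    """RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge)."""
    ident, digest = chap_password[:1], chap_password[1:]
    return hashlib.md5(ident + password + challenge).digest() == digest

def eap_md5_ok(eap: bytes, challenge: bytes, password: bytes) -> bool:
    """RFC 3748 5.4: EAP code 2 (Response), type 4 (MD5-Challenge); value = MD5(id||pw||challenge)."""
    if len(eap) < 6 or eap[0] != 2 or eap[4] != 4:
        return False
    ident, size = eap[1:2], eap[5]
    return hashlib.md5(ident + password + challenge).digest() == eap[6:6 + size]

def validate_mab(req: Request, secret: bytes) -> Optional[str]:
    """Run checks 1-3; return the canonical MAC for a valid MAB request, else None."""
    profile = PROFILES.get(req.vendor)
    if profile is None:                              # check 1: unsupported switch model
        return None
    fmt, method = profile
    mac = canonical_mac(req.user_name, fmt)          # check 2: user-name format
    if mac is None:
        return None
    pw = req.user_name.encode()                      # assumption: the switch uses the MAC as password
    if method == "pap":                              # check 3: password attribute, per vendor
        ok = req.user_password is not None and pap_reveal(req.user_password, secret, req.authenticator) == pw
    elif method == "chap":
        ok = req.chap_password is not None and chap_ok(req.chap_password, req.chap_challenge or req.authenticator, pw)
    else:
        ok = req.eap_message is not None and req.eap_challenge is not None and eap_md5_ok(req.eap_message, req.eap_challenge, pw)
    return mac if ok else None

def demo(secret: bytes = b"constructed-secret") -> dict:
    """Constructed sample requests: one valid request per password method, plus two rejects."""
    ra, chal = os.urandom(16), os.urandom(16)
    mac = "00-1b-63-84-45-e6"
    foundry = Request("foundry", mac, ra, user_password=pap_hide(mac.encode(), secret, ra))
    hp_name = mac.replace("-", "")
    hp = Request("hp", hp_name, ra, chap_challenge=chal,
                 chap_password=b"\x07" + hashlib.md5(b"\x07" + hp_name.encode() + chal).digest())
    cisco_name = "001b.6384.45e6"
    eap = bytes([2, 2, 0, 22, 4, 16]) + hashlib.md5(b"\x02" + cisco_name.encode() + chal).digest()
    cisco = Request("cisco", cisco_name, ra, eap_message=eap, eap_challenge=chal)
    bad_fmt = Request("cisco", mac, ra, eap_message=eap, eap_challenge=chal)     # hyphens on a dotted vendor
    unknown = Request("unknown", mac, ra, user_password=pap_hide(mac.encode(), secret, ra))
    cases = [("foundry", foundry), ("hp", hp), ("cisco", cisco), ("bad_fmt", bad_fmt), ("unknown", unknown)]
    return {name: validate_mab(r, secret) for name, r in cases}
```

The PAP branch shows why the Enforcer must hold the switch's RADIUS shared secret: without it the User-Password attribute cannot be unhidden, so a request from an unknown NAS fails check 3 even when the user name looks like a valid MAC.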



MAB commands


The MAB commands enable you to implement MAB with a LAN Enforcer appliance on the following 802.1x-aware switches:

  • Cisco Catalyst Switch 3550 Series
  • Extreme Networks
  • Hewlett-Packard ProCurve Switch 2600 Series
  • Foundry Networks
  • 3COM


When a LAN Enforcer appliance receives a MAB request, it looks up the address in the local MAB database first. If the entry is found in the local MAB database, the LAN Enforcer appliance authenticates the client according to the 802.1x-aware switch model that sent the request. If the entry cannot be found in the local MAB database, the LAN Enforcer appliance then tries to connect to any available LDAP server. If no LDAP server is available, or the client's MAC address is not present in the LDAP directory, the LAN Enforcer appliance then tries to connect to any available RADIUS server. After the LAN Enforcer appliance has the authentication result, it returns an accept or reject to the requesting switch and completes the authentication session.
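The lookup order described above, as an added Python example that is not the appliance's code: a local hit is accepted without consulting the other backends, an unavailable LDAP or RADIUS server falls through rather than producing a reject, and a MAC that no backend vouches for is rejected. The backend callables and the sample MAC addresses are constructed stand-ins for the real servers.

```python
from typing import Callable, Set, Tuple

# Added example, not LAN Enforcer code.
class BackendUnavailable(Exception):
    """Raised by a lookup when its server cannot be reached (down, timeout)."""

def resolve_mab(mac: str, local_db: Set[str], ldap_has: Callable[[str], bool],
                radius_auth: Callable[[str], bool]) -> Tuple[bool, str]:
    """Return (accept, source) for a canonical 12-hex-digit MAC.
    Order: local MAB database, then LDAP, then RADIUS. LDAP is a membership lookup
    (found -> accept, else fall through); only RADIUS returns an explicit accept/reject."""
    if mac in local_db:
        return True, "local"
    try:
        if ldap_has(mac):
            return True, "ldap"
    except BackendUnavailable:
        pass                                   # LDAP down: fall through to RADIUS
    try:
        return radius_auth(mac), "radius"
    except BackendUnavailable:
        return False, "none"                   # no backend could vouch for the MAC: reject

# Constructed backends standing in for the real LDAP and RADIUS servers.
def make_ldap(entries: Set[str], available: bool = True) -> Callable[[str], bool]:
    def lookup(mac: str) -> bool:
        if not available:
            raise BackendUnavailable("ldap")
        return mac in entries
    return lookup

def make_radius(accept: Set[str], available: bool = True) -> Callable[[str], bool]:
    def auth(mac: str) -> bool:
        if not available:
            raise BackendUnavailable("radius")
        return mac in accept
    return auth

def demo() -> dict:
    """Constructed cases covering each branch of the lookup chain."""
    local = {"001b638445e6"}
    ldap_entries, radius_ok = {"0050b6aa0001"}, {"0050b6aa0002"}
    cases = {
        "local_hit": (make_ldap(ldap_entries), make_radius(radius_ok), "001b638445e6"),
        "ldap_hit":  (make_ldap(ldap_entries), make_radius(radius_ok), "0050b6aa0001"),
        "ldap_down": (make_ldap(ldap_entries, False), make_radius(radius_ok), "0050b6aa0002"),
        "ldap_miss": (make_ldap(ldap_entries), make_radius(radius_ok), "0050b6aa0002"),
        "unknown":   (make_ldap(ldap_entries), make_radius(radius_ok), "0050b6aa00ff"),
        "all_down":  (make_ldap(ldap_entries, False), make_radius(radius_ok, False), "0050b6aa0001"),
    }
    return {name: resolve_mab(mac, local, ldap, radius) for name, (ldap, radius, mac) in cases.items()}
```

Note the operational consequence of the order: an entry in the local MAB database is accepted even if the same MAC would be rejected by RADIUS, so stale local entries must be removed explicitly when a device is decommissioned.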

MAB disable command

The mab disable command disables MAB on a LAN Enforcer appliance.
The mab disable command uses the following syntax (LAN Enforcer appliance only):

mab disable

The following example shows how to disable MAB on a LAN Enforcer appliance:

Enforcer# mab
Enforcer(mab)# disable

Note: In Symantec Network Access Control 12.1, MAB is also configurable from the user interface. Under LAN Enforcer Settings, Advanced, select MAC Authentication Bypass, and uncheck Enable.

MAB enable command

The mab enable command enables MAB on a LAN Enforcer appliance.
The mab enable command uses the following syntax (LAN Enforcer appliance only):

mab enable

The following example shows how to enable MAB on a LAN Enforcer appliance:

Enforcer# mab
Enforcer(mab)# enable

Note: In Symantec Network Access Control 12.1, MAB is also configurable from the user interface. Under LAN Enforcer Settings, Advanced, select MAC Authentication Bypass, and check Enable.

MAB LDAP commands


The mab ldap commands establish communication between a LAN Enforcer appliance and an LDAP server. After you establish communication between these two devices, you can enable the MAB LDAP lookup so that clients whose MAC addresses are not in the local MAB database on the LAN Enforcer appliance are authenticated against the entries on the LDAP server.

MAB LDAP disable command

The mab ldap disable command turns off the MAB LDAP lookup, so the LAN Enforcer appliance no longer queries the LDAP server for MAC addresses.

The mab ldap disable command uses the following syntax (LAN Enforcer appliance only):

mab ldap disable

The following example shows how to disable the MAB LDAP lookup:

Enforcer# mab
Enforcer(mab)# ldap disable

MAB LDAP enable command

The mab ldap enable command turns on the MAB LDAP lookup, so the LAN Enforcer appliance queries the LDAP server for MAC addresses that are not in its local MAB database.

The mab ldap enable command uses the following syntax (LAN Enforcer appliance only):

mab ldap enable

The following example shows how to enable the MAB LDAP lookup:

Enforcer# mab
Enforcer(mab)# ldap enable

MAB LDAP host command

The mab ldap host command specifies the host name of the LDAP server if you plan to authenticate clients by using MAB against an LDAP server.

The mab ldap host command uses the following syntax (LAN Enforcer appliance only):

mab ldap host string

where:
string represents the host name of the designated LDAP server with which the LAN Enforcer appliance must establish a connection.

The following example shows how to specify the host name of an LDAP server:

Enforcer# mab
Enforcer(mab)# ldap host www.symantec.com

MAB LDAP password command

The mab ldap password command specifies the password that the LAN Enforcer appliance uses to connect to the LDAP server if you plan to authenticate clients by using MAB against an LDAP server.

The mab ldap password command uses the following syntax (LAN Enforcer appliance only):

mab ldap password string

where:
string represents the password that enables the LAN Enforcer appliance to connect to the designated LDAP server.

The following example shows how to specify the password for an LDAP server:

Enforcer# mab
Enforcer(mab)# ldap password symantec

MAB LDAP port command

The mab ldap port command specifies the TCP port on which the LDAP server listens if you plan to authenticate clients by using MAB against an LDAP server.

The mab ldap port command uses the following syntax (LAN Enforcer appliance only):

mab ldap port number

where:
number represents the port of the designated LDAP server.

For reference, the complete usage of the ldap subcommand is:

ldap enable | disable | host <hostname> | password <string> | port <number>

where:

  • disable Disable the Enforcer MAB LDAP lookup feature
  • enable Enable the Enforcer MAB LDAP lookup feature
  • host Configure the host of the LDAP server
  • password Configure the key to access the LDAP server
  • port Configure the port of the LDAP server


The following example shows how to specify the port number of an LDAP server:

Enforcer# mab
Enforcer(mab)# ldap port 45298

MAB show command

The mab show command displays the following information:

  • Whether MAC authentication bypass is enabled or disabled.
  • Whether the MAB LDAP lookup on the LDAP server is enabled or disabled.
  • Host name of the LDAP server
  • Port number of the LDAP server
  • Password for the LDAP server (shown in clear text)


The mab show command uses the following syntax:

show [ldap]

where:
ldap Show only the LDAP server configuration

Enforcer(mab)# show
MAC Address Bypass: Disable
MAC LDAP lookup: Disable
LDAP server host: www.symantec.com
LDAP server port: 1283
LDAP server password: symantec

Note: Because mab show prints the LDAP password in clear text, restrict console access to the appliance and use an LDAP account with read-only rights for the MAC lookup.

 




Legacy ID



2009010912470048

