
SNAC 802.1x Mac Authentication Bypass (MAB) with a Cisco Switch and IAS

Created: 12 Sep 2009 • Updated: 24 Sep 2009 | 7 comments

Hello all,

Before we start, as a heads up, this article covers a specific MAB solution only, and you're assumed to know how to set up an 802.1x authentication environment with SNAC and Cisco switches. The basics of 802.1x installation are not the subject of this article. In other words, this article is to be used on an existing, working, wired 802.1x environment.

To begin with, bypassing authentication for a network adapter by its MAC address is needed when you want to completely secure all the UTP cables hanging around by using 802.1x authentication, because devices like printers or IP phones cannot respond to 802.1x requests.

Symantec Network Access Control 6100 Appliances include a built-in MAB feature with a clear and easy configuration; however, I couldn't get it working in spite of all the advanced stuff I've been doing. I didn't want to open a case for this because it's not the best idea to use the LAN Enforcer's local MAC database anyway, since you have to back it up regularly if you do so. There's an LDAP option in the appliance configuration, but I didn't try it either, since this method looks easier to me.

Thus, this article will cover how to create a MAC Authentication Bypass (MAB) using Microsoft IAS as the RADIUS server and a Cisco switch.

1. Particular switch ports should be configured to initiate MAB if there is no 802.1x response
When dot1x is enabled globally on a switch and on a specific switch port, that port will only talk dot1x until the authentication is complete. But there will be times when authentication requests go unanswered. These can be guest clients that don't have 802.1x enabled in their Ethernet configuration, and such clients can be moved to a guest VLAN.

On the other hand, a network printer or an IP phone will not respond to 802.1x because they are not capable of it. And you cannot move them to a guest VLAN, since they have to be accessible from production. To keep these clients in the production VLAN, you need to enable the MAC bypass feature on the Cisco switch (depending on the IOS version).

The command we need is basically "dot1x mac-auth-bypass":

[Image: switch_port_MAB_conf.PNG]

This command makes the port send the authentication request to the configured RADIUS server even when the connected client gives no 802.1x response, once all the timeouts have expired. So it may take some time before the request reaches the RADIUS server (both the NAC appliance acting as a RADIUS proxy and IAS as the domain RADIUS server).

There are a few more commands depending on the IOS version, such as "dot1x max-reauth-req". Just check the options available on your Cisco switch.

2. You need domain users corresponding to the MAC addresses
When MAB is activated, the switch will send an authentication request with the username set to the MAC address of the connected client (such as a network printer). To be able to authenticate these requests, you need to create domain users whose user names are those MAC addresses:

[Image: domain_user_with_mac.PNG]

Now IAS will try to authenticate the user according to its policies, since the user now exists in the domain.

I'd create a new OU for these clients to keep them separated and to prevent any confusion.

3. You need a new policy in IAS
To authenticate these clients with only the MAC address of the client included in the request, you need a dedicated policy for them.
Create a new policy in Microsoft IAS, move it to the top of all policies and then edit the policy to match the configuration below:

The policy conditions will include one Calling-Station-Id attribute for each Ethernet device to be allowed, and its value is the MAC address. So you can keep adding all the necessary MAC addresses to the same policy. This MAC address format matches our Symantec LAN Enforcers'. Other devices may differ, so you may need to check the IAS event logs to verify the format.

[Image: policy_conditions.PNG]

After adding the MAC address, click "Edit Profile" in the window above. The window below will appear once you click the Authentication tab.

We'll only use the "Unencrypted authentication (PAP, SPAP)" protocol to authenticate these users, so make sure no "EAP Methods" or other authentication methods are selected:

[Image: auth.PNG]

Next, go to the Advanced tab in the same window and match the view below. You'll probably only need to add the Ignore-User-Dialin-Properties attribute by clicking the Add button.

[Image: advanced.PNG]

4. Allow protocols other than EAP
In the LAN Enforcer configuration options on the SEP Manager, select the "Forward protocols beside EAP" option to be able to authenticate MAC addresses with PAP authentication.

[Image: besides_eap.PNG]

And that is all for the configuration.
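Steps 2 and 3 both hinge on the MAC address being spelled the same way everywhere: in the AD user name, in the Calling-Station-Id condition, and in whatever format the switch or Enforcer sends. The following is an added example (not part of the original article or of any Symantec or Cisco tool) that normalizes the common spellings and then checks a MAB request's User-Name and Calling-Station-Id against a normalized allowlist; the sample MAC addresses are constructed.

```python
import re

# Accepted spellings: 00:1a:2b:3c:4d:5e, 00-1a-2b-3c-4d-5e, Cisco dotted
# 001a.2b3c.4d5e, or bare 001a2b3c4d5e, in any letter case.
_MAC_FORMS = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$"
)

def normalize_mac(value: str) -> str:
    """Reduce any accepted MAC spelling to 12 lowercase hex digits.
    Raises ValueError for anything else, so an ordinary user name is never
    mistaken for a MAB identity."""
    s = value.strip().lower()
    if not _MAC_FORMS.match(s):
        raise ValueError(f"not a MAC address: {value!r}")
    return re.sub(r"[^0-9a-f]", "", s)

def format_mac(mac12: str, style: str, upper: bool = False) -> str:
    """Render a normalized MAC in the delimiter style a device or log uses."""
    pairs = [mac12[i:i + 2] for i in range(0, 12, 2)]
    if style == "colon":
        out = ":".join(pairs)
    elif style == "dash":
        out = "-".join(pairs)
    elif style == "cisco":
        out = ".".join(mac12[i:i + 4] for i in range(0, 12, 4))
    else:
        raise ValueError(f"unknown style: {style!r}")
    return out.upper() if upper else out

def build_allowlist(entries) -> set:
    """Normalize every configured MAC once, so comparisons ignore spelling."""
    return {normalize_mac(e) for e in entries}

def mab_request_allowed(user_name: str, calling_station_id: str, allowlist: set) -> bool:
    """The switch sends the client MAC as User-Name and the policy matches on
    Calling-Station-Id; both must normalize to the same allowlisted MAC.
    Refusing a request whose two fields disagree is an added consistency check."""
    try:
        user_mac = normalize_mac(user_name)
        port_mac = normalize_mac(calling_station_id)
    except ValueError:
        return False
    return user_mac == port_mac and user_mac in allowlist

# Constructed sample values (not from the article): two printers as typed into AD.
ALLOWLIST = build_allowlist(["00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5f"])
```

Feeding the MAC exactly as it appears in the IAS event log into `normalize_mac` is a quick way to confirm that a "no policy match" is a spelling mismatch rather than a missing account.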

Now you'll see that the matching MAC addresses are granted authentication and the switch will open the port for them. You cannot enforce anything for those clients from the LAN Enforcers. You won't even see a detailed debug log for their connections on the Enforcer, since this authentication method is not EAP.

I hope this helps all of the Symantec guys out there playing with 802.1x NAC.

Best regards,
Bekir Burak Durmaz

Comments (7)

Vikram Kumar-SAV to SEP

Thanks for sharing.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Bekir

we gotta share to be able to find :)

Best regards,
Bekir Burak Durmaz

Fatih Teke

Thank you Bekir
Nice Article.
Fatih

Everything works better when everything works together.

rjcm

Thanks for the article.

I implemented this solution and everything worked properly when, in the IAS "policy conditions", I put only one MAC address. If I put more than one, the IAS authentication is rejected with "IAS_NO_POLICY_MATCH".
Any idea how to solve this?
Thanks

Bekir

How did you add the new MAC addresses? Did you use the Add button and repeat the process for each one?

Best regards,
Bekir Burak Durmaz
