SNAC 802.1x Mac Authentication Bypass (MAB) with a Cisco Switch and IAS
Before we start, as a heads-up: this article covers one specific MAB solution only, and you are assumed to know how to set up an 802.1x authentication environment with SNAC and Cisco switches. The basics of 802.1x installation are not the subject of this article; in other words, it is meant to be applied to an existing, working, wired 802.1x environment.
To begin with, bypassing authentication for a network adapter by its MAC address becomes necessary when you want to secure every UTP cable hanging around with 802.1x authentication, because devices like printers or IP phones cannot respond to 802.1x requests.
Symantec Network Access Control 6100 Appliances include a built-in MAB feature with a clear and easy configuration; however, I couldn't get it working in spite of all the advanced stuff I've been doing. I didn't want to open a case for this because it's not the best idea to use the LAN Enforcer's local MAC database, since you have to back it up regularly if you do so. There's an LDAP option in the appliance configuration, but I didn't try it either, since this method looks easier to me.
Thus, this article covers how to create a MAC Authentication Bypass (MAB) using Microsoft IAS as the RADIUS server together with a Cisco switch.
1. Particular switch ports should be configured to initiate MAB if there is no 802.1x response
When dot1x is enabled on a switch globally and on a specific switch port, that port will only talk dot1x until the authentication is complete. But there will be times when authentication requests go unanswered. These can come from guest clients that do not have 802.1x enabled in their Ethernet configuration, and such clients can be moved to a guest VLAN.
On the other hand, a network printer or an IP phone will not respond to 802.1x at all, because it is not capable of it. And you cannot move them to a guest VLAN, since they have to be accessible from production. To keep these clients in the production VLAN, you need to enable the MAC bypass feature on the Cisco switch (the exact commands depend on the IOS version).
The command we need is basically "dot1x mac-auth-bypass":
This command makes the port send an authentication request to the configured RADIUS server once all 802.1x timeouts have expired without a response from the connected client. So it may take some time before the request reaches the RADIUS servers (both the NAC appliance acting as a RADIUS proxy and IAS acting as the domain RADIUS server).
There are a few more related commands depending on the IOS version, such as "dot1x max-reauth-req"; check the options available on your Cisco switch.
2. You need domain users corresponding to the MAC addresses
When MAB is activated, the switch sends an authentication packet as if the username were the MAC address of the connected client (such as a network printer). To authenticate these requests, you need to create domain users whose user names are those MAC addresses:
Now IAS will try to authenticate the user according to its policies, since the user exists in the domain.
I'd create a new OU for these clients to keep them separated and to prevent any confusion.
3. You need a new policy in IAS
Since the requests for these clients contain nothing but the client's MAC information, you need a dedicated policy for them.
Create a new policy in Microsoft IAS, move it to the top of the policy list and then edit it to match the configuration below:
The policy conditions include one Calling-Station-Id entry per Ethernet device to be allowed, its value being the device's MAC address, so you can keep adding all the necessary MAC addresses to the same policy. This MAC address format matches our Symantec LAN Enforcer's; other devices may differ, so check the IAS event logs to verify the format they send.
After adding the MAC address, click "Edit Profile" in the window above. The window below will appear once you click the Authentication tab.
We'll only use the "Unencrypted authentication (PAP, SPAP)" method to authenticate these users, so make sure no EAP methods or any other authentication methods are selected:
Next, go to the Advanced tab of the same window and match the view below. You'll probably only need to add the Ignore-User-Dialin-Properties attribute by clicking the Add button.
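The exchange that steps 2 and 3 rely on, modelled in Python as an added example (this is not code from the original article, nor from IAS, Cisco or Symantec): the switch's Access-Request carries the MAC as User-Name and, as Cisco MAB does, as the PAP User-Password, and a policy check mirrors the IAS conditions, normalizing the Calling-Station-Id (whatever format the device sends) before looking it up, then recovering the PAP password with the shared secret. The secret, the MAC and the allow-list are constructed values.

```python
import hashlib
import os
# Constructed sample values; not taken from the original article.
SHARED_SECRET = b"example-radius-secret"   # shared by the switch, the Enforcer proxy and IAS
ALLOWED_MACS = {"001122aabbcc"}             # printer / IP phone MACs listed in the IAS policy

def normalize_mac(value):
    """Map 00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc, 0011.22aa.bbcc or 001122aabbcc
    onto 12 lowercase hex digits so the policy compares one canonical form."""
    digits = "".join(ch for ch in value.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % value)
    return digits

def pap_hide(data, secret, authenticator, decrypt=False):
    """RFC 2865 section 5.2 User-Password hiding: XOR each 16-byte block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    The hiding is reversible with the shared secret, so protecting that secret
    is what protects these MAB credentials on the wire."""
    if not decrypt:
        data += b"\x00" * ((16 - len(data) % 16) % 16)  # pad plaintext to whole blocks
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], keystream))
        out, prev = out + block, (data[i:i + 16] if decrypt else block)
    return out.rstrip(b"\x00") if decrypt else out

def build_mab_request(mac, secret, calling_station_id=None):
    """The Access-Request a switch in MAB sends: User-Name and (as Cisco MAB does)
    User-Password both carry the client MAC; Calling-Station-Id may use another format."""
    auth = os.urandom(16)  # Request Authenticator, fresh per request
    return {"Authenticator": auth, "User-Name": mac,
            "Calling-Station-Id": calling_station_id or mac,
            "User-Password": pap_hide(mac.encode(), secret, auth)}

def evaluate_mab_policy(req, secret, allowed_macs):
    """Mirror the IAS policy: Calling-Station-Id must be in the allow-list and the
    PAP password must decrypt with the shared secret to the user name."""
    try:
        mac = normalize_mac(req["Calling-Station-Id"])
    except ValueError:
        return "reject: malformed Calling-Station-Id"
    if mac not in allowed_macs:
        return "reject: MAC not in policy"
    password = pap_hide(req["User-Password"], secret, req["Authenticator"], decrypt=True)
    if password != req["User-Name"].encode():
        return "reject: PAP credential mismatch"
    return "accept"
```

A request that is proxied with a different shared secret on either leg fails the PAP check, which is one reason an otherwise correct policy can still reject a printer.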
4. Allow protocols other than EAP
In the LAN Enforcer configuration options in the SEP Manager, select the "Forward protocols beside EAP" option so that MAC addresses can be authenticated with PAP.
And that is all for the configuration.
Now you'll see that the matching MAC addresses are granted authentication and the switch opens the port for them. You cannot enforce anything on these clients from the LAN Enforcer, and you won't even see a detailed debug log of their connections on the Enforcer, since this authentication method is not EAP.
I hope this helps all of the Symantec guys out there playing with 802.1x NAC.
Bekir Burak Durmaz