Mac Authentication For Cisco

We are starting to roll out ClearPass and MAC authentication using Cisco switches. We are having problems with Cisco phones and trying to profile them correctly. We have the following config on the ports Interface gig1/0/1 switchport access vlan 501 switchport mode access switchport voice vlan 6. Because the MAC address of the device is used as the authentication credentials, an attacker can easily gain network access by spoofing the MAC address of previously authenticated clients. Deploying MAC-Based Access Control in Cisco ISE Below are the steps necessary in order to deploy MAC-based Access Control in Cisco ISE.

Overview

When setting up an enterprise wireless network, it is common to configure WPA2-Enterprise authentication with a centralized authentication server to provide heightened security for clients connecting to the network, while still allowing for easy and scalable management of authorized users. However, IT administrators may still encounter some drawbacks with this method of authentication. While a username and password provides extra security, users may find remembering an extra set of credentials to be cumbersome when trying to get connected, and may be better served by using a private PSK. Additionally, certain devices may not support WPA2-Enterprise authentication, and would require an additional PSK SSID to be set up to connect to the same network, increasing wireless overhead and compromising on security. Identity PSK, with RADIUS authentication resolves these issues by acting as a standard WPA2 PSK SSID to clients, while authenticating clients to a central server based on their MAC address and allowing different PSKs to be set for specific clients or groups of clients.

This article will provide a walk-through of how to set up Identity PSK in Dashboard, as well as on FreeRADIUS and on Cisco ISE.

This feature is supported only on firmware 26.5 and above.

1. Components:

Cisco ISE Version 2.1

Cisco switch C3560E with IOS 15.0(2)SE7

Windows 7/8 VMs

2. Network topology:

I’m going to use a very simple topology for this example. NAD (SW1) has connectivity to Authentication Server (ISE) and port G0/9 that goes to a server with VMs. Windows 7 VM’s MAC will be added to ISE’s endpoint database.

3. Configuring Cisco Switch

As a first step we have to enable aaa new model, identify our authentication group and add the ISE server.

Now let’s configure our supplicant-facing port. Something I learned hard way – if port isn’t hardcoded as an access, your switch won’t even take MAB or authentication commands:

Mac Authentication Bypass Cisco Ise

Mac Authentication For Cisco

So we can either configure switchport as a host, or just hardcode it as an access. I’m going to also assign a VLAN to the port.

Now we can configure mab and port-control as apposed to above

Let’s do the actual configuration

At this point switch configuration is done. We’ll get back to our switch to check some debugs later.

Best Overall:Disk Drill is free and easy to download as the installer is only about 20 MB big. We were able to get it both downloaded and installed in just under 5 minutes.As we all know, the first couple of hours when we experience data loss are crucial, and Disk Drill definitely doesn’t waste any time. The installation process is very simple. As soon as you launch the program, it will be listing all the available drives in the impressive user interface.It also lists the most important features that could help you in specific data recovery, so you’ll know where to head from there. In a single click, you can start the recovery, but be aware that it might take a few minutes.For a free version of a data recovery tool – we were surprised at the compatibility offered in the free version of Disk Drill. Keep on reading as you’ll find some of the best recovery software we’ve tested on Mac! Free data recovery software for mac os.

4. Adding NAD to ISE

Go to Administration -> Network Devices

Click “Add” and enter parameters of your NAD. Don’t forget RADIUS shared KEY.

Now let’s add a static entry of our Windows 7 client. From the Home ISE dashboard go to Total Endpoints and then click Add and enter your device’s MAC address.

The configuration is done. Let’s connect our VM and see what happens.

5. Checking debugs on a switch and ISE server

Let’s enable RADIUS debugs on a switch

We can see successful authentication below. Please note the following RADIUS attributes: NAS-Port-Type and Service-Type

On ISE go to Operations -> Live Log and click on authenticated session:

If we scroll down, we can see lots of details for this particular session, but let’s check out why we’ve chosen these particular Authentication and Authorization Policies:

Go to Policy -> Authentication and click on Edit button next to MAB to expand the policy. As we can see, Authentication Policy rule MAB is matched if condition Wired_MAB or Wireless_MAB is met. Meeting one of these conditions triggers authentication from Internal Endpoints.

Mac Authentication Cisco

Now let’s check the actual Wired_MAB condition (as we are connecting to wired switch port). Go to Policy -> Policy Elements -> Conditions -> Compound Conditions and click our Wired_MAB condition in question

Remember our RADIUS attributes from the switch debug? NAS-Port-Type and Service-Type. This is how ISE figures out that we don’t have dot1x supplicant and have to use MAB.

Now let’s check what exactly is happening with Authorization policy. We had Basic_Authenticated_Access being selected in our live logs details. Go to Policy -> Authorization. We can see that condition “Network_Access_Authentication_Passed” is required for Basic_Authenticated_Access policy rule with PermitAccess result.

Cisco Authentication Port Control Auto

Network_Access_Authentication_Passed condition name is self-explanatory, but let’s check the condition. Go to Policy-Policy Elements -> Conditions -> Authorization -> Compound Conditions and check our condition in question:

Cisco

We can see that successful authentication is the only requirement for this Authorization Condition:

So this is what triggers our successful Authorization after Endpoint MAC address is Authenticated against ISE Internal Endpoint database.

We can also quickly check some MAB related stats on the switch. Show MAB all will display ports with enabled bypass.

Interfaces with different authentication methods including MAB can be viewed with show authentication sessions command:

And we can see more session details by looking into interface or session ID. Output should be the same.

This summarizes MAB. It’s not used that much in production environment these days as even very simple devices like printers and scanners can now support supplicants, but I think playing with MAB is a simple way to understand how Authentication and Authorization Policies work in ISE.

Cisco Authentication Failed

In next post I’ll probably have fun with ACLs.

Comments are closed.