CCIE Security Lab: MAB-ISE in Wonderland



Let's test the laptop out with MAB (MAC Authentication Bypass). The idea being that we don't care who logs in, we don't care if they support dot1x, we just care that a particular device (identified by it's MAC address) has certain rules placed on it (such as ACL and VLAN assignment).

Because the laptop (Laptop5-PC at the bottom of the list) is already in the list of endpoints most of the work is already done for us:


We should create a new group for this though:


We then add the laptop to this group:


And add a new AuthZ rule, so that if it is in the Endpoint Identity Group "Bob-MAB", and we are using MAB, then we will permit the traffic:


To switch to MAB we need to disable the dot1x authentication in the Security tab of the NIC properties on the laptop, but even with this disabled, it was not cutting over to MAB.

This was because the timeout was set too high:
3750X#sh run int gi 3/0/20 | i timeout
 dot1x timeout tx-period 65535
3750X#sh authentication sessions 

Interface  MAC Address     Method   Domain   Status         Session ID
Gi3/0/20   (unknown)       dot1x    UNKNOWN  Running        0A010132000000510AF7AC47
Gi3/0/3    e411.5b25.c2e9  dot1x    DATA     Authz Success  0A0101320000004B0A57FC2A
Gi3/0/3    0019.e83e.3b09  dot1x    VOICE    Running        0A0101320000003A02750260

3750X#conf t
3750X(config)#interface GigabitEthernet3/0/20
3750X(config-if)#dot1x timeout tx-period ?
  <1-65535>  Enter a value between 1 and 65535

3750X(config-if)#dot1x timeout tx-period 10
3750X(config-if)#shut
3750X(config-if)#
3750X(config-if)#no shut
3750X(config-if)#                 
3750X(config-if)#do sh auth sess

Interface  MAC Address     Method   Domain   Status         Session ID
Gi3/0/20   (unknown)       mab      UNKNOWN  Running        0A010132000000530AF8FC15
Gi3/0/3    e411.5b25.c2e9  dot1x    DATA     Authz Success  0A0101320000004B0A57FC2A
Gi3/0/3    0019.e83e.3b09  dot1x    VOICE    Running        0A0101320000003A02750260

3750X(config-if)#
Setting it lower means we cut over to MAB much quicker (obviously). We have not blocked Bob from reaching the 10.1.4.50 websites though, but can we, if we change the AuthZ policy to this:


3750X(config-if)#do sh auth sess int gi 3/0/20
            Interface:  GigabitEthernet3/0/20
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A010132000000550B0A5532
      Acct Session ID:  0x0000007C
               Handle:  0x84000056

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Running

3750X(config-if)#
Notice that we do not know the MAC address, or IP address. From the previous post, the dACL did not work until we enabled "ip device tracking". But here we do not see the MAC address or IP address, and no dACL has been applied:
3750X#sh ip access-lists interface gi 3/0/20
3750X#
So, do we lose this functionality with MAB? Or have I missed a step?

If we look at the auth state on the interface we can see that do1x has failed over (as we would expect) and that MAB is "running":
3750X(config-if)#do sh auth sess int gi 3/0/20 | b Runnable
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Running

3750X(config-if)#
We actually need MAB to show an "authc success" for this all to work.

The odd things here is I don't think I changed anything, but it started working (after a few unplug/plug in of the network cable) and gave me exactly what I needed:
3750X#sh auth sess int gi 3/0/20 
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  10.1.4.202
               Status:  Running
               Domain:  UNKNOWN
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A010132000000580B33AD5B
      Acct Session ID:  0x0000007F
               Handle:  0x76000059

Runnable methods list:
       Method   State
       dot1x    Running
       mab      Not run

3750X#sh auth sess int gi 3/0/20 
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  10.1.4.202
            User-Name:  E4-11-5B-25-C2-E9
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  4
              ACS ACL:  xACSACLx-IP-Deny-AP-DNS-to-Bob-57591fa3
      Session timeout:  3600s (local), Remaining: 3600s
       Timeout action:  Reauthenticate
         Idle timeout:  65535s (local), Remaining: 65536s
    Common Session ID:  0A010132000000580B33AD5B
      Acct Session ID:  0x0000007F
               Handle:  0x76000059

Runnable methods list:
       Method   State
       dot1x    Failed over
          
       mab      Authc Success

3750X#
As you can see, we start with dot1x, which shows "running", we get the MAC address and IP address. dot1x fails (because we have disabled the 802.1x support in the Authentication tab on the NIC properties, and we fail over to MAB. This time, however, we see an Authc success for MAB, and because of this, we get the ACL, and access to http://10.1.4.101 is denied.

Not sure why it started working. I did create a new AuthZ profile, called AuthC-Bob-MAB, but this is not different to the existing one (apart from hard-coding the VLAN):


The profile was changed to reflect this:



Maybe I forgot to press save or something.

But at least it's working, and I am learning and getting faster, which is what is needed.

I think it's time to start playing with a new toy! Maybe some WSA should be next.

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.

Related Posts

Previous
Next Post »