Let's test the laptop out with MAB (MAC Authentication Bypass). The idea is that we don't care who logs in, and we don't care whether they support dot1x; we just care that a particular device (identified by its MAC address) has certain rules placed on it (such as ACL and VLAN assignment).
Because the laptop (Laptop5-PC at the bottom of the list) is already in the list of endpoints most of the work is already done for us:
We should create a new group for this though:
We then add the laptop to this group:
And add a new AuthZ rule, so that if it is in the Endpoint Identity Group "Bob-MAB", and we are using MAB, then we will permit the traffic:
To switch to MAB we need to disable the dot1x authentication in the Security tab of the NIC properties on the laptop, but even with this disabled, it was not cutting over to MAB.
This was because the dot1x timeout was set too high. The switch only falls back to MAB once its 802.1X identity requests have timed out, and with a tx-period of 65535 seconds that effectively never happens:
3750X#sh run int gi 3/0/20 | i timeout
 dot1x timeout tx-period 65535
3750X#sh authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Gi3/0/20   (unknown)       dot1x   UNKNOWN Running        0A010132000000510AF7AC47
Gi3/0/3    e411.5b25.c2e9  dot1x   DATA    Authz Success  0A0101320000004B0A57FC2A
Gi3/0/3    0019.e83e.3b09  dot1x   VOICE   Running        0A0101320000003A02750260
3750X#conf t
3750X(config)#interface GigabitEthernet3/0/20
3750X(config-if)#dot1x timeout tx-period ?
  <1-65535>  Enter a value between 1 and 65535
3750X(config-if)#dot1x timeout tx-period 10
3750X(config-if)#shut
3750X(config-if)#
3750X(config-if)#no shut
3750X(config-if)#
3750X(config-if)#do sh auth sess
Interface  MAC Address     Method  Domain  Status         Session ID
Gi3/0/20   (unknown)       mab     UNKNOWN Running        0A010132000000530AF8FC15
Gi3/0/3    e411.5b25.c2e9  dot1x   DATA    Authz Success  0A0101320000004B0A57FC2A
Gi3/0/3    0019.e83e.3b09  dot1x   VOICE   Running        0A0101320000003A02750260
3750X(config-if)#

Setting it lower means we cut over to MAB much quicker (obviously). We have not blocked Bob from reaching the 10.1.4.50 websites though, but can we, if we change the AuthZ policy to this:
3750X(config-if)#do sh auth sess int gi 3/0/20
            Interface:  GigabitEthernet3/0/20
          MAC Address:  Unknown
           IP Address:  Unknown
               Status:  Running
               Domain:  UNKNOWN
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A010132000000550B0A5532
      Acct Session ID:  0x0000007C
               Handle:  0x84000056

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Running
3750X(config-if)#

Notice that we do not know the MAC address or the IP address. From the previous post, the dACL did not work until we enabled "ip device tracking". But here we do not see the MAC address or IP address, and no dACL has been applied:
3750X#sh ip access-lists interface gi 3/0/20
3750X#

So, do we lose this functionality with MAB? Or have I missed a step?
If we look at the auth state on the interface we can see that dot1x has failed over (as we would expect) and that MAB is "running":
3750X(config-if)#do sh auth sess int gi 3/0/20 | b Runnable
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Running
3750X(config-if)#

We actually need MAB to show an "Authc Success" for this all to work.
The odd thing here is I don't think I changed anything, but it started working (after a few unplug/plug-ins of the network cable) and gave me exactly what I needed:
3750X#sh auth sess int gi 3/0/20
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  10.1.4.202
               Status:  Running
               Domain:  UNKNOWN
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0A010132000000580B33AD5B
      Acct Session ID:  0x0000007F
               Handle:  0x76000059

Runnable methods list:
       Method   State
       dot1x    Running
       mab      Not run

3750X#sh auth sess int gi 3/0/20
            Interface:  GigabitEthernet3/0/20
          MAC Address:  e411.5b25.c2e9
           IP Address:  10.1.4.202
            User-Name:  E4-11-5B-25-C2-E9
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  4
              ACS ACL:  xACSACLx-IP-Deny-AP-DNS-to-Bob-57591fa3
      Session timeout:  3600s (local), Remaining: 3600s
       Timeout action:  Reauthenticate
         Idle timeout:  65535s (local), Remaining: 65536s
    Common Session ID:  0A010132000000580B33AD5B
      Acct Session ID:  0x0000007F
               Handle:  0x76000059

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
3750X#

As you can see, we start with dot1x, which shows "Running", and we get the MAC address and IP address. dot1x fails (because we have disabled the 802.1x support in the Authentication tab on the NIC properties) and we fail over to MAB. This time, however, we see an Authc Success for MAB, and because of this we get the ACL, and access to http://10.1.4.101 is denied.
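The difference between a port that is still waiting on dot1x, one where MAB is merely "Running", and one where MAB has reached "Authc Success" with a dACL is easy to miss when eyeballing these outputs. The following is an added example (not from this post or from Cisco) that parses "show authentication sessions interface" output into fields and runnable-method states and classifies which of those three situations the port is in; the two sample outputs are constructed, modelled on the sessions quoted above.

```python
# Constructed samples modelled on the "show authentication sessions
# interface" output above: MAB still running, and MAB after Authc Success.
MAB_RUNNING = """\
Interface:  GigabitEthernet3/0/20
MAC Address:  Unknown
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Running
"""
MAB_SUCCESS = """\
Interface:  GigabitEthernet3/0/20
MAC Address:  e411.5b25.c2e9
Vlan Policy:  4
ACS ACL:  xACSACLx-IP-Deny-AP-DNS-to-Bob-57591fa3
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

def parse_session(text):
    """Return the 'Key: value' fields plus a 'methods' dict of method -> state."""
    fields, methods, in_methods = {}, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods and line and not line.startswith("Method"):
            name, _, state = line.partition(" ")   # e.g. "dot1x    Failed over"
            methods[name] = state.strip()
        elif ":" in line:
            key, _, value = line.partition(":")    # first colon only
            fields[key.strip()] = value.strip()
    fields["methods"] = methods
    return fields

def diagnose(text):
    """Classify where the port is in the dot1x -> MAB fallback."""
    s = parse_session(text)
    m = s["methods"]
    if m.get("dot1x") == "Running":
        return "dot1x-running"      # MAB cannot start yet; check tx-period
    if m.get("mab") == "Running":
        return "mab-pending"        # no MAC/IP learned, no dACL expected yet
    if m.get("mab") == "Authc Success":
        return "mab-authorized" if "ACS ACL" in s else "mab-no-dacl"
    return "unknown"
```

Run diagnose() over the output of each port you are troubleshooting; "mab-no-dacl" is the case where ISE authenticated the MAC but no downloadable ACL arrived, which points at the AuthZ profile rather than the switch.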
Not sure why it started working. I did create a new AuthZ profile, called AuthC-Bob-MAB, but this is no different from the existing one (apart from hard-coding the VLAN):
The profile was changed to reflect this:
Maybe I forgot to press save or something.
But at least it's working, and I am learning and getting faster, which is what is needed.
I think it's time to start playing with a new toy! Maybe some WSA should be next.