All connected devices will share the VLAN ID of the authenticated device. If that device is authenticated, then the switchport will allow multiple other devices to access the network without requiring separate authentication of each device. Multihost Mode: The first device to the network will be submitted to ISE for authentication. This allows each device to be granted a specific VLAN ID according to its endpoint identity profile configured in ISE. Authorized devices are allowed onto the network as normal packets from unauthorized devices are dropped and the switchport remains in the connected state. This host mode is used when there are multiple devices connecting to a single shared switchport through a hub or bridge such as an unmanaged switch. Multi-Authentication Host Mode: Multiple hosts are individually authenticated onto the network. Multidomain authentication allows one device to connect to each of the two switchport domains – one device can connect to the DATA domain, and one device can connect to the VOICE domain. Multidomain Authentication Host Mode: This host mode was created specifically for IP telephony. If multiple devices are detected on the switchport, the switch will put the switchport into an err-disabled state. Single-Host Mode: MAB configured in single-host mode will allow only a single device to be allowed onto the network at a time. There are four host mode options which can be used by MAB: If issues are discovered with all MAB authentication on a specific switch, it may be best to troubleshoot the RADIUS configuration before troubleshooting MAB. This configuration is outside of the scope of this article, and it is assumed that this configuration has already taken place.
In order for MAB to function, the switch must be configured to use the ISE server(s) for RADIUS authentications. If there is no matching endpoint identity in ISE, then the device is authentication session is put into an Unauth state and packets from that device are dropped by the NAD. If a match is found, ISE returns an Access-Accept authorization to the switch and the device is allowed onto the network with a specific VLAN ID tag as configured by the ISE endpoint identity profile. ISE then uses the MAC address from this RADIUS Access-Request packet to query its endpoint identity database for a match. Once the switch learns the MAC address of the device attempting to connect to the network, the switch builds a RADIUS Access-Request packet using the MAC address of the device as the User Name and Calling-Station-ID. These include LLDP, spanning tree, and DTP packets. Almost any packet can be used for MAB, but there are specific types of packets that cannot be used.
Packets that are sent before MAB occurs and packets that are used to learn the MAC address are dropped by the switch. In this article I will be assuming that the NAD being used is a switch.
This hardware-based authentication happens when a device connects to a Network Access Device (NAD) either wired or wirelessly – i.e., a switch, wireless access point, or VPN concentrator. MAB uses the hardware address (MAC address) of the device connecting to the network to authenticate onto the network. MAC Authentication Bypass (MAB) is a method of network access authorization used for endpoints that cannot or are not configured to use 802.1x authentication.
0 kommentar(er)
