MAC Authentication Bypass
Priyanka Shyam
Network Geek with a robust skill set | CCDE (Written) | CCIE | CWNA | Cisco SCOR | Cisco SD-WAN Expert | Technical Writer | Multitasker | Considerate & Empathic Communicator
We all know that 802.1X is a great way to protect your network by authenticating everything you connect to your switch ports. However, one disadvantage of 802.1X is that your end devices have to support it. Imagine the device I am using is not 802.1X capable: what can we do in that case to still provide security? Most modern devices have no problem with it, but what if you have a network printer or camera that doesn't support 802.1X?
I have already discussed 802.1X in depth in my previous article:
The default behavior of 802.1X is to deny access to the network when authentication fails. This behavior was discovered to be undesirable in many customer deployments because it does not allow for guest access, nor does it allow employees to remediate their computer systems and gain full network access. The next phase in handling 802.1X authentication failures was to provide an "Auth-Fail VLAN" to allow a device/user that failed authentication to be granted access to a VLAN that provided limited resources.
This was a step in the right direction, but still not as practical as needed, especially in environments that must use MAC Authentication Bypass for all the printers and other non-authenticating devices. With the default behavior of 802.1X, an administrator would have to configure ports for printers and other devices that do not have supplicants differently from the ports on which they planned to do authentication.
Therefore, Cisco created Flexible Authentication (Flex-Auth). Flex-Auth allows a network administrator to set an authentication order and priority on the switchport, thereby allowing the port to attempt 802.1X, MAC Authentication Bypass, and then Web Authentication in order. All of these functions are provided while maintaining the same configuration on all access ports, thereby providing a much simpler operational model for customers than traditional 802.1X deployments.
There are multiple methods of authentication on a switchport: 802.1X (dot1x), MAC Authentication Bypass (MAB), and Web-based Authentication (Web-Auth). With 802.1X authentication, the switch sends an identity request (EAP-Identity-Request) periodically after the link state has changed to "up" (see the authentication timeout section below for recommended timer changes). Additionally, the endpoint supplicant should send a periodic EAP over LAN Start (EAPoL-Start) message into the switchport to speed up authentication. If a device is not able to authenticate, it merely has to wait until the dot1x timeout occurs, and MAC Authentication Bypass (MAB) will take over. Assuming the device MAC address is in the correct database, it will then be authorized to access the network.
If you can't use 802.1X but still want to secure your switch ports somehow, you can use MAC Authentication Bypass (MAB). When you enable MAB on a switchport, the switch drops all frames except for the first frame to learn the MAC address. Pretty much any frame can be used to learn the MAC address except for CDP, LLDP, STP, and DTP traffic. Once the switch has learned the MAC address, it contacts an authentication server (RADIUS) to check if it permits the MAC address.
Simply put, MAB is used to authenticate devices that are not 802.1X capable (e.g. printers, IP phones).
MAB cannot check anything other than the MAC address. It is therefore not a secure authentication method compared to the others, because a MAC address can be spoofed by anyone.
There are two ways to configure MAB:
- Standalone: you only use MAB for authentication.
- Fallback: MAB is used as a fallback for 802.1X. The switch first attempts 802.1X and, when that fails, uses MAB for authentication.
By default, MAB only supports a single endpoint (device) per switchport. When it sees more than one source MAC address, it raises a security violation. This can be an issue when, for example, you use an IP phone with a PC behind it. It is possible to change this behavior:
- Single-host mode: only a single source MAC address can be authenticated. When the switch detects another source MAC address after authentication, it triggers a security violation. This is the default setting.
- Multi-domain authentication host mode: You can authenticate two source MAC addresses, one in the voice VLAN and another one in the data VLAN. This is for the scenario where you have an IP phone and a PC on a single switchport. Any more source MAC addresses trigger a security violation.
- Multi-authentication host mode: You can authenticate multiple source MAC addresses. You can use this when your switchport is connected to another switch. Each source MAC address is separately authenticated.
- Multi-host mode: The switch allows multiple source MAC addresses. Only the first source MAC address is authenticated; all other source MAC addresses are automatically permitted.
Please note that from here onwards I will be using ISE as my RADIUS server for authentication.
When MAB is enabled on the switch interface, the switch does the following:
- It takes each new MAC address and sends it to the RADIUS server (in a Cisco deployment, ISE acts as the RADIUS server).
- It fills the RADIUS attributes User-Name and User-Password with the MAC address.
- It fills the RADIUS attribute Calling-Station-Id with the MAC address.
ISE can authenticate MAB devices based either on Calling-Station-Id or on the username and password:
- If Process Host Lookup is enabled on ISE, authentication is based on Calling-Station-Id.
- If Process Host Lookup is disabled on ISE, authentication is based on username/password.
To enable Process Host Lookup on ISE, navigate to Policy > Policy Elements > Results > Authentication > Allowed Protocols.
ISE behaves differently depending on whether Process Host Lookup is enabled or disabled:
- Process Host Lookup disabled: ISE takes the username and password as the MAC address and checks it against the Internal User database.
- Process Host Lookup enabled: ISE takes the Calling-Station-Id as the MAC address and checks it against the Internal Endpoints database.
It is recommended to enable Process Host Lookup in ISE.
How does the switch know whether the end device is 802.1X capable?
Authentication Timeout in 802.1X
The switch uses the authentication timeout to determine whether the end device connected to an interface has an 802.1X supplicant.
By default the switch sends an EAP Request-Identity message every 30 seconds to the endpoint. If it receives no response to three EAP Request-Identity messages (90 seconds), it assumes the host has no 802.1X supplicant and begins the MAB process.
It is recommended to lower the authentication timeout so that devices without a supplicant fall back to MAB sooner.
MAB implementation is done in two steps:
i) Configuration on Network Access Device ( Ex: Switch)
ii) Configuration on Radius Server ( Ex: ISE)
Note: Unlike 802.1X authentication, no configuration is required on the supplicant. The supplicant is simply your end device.
Configuration on the Network Access Device is divided into two parts:
i) Configuration on the Network Access Device to communicate with the RADIUS server
ii) Configuration on the Network Access Device for the supplicant
Configuration on the Network Access Device to communicate with the RADIUS server
i) Enable AAA on the switch
Switch(config)# aaa new-model
ii) Configure the authentication protocol to be used on the switch (either RADIUS or TACACS+)
Switch(config)# aaa authentication dot1x default group radius
iii) Configure the RADIUS server IP address and the secret key that protects traffic between the network device and the RADIUS server
Switch(config)# radius-server host 192.168.1.1 key cciesec
iv) Configure the source IP address the switch uses towards ISE (optional but recommended)
Switch(config)# ip radius source-interface loo0
Note: We can also configure the authorization and accounting protocols to be used, but in this case I am not using them.
Configuration on the Network Access Device for the supplicant
i) Enable MAB on the interface where the end device is connected
Switch(config)# interface fa0/1
Switch(config-if)# mab
ii) Enable the port to initiate authentication of the end device
Switch(config-if)# authentication port-control auto
Configuration on the RADIUS server is divided into three parts:
i) Configure the switch as a network device so that ISE can communicate with it.
ii) Configure the MAC address in the identity database.
iii) Configure an authentication and an authorization policy that match the MAB condition.
Configure the network device so that ISE can communicate with the switch
To add a Network Access Device in ISE, navigate to Administration > Network Resources > Network Devices > Add
Note: The shared secret must be the same on ISE and on the switch; otherwise the switch cannot communicate with ISE.
Configure the MAC address in the identity database
To add a MAC address to the ISE database, navigate to Administration > Identities > Endpoints > Add
Configure an authentication and an authorization policy that match the MAB condition
To configure the Authentication Policy, navigate to Policy > Authentication > Authentication Policy
To configure the Authorization Policy, navigate to Policy > Authorization > Authorization Policy
Let us look at this on a real switch:
The following steps walk you through the configuration of Flex-Auth and the configurable actions for authentication high availability.
The switch used below is a Cisco 3750.
1. Configure the authentication method priority on the switchports. There are certain deployment methods where MAC Authentication Bypass (MAB) should occur before 802.1X authentication. For those corner cases, Cisco switches allow a network administrator to set a user-definable authentication order. However, the best practice is to maintain the order of dot1x and then MAB.
C3750X(config-if-range)#authentication priority dot1x mab
2. Configure the authentication method order on the switchports.
The order tells the switch which method to attempt first and which method to fall back to:
C3750X(config-if-range)#authentication order dot1x mab
Then configure the port to use Flex-Auth, so that a failed method moves on to the next one:
C3750X(config-if-range)#authentication event fail action next-method
3. Configure the port to use a local VLAN when the RADIUS server is down. If the global RADIUS server entry is configured with a test account (not shown in the global configuration above), the switch proactively detects when Cisco ISE has stopped responding to RADIUS requests. Now we configure the switchport to locally authorize the port when that server is found to be "dead" and to reinitialize authentication when the server is up again.
C3750X(config-if-range)#authentication event server dead action reinitialize vlan vlan-id
This feature was introduced to resolve problems with multiple authentication hosts on a single port, where some of them authenticated while the RADIUS server was operational and others (new hosts) try to authenticate while the RADIUS server is down.
4. Configure the port to allow a phone onto the network when the RADIUS server is down.
A phone is placed on the voice domain after successful authentication by configuring the RADIUS server to pass down the attribute device-traffic-class=voice. However, when the RADIUS server is not available, the phone won't be able to access the voice network and therefore cannot operate. As a result, there is a new feature called Critical Voice VLAN.
With this new feature, when the port is in critical authentication mode and traffic coming from the host is tagged with the voice VLAN, the device (a phone) is put into the configured voice VLAN for the port. The phone learns the voice VLAN identification through Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP), or DHCP. The command to enable this feature is:
C3750X(config-if-range)#authentication event server dead action authorize voice
5. Set the host mode of the port. The default behavior of an 802.1X-enabled port is to authorize only a single MAC address per port. There are other options, which we have already discussed above, most notably Multi-Domain Authentication (MDA) and Multiple Authentication (Multi-Auth) modes. During the initial phases of any Cisco TrustSec deployment, it is best practice to use Multi-Auth mode to ensure that there is no denial of service while deploying 802.1X.
The multi-auth mode will allow virtually unlimited MAC addresses per switchport, and require an authenticated session for every MAC address. When the deployment moves into the late stages of the authenticated phase, or into the enforcement phase, it is then recommended to use Multi-Domain mode. Multi-Domain Authentication will allow a single MAC address in the data domain and a single MAC address in the voice domain per port.
C3750X(config-if-range)#authentication host-mode multi-auth
6. Configure the violation action. When an authentication violation occurs, such as when there are more MAC addresses than are allowed on the port, the default action is to put the port into an error-disabled state. Although this behavior may seem nice and secure, it can create an accidental denial of service, especially during the initial phases of deployment. Therefore, we will set the action to restrict. This mode of operation allows the first authenticated device to continue with its authorization and denies any additional devices.
C3750X(config-if-range)#authentication violation restrict
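Pulling the global and interface-level pieces above together, the following is a complete example configuration for one Catalyst access port that tries 802.1X first and falls back to MAB. It is added here as an example and is not from the original article or from Cisco documentation; the ISE address, shared key, source interface, VLAN numbers and test username are assumed values.

```cisco
! Global AAA and RADIUS. Assumed values: ISE at 192.168.1.1, key cciesec,
! source interface Loopback0, test account radius-test.
aaa new-model
aaa authentication dot1x default group radius
! Authorization and accounting are added so ISE can push dACLs and VLANs
! (the article's basic configuration leaves them out)
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! The test username lets the switch mark ISE dead before a real endpoint is stuck
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 test username radius-test idle-time 5 key cciesec
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
ip radius source-interface Loopback0
! Without this global command the interface-level dot1x/mab commands do nothing
dot1x system-auth-control
!
! Access port: 802.1X first, MAB as fallback, port stays usable if ISE is down.
! Assumed VLANs: data 10, voice 20.
interface FastEthernet0/1
 description Flex-Auth access port (802.1X then MAB)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 ! multi-auth for the initial rollout; move to multi-domain in the enforcement phase
 authentication host-mode multi-auth
 authentication violation restrict
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 10
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 ! Fall back to MAB after 3 x 10 s instead of the default 3 x 30 s
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 spanning-tree portfast
```

Verify the result with `show authentication sessions interface FastEthernet0/1` and `show mab interface FastEthernet0/1`, which show which method (dot1x or mab) authorized each MAC address.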
MAB limitations
MAB is not a secure method compared to other authentication methods, so the network access of MAB devices should be restricted.
MAB does support the advanced authorization features of ISE, such as:
i) Downloadable ACLs
ii) Dynamic VLANs
iii) URL redirection
iv) Security Group Tags (SGT)
v) Smart Port Macros
It is not recommended to implement Dynamic VLANs on devices that do not have an 802.1X supplicant.
Network and Security Engineer
Great one and easy to understand! Thank u