Occasional Contributor II

Native supplicant to use MAB

Hello,

I have Windows 10 machines having the dot1x native supplicant enabled.

I am using EAP-TLS on CPPM.

My switch has dot1x and then mab as order and priority.

Suppose one of my machines having a native dot1x supplicant but an expired certificate tries to connect; RADIUS will send a reject message.

But can my machine go for MAB?

In which case does my machine go for MAB?

Is it possible for RADIUS to send an instruction to use MAB as dot1x is failing?

Guru Elite

Re: Native supplicant to use MAB

MAC auth is between a NAS and AAA server. The client/supplicant is not involved.

The NAS decides when MAC auth should be used.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Native supplicant to use MAB

Thanks Tim,

In my case, having Windows machines with a native supplicant, how can I instruct my NAS to use MAB for a faulty machine having an expired certificate? Who will instruct the NAS? And how does the client machine behave in this case?

Guru Elite

Re: Native supplicant to use MAB

You'll have to find out if your NAS supports a MAC auth on a rejected 802.1X authentication.

Note, this only applies to wired networks.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Native supplicant to use MAB

Yes, I am talking about wired only.

My NAS is a Cisco and HPE mix.

And what config is needed on the switch? Any special command?

And CPPM has no role in deciding this or sending an instruction to use MAB?

Guru Elite

Re: Native supplicant to use MAB

It should just work with a standard config.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Native supplicant to use MAB

OK, that's great. I am having a confusion that if the dot1x supplicant is enabled on my laptop, it will never go to MAB, because if dot1x fails and the switch port has a config to retry 3 times, the counter will reset after 3 and it will again start with dot1x and never go to MAB.

Below is my switch port config (Cisco):

interface FastEthernet2/2
 description 802.1X Enabled: PC
 switchport access vlan 301
 switchport mode access
 switchport voice vlan 455
 authentication event server dead action reinitialize vlan 301
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 36000
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout tx-period 5
 storm-control broadcast level 1.00
!

Guru Elite

Re: Native supplicant to use MAB

Actually, according to Cisco:

"MAB cannot be used as a next method for IEEE 802.1X authentication failures"

You can only use an auth fail VLAN.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

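The port stanza posted above and the Cisco statement quoted in this reply, as an added audit example that is not from the thread, from Cisco or from Aruba: it parses a legacy-style Cisco IOS interface stanza and reports whether a RADIUS reject of the 802.1X attempt has any configured fall-through. It assumes the IOS default method order (dot1x before mab) when no `authentication order` line is present, and the auth-fail VLAN 999 in the second sample is a placeholder.

```python
import re

# Constructed sample 1: the stanza posted above, trimmed to the auth-relevant lines.
POSTED_PORT = """\
interface FastEthernet2/2
 switchport access vlan 301
 authentication host-mode multi-auth
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""
# Constructed sample 2: the same port plus the auth-fail VLAN that the quoted
# Cisco statement leaves as the only post-reject option (VLAN 999 is a placeholder).
AUTHFAIL_PORT = POSTED_PORT.replace(
    "\n mab\n", "\n authentication event fail action authorize vlan 999\n mab\n")

def parse_interfaces(config: str) -> dict:
    """Return {interface_name: [config lines]} for each 'interface' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def fallback_after_dot1x_reject(lines: list) -> dict:
    """Describe what the port does when RADIUS rejects the 802.1X attempt."""
    joined = "\n".join(lines)
    order = re.search(r"^authentication order (.+)$", joined, re.M)
    fail = re.search(r"^authentication event fail action (.+)$", joined, re.M)
    info = {
        "dot1x": "dot1x pae authenticator" in lines,
        "mab": "mab" in lines,
        # Assumed IOS default: dot1x before mab when no 'authentication order' is set.
        "order": order.group(1).split() if order else ["dot1x", "mab"],
        "fail_action": fail.group(1) if fail else None,
    }
    # The method order only matters when 802.1X times out (no supplicant). After an
    # Access-Reject the port restarts 802.1X unless a fail action is configured.
    info["after_reject"] = (f"fail action: {info['fail_action']}" if info["fail_action"]
                            else "802.1X restarts; MAB is not tried")
    return info
```

Running it over both samples shows the posted port has no fail action, so a supplicant with an expired certificate keeps cycling through 802.1X and MAB is never attempted.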
Occasional Contributor II

Re: Native supplicant to use MAB

OK, the requirement is not to have an auth fail VLAN.

So technically, is it not doable?

I understand Cisco's recommendation, but as part of a POC we have to showcase this as a use case to our customer.

And they have limited external users, so they don't want to enable guest access or a guest VLAN.

And as a quick solution they want to allow MAB for external users.

That's why we (and also our customer) want to have MAB after dot1x failure.

So is it doable on Cisco and HPE?

Guru Elite

Re: Native supplicant to use MAB

You have HPE switches or Cisco switches?

As mentioned, Cisco doesn't support this so there's not much that can be done on our end.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
