Sunday, August 31, 2014

MAC Authentication Bypass

One of the method to control your network is using MAB feature. It is helpful in case you have devices without dot1x functionality. Today I will try to implement basic configuration and analyze log messages. There is only one switch SW1 and one device attached to port Fa1/0/2.
 
!
aaa new-model
aaa authentication dot1x default group radius
!    
!
int Fas1/0/2
authentication host-mode single-host 
authentication port-control auto 
mab
!

I haven’t configured ACS yet but let’s see what error message I receive:
 
SW1(config-if)#
mab-ev(Fa1/0/2): Received MAB context create from AuthMgr
mab-ev(Fa1/0/2): Created MAB client context 0x1100000F
    mab : initial state mab_initialize has enter
mab-ev(Fa1/0/2): Sending create new context event to EAP from MAB for 0x1100000F (0000.0000.0000)
mab-sm(Fa1/0/2): Received event 'MAB_START' on handle 0x1100000F
    mab : during state mab_initialize, got event 4(mabStart)
@@@ mab : mab_initialize -> mab_acquiring
SW1(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
SW1(config-if)#
mab-ev: Received NEW MAC (8843.e1e3.b1f0) for 0x1100000F
%AUTHMGR-5-START: Starting 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 88011309000000060085099E
SW1(config-if)#
mab-sm(Fa1/0/2): Received event 'MAB_AVAILABLE' on handle 0x1100000F
    mab : during state mab_acquiring, got event 7(mabAvailable)
@@@ mab : mab_acquiring -> mab_authorizing
mab-ev(Fa1/0/2): Starting MAC-AUTH-BYPASS for 0x1100000F (8843.e1e3.b1f0)
SW1(config-if)#
mab-ev(Fa1/0/2): MAB received an Access-Reject for 0x1100000F (8843.e1e3.b1f0)
%MAB-5-FAIL: Authentication failed for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 88011309000000060085099E
mab-sm(Fa1/0/2): Received event 'MAB_RESULT' on handle 0x1100000F
    mab : during state mab_authorizing, got event 5(mabResult)
@@@ mab : mab_authorizing -> mab_terminate
mab-ev(Fa1/0/2): Deleted credentials profile for 0x1100000F (dot1x_mac_auth_8843e1e3b1f0)
mab-ev(Fa1/0/2): Sending event (2) to AuthMGR for 8843.e1e3.b1f0
%AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 88011309000000060085099E
%AUTHMGR-5-FAIL: Authorization failed for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 88011309000000060085099E 
SW1(config-if)#

On ACS I see following error message:

“RADIUS Request dropped: 11007 Could not locate Network Device or AAA Client”

I have to add the SW1 to the Network Device list and then check the result once again.
 
SW1#
%SYS-5-CONFIG_I: Configured from console by console
mab-ev(Fa1/0/2): Received MAB context create from AuthMgr
mab-ev(Fa1/0/2): Created MAB client context 0x2D000010
    mab : initial state mab_initialize has enter
mab-ev(Fa1/0/2): Sending create new context event to EAP from MAB for 0x2D000010 (0000.0000.0000)
mab-sm(Fa1/0/2): Received event 'MAB_START' on handle 0x2D000010
    mab : during state mab_initialize, got event 4(mabStart)
@@@ mab : mab_initialize -> mab_acquiring
SW1#
%LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
SW1#
mab-ev: Received NEW MAC (8843.e1e3.b1f0) for 0x2D000010
%AUTHMGR-5-START: Starting 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369
mab-sm(Fa1/0/2): Received event 'MAB_AVAILABLE' on handle 0x2D000010
    mab : during state mab_acquiring, got event 7(mabAvailable)
@@@ mab : mab_acquiring -> mab_authorizing
mab-ev(Fa1/0/2): Starting MAC-AUTH-BYPASS for 0x2D000010 (8843.e1e3.b1f0)
mab-ev(Fa1/0/2): MAB received an Access-Reject for 0x2D000010 (8843.e1e3.b1f0)
%MAB-5-FAIL: Authentication failed for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369
mab-sm(Fa1/0/2): Received event 'MAB_RESULT' on handle 0x2D000010
    mab : during state mab_authorizing, got event 5(mabResult)
@@@ mab : mab_authorizing -> mab_terminate
mab-ev(Fa1/0/2): Deleted credentials profile for 0x2D000010 (dot1x_mac_auth_8843e1e3b1f0)
mab-ev(Fa1/0/2): Sending event (2) to AuthMGR for 8843.e1e3.b1f0
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369
%AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369
%AUTHMGR-5-FAIL: Authorization failed for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369
mab-sm(Fa1/0/2): Received event 'MAB_DELETE' on handle 0x2D000010
mab-ev(Fa1/0/2): Received ABORT event from Auth Mgr for 0x2D000010 (8843.e1e3.b1f0)
mab-ev(Fa1/0/2): Deleted credentials profile for 0x2D000010 (dot1x_mac_auth_8843e1e3b1f0)
mab-ev: Freed MAB client context
SW1#

On ACS I see:

“Authentication failed: 22056 Subject not found in the applicable identity store(s)”

To fix the problem I have to add the mac address to the hosts database:

Users and Identity Stores->Internal Identity Stores->Hosts

One mandatory step here is letting know the Access Policy that the default identity was extended to hosts. We can change it by adding:

a) Users and Identity Stores->Identity Stores Sequences - create a new IS add hosts to available identity stores

b) Access Policies->Access Services->Default Network Access->Identity- and change Identity Source to the new one

Let’s test it once again:
 
SW1(config-if)#
mab-ev(Fa1/0/2): Received MAB context create from AuthMgr
mab-ev(Fa1/0/2): Created MAB client context 0xF5000018
    mab : initial state mab_initialize has enter
mab-ev(Fa1/0/2): Sending create new context event to EAP from MAB for 0xF5000018 (0000.0000.0000)
mab-sm(Fa1/0/2): Received event 'MAB_START' on handle 0xF5000018
    mab : during state mab_initialize, got event 4(mabStart)
@@@ mab : mab_initialize -> mab_acquiring
SW1(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
SW1(config-if)#
mab-ev: Received NEW MAC (8843.e1e3.b1f0) for 0xF5000018
%AUTHMGR-5-START: Starting 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801130900000009008EDC11
mab-sm(Fa1/0/2): Received event 'MAB_AVAILABLE' on handle 0xF5000018
    mab : during state mab_acquiring, got event 7(mabAvailable)
@@@ mab : mab_acquiring -> mab_authorizing
mab-ev(Fa1/0/2): Starting MAC-AUTH-BYPASS for 0xF5000018 (8843.e1e3.b1f0)
mab-ev(Fa1/0/2): MAB received an Access-Accept for 0xF5000018 (8843.e1e3.b1f0)
%MAB-5-SUCCESS: Authentication successful for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801130900000009008EDC11
mab-sm(Fa1/0/2): Received event 'MAB_RESULT' on handle 0xF5000018
    mab : during state mab_authorizing, got event 5(mabResult)
@@@ mab : mab_authorizing -> mab_terminate
mab-ev(Fa1/0/2): Deleted credentials profile for 0xF5000018 (dot1x_mac_auth_8843e1e3b1f0)
mab-ev(Fa1/0/2): Sending event (2) to AuthMGR for 8843.e1e3.b1f0
%AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801130900000009008EDC11
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801130900000009008EDC11

As we see the result now is ‘success’.
 
SW1#sh mab all
MAB details for FastEthernet1/0/2
-------------------------------------
Mac-Auth-Bypass           = Enabled
SW1#sh authentication sessions interface Fa1/0/2
            Interface:  FastEthernet1/0/2
          MAC Address:  8843.e1e3.b1f0
           IP Address:  Unknown
            User-Name:  88-43-E1-E3-B1-F0
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  8801130900000009008EDC11
      Acct Session ID:  0x00000009
               Handle:  0xA1000009

Runnable methods list:
       Method   State
       mab      Authc Success

SW1#

The second option for mab is using EAP-MD5 authentication. The password (mac address) is encrypted but from security perspective it doesn’t improve anything.
 
interface FastEthernet1/0/2
 mab eap

You should remember that now the device has to be in ‘hosts’ database with username and password = mac address. Be careful with password because it is case sensitive !
 
SW1#clear authentication sessions
SW1#
mab-ev(Fa1/0/2): Received MAB context create from AuthMgr
mab-ev(Fa1/0/2): Created MAB client context 0xE7000025
    mab : initial state mab_initialize has enter
mab-ev(Fa1/0/2): Sending create new context event to EAP from MAB for 0xE7000025 (0000.0000.0000)
mab-sm(Fa1/0/2): Received event 'MAB_START' on handle 0xE7000025
    mab : during state mab_initialize, got event 4(mabStart)
@@@ mab : mab_initialize -> mab_acquiring
SW1#
mab-ev: Received NEW MAC (8843.e1e3.b1f0) for 0xE7000025
%AUTHMGR-5-START: Starting 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000E00AD9407
mab-sm(Fa1/0/2): Received event 'MAB_AVAILABLE' on handle 0xE7000025
    mab : during state mab_acquiring, got event 7(mabAvailable)
@@@ mab : mab_acquiring -> mab_authorizing
mab-ev(Fa1/0/2): Starting MAC-AUTH-BYPASS for 0xE7000025 (8843.e1e3.b1f0)
mab-ev(Fa1/0/2): MAB received an Access-Accept for 0xE7000025 (8843.e1e3.b1f0)
%MAB-5-SUCCESS: Authentication successful for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000E00AD9407
mab-sm(Fa1/0/2): Received event 'MAB_RESULT' on handle 0xE7000025
    mab : during state mab_authorizing, got event 5(mabResult)
@@@ mab : mab_authorizing -> mab_terminate
mab-ev(Fa1/0/2): Deleted credentials profile for 0xE7000025 (dot1x_mac_auth_8843e1e3b1f0)
mab-ev(Fa1/0/2): Sending event (2) to AuthMGR for 8843.e1e3.b1f0
%AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000E00AD9407
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000E00AD9407
SW1#
SW1#sh authentication sessions interface fa1/0/2
            Interface:  FastEthernet1/0/2
          MAC Address:  8843.e1e3.b1f0
           IP Address:  Unknown
            User-Name:  8843e1e3b1f0
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  880113090000000E00AD9407
      Acct Session ID:  0x0000000E
               Handle:  0x5D00000E

Runnable methods list:
       Method   State
       mab      Authc Success

SW1#sh mab all
MAB details for FastEthernet1/0/2
-------------------------------------
Mac-Auth-Bypass           = Enabled (EAP)

SW1#

For ‘mab’ following radius attributes are used:

Authentication Method = Lookup; Service-Type = Call Check and for ‘mab eap’:

Authentication Method = CHAP/MD5; Service-Type = Framed
  • very good documentation about mab:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html

No comments:

Post a Comment