
MAC Authentication Bypass

One way to control access to your network is the MAB (MAC Authentication Bypass) feature. It is useful when you have devices without 802.1X (dot1x) supplicant functionality: the switch takes the device's MAC address as its only credential and asks the RADIUS server whether that MAC is allowed on the port. Keep in mind that this makes the MAC address both the username and the password, so MAB is only as strong as an attacker's inability to learn and spoof a known MAC. Today I will implement a basic configuration and analyze the log messages. There is only one switch, SW1, with one device attached to port Fa1/0/2.
 
!
aaa new-model
aaa authentication dot1x default group radius
!    
!
int Fas1/0/2
authentication host-mode single-host 
authentication port-control auto 
mab
!

I haven’t configured ACS yet, but let’s see what error message I receive (the mab-ev / mab-sm lines below come from debug mab; the %AUTHMGR and %MAB lines are the switch's own syslog messages):
 
SW1(config-if)#
mab-ev(Fa1/0/2): Received MAB context create from AuthMgr
mab-ev(Fa1/0/2): Created MAB client context 0x1100000F
    mab : initial state mab_initialize has enter
mab-ev(Fa1/0/2): Sending create new context event to EAP from MAB for 0x1100000F (0000.0000.0000)
mab-sm(Fa1/0/2): Received event 'MAB_START' on handle 0x1100000F
    mab : during state mab_initialize, got event 4(mabStart)
@@@ mab : mab_initialize -> mab_acquiring
SW1(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
SW1(config-if)#
mab-ev: Received NEW MAC (8843.e1e3.b1f0) for 0x1100000F
%AUTHMGR-5-START: Starting 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 88011309000000060085099E
SW1(config-if)#
mab-sm(Fa1/0/2): Received event 'MAB_AVAILABLE' on handle 0x1100000F
    mab : during state mab_acquiring, got event 7(mabAvailable)
@@@ mab : mab_acquiring -> mab_authorizing
mab-ev(Fa1/0/2): Starting MAC-AUTH-BYPASS for 0x1100000F (8843.e1e3.b1f0)
SW1(config-if)#
mab-ev(Fa1/0/2): MAB received an Access-Reject for 0x1100000F (8843.e1e3.b1f0)
%MAB-5-FAIL: Authentication failed for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 88011309000000060085099E
mab-sm(Fa1/0/2): Received event 'MAB_RESULT' on handle 0x1100000F
    mab : during state mab_authorizing, got event 5(mabResult)
@@@ mab : mab_authorizing -> mab_terminate
mab-ev(Fa1/0/2): Deleted credentials profile for 0x1100000F (dot1x_mac_auth_8843e1e3b1f0)
mab-ev(Fa1/0/2): Sending event (2) to AuthMGR for 8843.e1e3.b1f0
%AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 88011309000000060085099E
%AUTHMGR-5-FAIL: Authorization failed for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 88011309000000060085099E 
SW1(config-if)#

On ACS I see the following error message:

“RADIUS Request dropped: 11007 Could not locate Network Device or AAA Client”

I have to add SW1 to the Network Devices list on ACS and then check the result once again.
 
SW1#
%SYS-5-CONFIG_I: Configured from console by console
mab-ev(Fa1/0/2): Received MAB context create from AuthMgr
mab-ev(Fa1/0/2): Created MAB client context 0x2D000010
    mab : initial state mab_initialize has enter
mab-ev(Fa1/0/2): Sending create new context event to EAP from MAB for 0x2D000010 (0000.0000.0000)
mab-sm(Fa1/0/2): Received event 'MAB_START' on handle 0x2D000010
    mab : during state mab_initialize, got event 4(mabStart)
@@@ mab : mab_initialize -> mab_acquiring
SW1#
%LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
SW1#
mab-ev: Received NEW MAC (8843.e1e3.b1f0) for 0x2D000010
%AUTHMGR-5-START: Starting 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369
mab-sm(Fa1/0/2): Received event 'MAB_AVAILABLE' on handle 0x2D000010
    mab : during state mab_acquiring, got event 7(mabAvailable)
@@@ mab : mab_acquiring -> mab_authorizing
mab-ev(Fa1/0/2): Starting MAC-AUTH-BYPASS for 0x2D000010 (8843.e1e3.b1f0)
mab-ev(Fa1/0/2): MAB received an Access-Reject for 0x2D000010 (8843.e1e3.b1f0)
%MAB-5-FAIL: Authentication failed for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369
mab-sm(Fa1/0/2): Received event 'MAB_RESULT' on handle 0x2D000010
    mab : during state mab_authorizing, got event 5(mabResult)
@@@ mab : mab_authorizing -> mab_terminate
mab-ev(Fa1/0/2): Deleted credentials profile for 0x2D000010 (dot1x_mac_auth_8843e1e3b1f0)
mab-ev(Fa1/0/2): Sending event (2) to AuthMGR for 8843.e1e3.b1f0
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369
%AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369
%AUTHMGR-5-FAIL: Authorization failed for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369
mab-sm(Fa1/0/2): Received event 'MAB_DELETE' on handle 0x2D000010
mab-ev(Fa1/0/2): Received ABORT event from Auth Mgr for 0x2D000010 (8843.e1e3.b1f0)
mab-ev(Fa1/0/2): Deleted credentials profile for 0x2D000010 (dot1x_mac_auth_8843e1e3b1f0)
mab-ev: Freed MAB client context
SW1#

On ACS I see:

“Authentication failed: 22056 Subject not found in the applicable identity store(s)”

To fix the problem I have to add the MAC address to the hosts database:

Users and Identity Stores->Internal Identity Stores->Hosts

One mandatory step here is to tell the Access Policy that the identity lookup now includes the hosts store; otherwise the default identity source never consults it and the lookup keeps failing. We change it by:

a) Users and Identity Stores->Identity Store Sequences - create a new identity store sequence and add Hosts to the available identity stores

b) Access Policies->Access Services->Default Network Access->Identity - and change the Identity Source to the new sequence

Let’s test it once again:
 
SW1(config-if)#
mab-ev(Fa1/0/2): Received MAB context create from AuthMgr
mab-ev(Fa1/0/2): Created MAB client context 0xF5000018
    mab : initial state mab_initialize has enter
mab-ev(Fa1/0/2): Sending create new context event to EAP from MAB for 0xF5000018 (0000.0000.0000)
mab-sm(Fa1/0/2): Received event 'MAB_START' on handle 0xF5000018
    mab : during state mab_initialize, got event 4(mabStart)
@@@ mab : mab_initialize -> mab_acquiring
SW1(config-if)#
%LINK-3-UPDOWN: Interface FastEthernet1/0/2, changed state to up
SW1(config-if)#
mab-ev: Received NEW MAC (8843.e1e3.b1f0) for 0xF5000018
%AUTHMGR-5-START: Starting 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801130900000009008EDC11
mab-sm(Fa1/0/2): Received event 'MAB_AVAILABLE' on handle 0xF5000018
    mab : during state mab_acquiring, got event 7(mabAvailable)
@@@ mab : mab_acquiring -> mab_authorizing
mab-ev(Fa1/0/2): Starting MAC-AUTH-BYPASS for 0xF5000018 (8843.e1e3.b1f0)
mab-ev(Fa1/0/2): MAB received an Access-Accept for 0xF5000018 (8843.e1e3.b1f0)
%MAB-5-SUCCESS: Authentication successful for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801130900000009008EDC11
mab-sm(Fa1/0/2): Received event 'MAB_RESULT' on handle 0xF5000018
    mab : during state mab_authorizing, got event 5(mabResult)
@@@ mab : mab_authorizing -> mab_terminate
mab-ev(Fa1/0/2): Deleted credentials profile for 0xF5000018 (dot1x_mac_auth_8843e1e3b1f0)
mab-ev(Fa1/0/2): Sending event (2) to AuthMGR for 8843.e1e3.b1f0
%AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801130900000009008EDC11
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801130900000009008EDC11

As we can see, the result is now ‘success’.
 
SW1#sh mab all
MAB details for FastEthernet1/0/2
-------------------------------------
Mac-Auth-Bypass           = Enabled
SW1#sh authentication sessions interface Fa1/0/2
            Interface:  FastEthernet1/0/2
          MAC Address:  8843.e1e3.b1f0
           IP Address:  Unknown
            User-Name:  88-43-E1-E3-B1-F0
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  8801130900000009008EDC11
      Acct Session ID:  0x00000009
               Handle:  0xA1000009

Runnable methods list:
       Method   State
       mab      Authc Success

SW1#
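To compare the three runs above without scanning the whole debug output, here is an added Python example (written for this page; it is not part of the original post and not Cisco software) that groups the %AUTHMGR and %MAB syslog lines by AuditSessionID, records the per-method result and the final authorization outcome for each session, and counts failed sessions per MAC and port. Repeated MAB failures from the same MAC on the same port are a cheap signal for either a misconfigured server (the first two runs) or a device that keeps hitting a MAB-protected port without being in the host database. The sample lines are copied from the three runs above; the alert threshold is an assumption.

```python
"""Summarise Cisco AUTHMGR/MAB syslog lines per authentication session.
Added example written for this page, not Cisco code. The sample lines are
copied from the three debug runs above; the threshold is made up."""
import re
from collections import Counter, defaultdict

# e.g. %AUTHMGR-5-START: Starting 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801...
SESSION_LINE = re.compile(
    r"%(?P<fac>AUTHMGR|MAB)-(?P<sev>\d)-(?P<mnem>[A-Z]+): (?P<msg>.*?) for client "
    r"\((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)
METHOD_RESULT = re.compile(r"Authentication result '(?P<result>[^']+)' from '(?P<method>\w+)'")

SAMPLE = [  # constructed from the debug output above (one line per relevant message)
    "%AUTHMGR-5-START: Starting 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 88011309000000060085099E",
    "%MAB-5-FAIL: Authentication failed for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 88011309000000060085099E",
    "%AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 88011309000000060085099E",
    "%AUTHMGR-5-FAIL: Authorization failed for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 88011309000000060085099E",
    "%AUTHMGR-5-START: Starting 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369",
    "%MAB-5-FAIL: Authentication failed for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369",
    "%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369",
    "%AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369",
    "%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369",
    "%AUTHMGR-5-FAIL: Authorization failed for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000700875369",
    "%AUTHMGR-5-START: Starting 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801130900000009008EDC11",
    "%MAB-5-SUCCESS: Authentication successful for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801130900000009008EDC11",
    "%AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801130900000009008EDC11",
    "%AUTHMGR-5-SUCCESS: Authorization succeeded for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 8801130900000009008EDC11",
]


def new_session():
    return {"mac": None, "interface": None, "methods": {}, "authorized": None, "exhausted": False}


def summarise(lines):
    """Group messages by AuditSessionID. Per session: the result reported by each
    method ('server dead', 'no-response', 'success', ...), whether the switch ran
    out of methods, and the final authorization outcome (AUTHMGR-5-SUCCESS/FAIL)."""
    sessions = defaultdict(new_session)
    for line in lines:
        m = SESSION_LINE.search(line)
        if not m:
            continue                      # not an AUTHMGR/MAB session message
        s = sessions[m["sid"]]
        s["mac"], s["interface"] = m["mac"], m["intf"]
        if m["mnem"] == "RESULT":
            r = METHOD_RESULT.search(m["msg"])
            s["methods"][r["method"]] = r["result"]
        elif m["mnem"] == "NOMOREMETHODS":
            s["exhausted"] = True
        elif m["fac"] == "AUTHMGR" and m["mnem"] in ("SUCCESS", "FAIL"):
            s["authorized"] = m["mnem"] == "SUCCESS"
    return dict(sessions)


def failures_by_mac(sessions):
    """Failed authorizations counted per (MAC, interface) across sessions."""
    return Counter((s["mac"], s["interface"])
                   for s in sessions.values() if s["authorized"] is False)


def repeat_offenders(sessions, threshold=2):
    """(MAC, interface) pairs with at least `threshold` failed sessions: worth a
    look whether the cause is the server (as in the runs above) or the device."""
    return sorted(k for k, n in failures_by_mac(sessions).items() if n >= threshold)


if __name__ == "__main__":
    for sid, s in summarise(SAMPLE).items():
        print(sid, s["mac"], s["interface"], s["methods"], "authorized:", s["authorized"])
    print("repeat offenders:", repeat_offenders(summarise(SAMPLE)))
```

The AuditSessionID is the key to join with the server side: ACS logs the same session ID, so the "11007" and "22056" messages quoted in this post can be matched to the exact switch session that reported 'server dead' or 'no-response'.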

The second option for MAB is EAP-MD5 authentication (‘mab eap’). Instead of sending the MAC address as a PAP-style User-Password, the switch answers the server's MD5 challenge on behalf of the host, so the password itself is not carried in the clear. From a security perspective, however, it doesn’t improve anything: the ‘password’ is still the MAC address, which is sent in clear text as the username anyway and can be spoofed by anyone who sees it on the wire.
 
interface FastEthernet1/0/2
 mab eap

You should remember that now the device has to be in the ‘hosts’ database with username and password = MAC address. Be careful with the password because it is case sensitive! Note the User-Name form in the session output below (8843e1e3b1f0: lower case, no separators); the stored password has to match it exactly.
 
SW1#clear authentication sessions
SW1#
mab-ev(Fa1/0/2): Received MAB context create from AuthMgr
mab-ev(Fa1/0/2): Created MAB client context 0xE7000025
    mab : initial state mab_initialize has enter
mab-ev(Fa1/0/2): Sending create new context event to EAP from MAB for 0xE7000025 (0000.0000.0000)
mab-sm(Fa1/0/2): Received event 'MAB_START' on handle 0xE7000025
    mab : during state mab_initialize, got event 4(mabStart)
@@@ mab : mab_initialize -> mab_acquiring
SW1#
mab-ev: Received NEW MAC (8843.e1e3.b1f0) for 0xE7000025
%AUTHMGR-5-START: Starting 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000E00AD9407
mab-sm(Fa1/0/2): Received event 'MAB_AVAILABLE' on handle 0xE7000025
    mab : during state mab_acquiring, got event 7(mabAvailable)
@@@ mab : mab_acquiring -> mab_authorizing
mab-ev(Fa1/0/2): Starting MAC-AUTH-BYPASS for 0xE7000025 (8843.e1e3.b1f0)
mab-ev(Fa1/0/2): MAB received an Access-Accept for 0xE7000025 (8843.e1e3.b1f0)
%MAB-5-SUCCESS: Authentication successful for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000E00AD9407
mab-sm(Fa1/0/2): Received event 'MAB_RESULT' on handle 0xE7000025
    mab : during state mab_authorizing, got event 5(mabResult)
@@@ mab : mab_authorizing -> mab_terminate
mab-ev(Fa1/0/2): Deleted credentials profile for 0xE7000025 (dot1x_mac_auth_8843e1e3b1f0)
mab-ev(Fa1/0/2): Sending event (2) to AuthMGR for 8843.e1e3.b1f0
%AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000E00AD9407
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/2, changed state to up
%AUTHMGR-5-SUCCESS: Authorization succeeded for client (8843.e1e3.b1f0) on Interface Fa1/0/2 AuditSessionID 880113090000000E00AD9407
SW1#
SW1#sh authentication sessions interface fa1/0/2
            Interface:  FastEthernet1/0/2
          MAC Address:  8843.e1e3.b1f0
           IP Address:  Unknown
            User-Name:  8843e1e3b1f0
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  single-host
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  880113090000000E00AD9407
      Acct Session ID:  0x0000000E
               Handle:  0x5D00000E

Runnable methods list:
       Method   State
       mab      Authc Success

SW1#sh mab all
MAB details for FastEthernet1/0/2
-------------------------------------
Mac-Auth-Bypass           = Enabled (EAP)

SW1#

For ‘mab’ the following RADIUS attributes are used (as seen on ACS):

Authentication Method = Lookup; Service-Type = Call Check

and for ‘mab eap’:

Authentication Method = CHAP/MD5; Service-Type = Framed
  • very good documentation about mab:
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html
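The attribute summary above and the earlier note on ‘mab eap’ (the password is the MAC address and is case sensitive) can be seen concretely by building the two Access-Requests. The following Python is an added example written for this page, not Cisco or ACS code. The shared secret, Request Authenticator, EAP identifier and challenge, and the Calling-Station-Id format are assumed test values; the User-Name forms (88-43-E1-E3-B1-F0 for ‘mab’, 8843e1e3b1f0 for ‘mab eap’) follow the two show authentication sessions outputs above. It builds a ‘mab’ request (Service-Type Call-Check, MAC as a User-Password hidden per RFC 2865) and a ‘mab eap’ request (Service-Type Framed, EAP-MD5 response per RFC 3748), then shows what an on-path observer reads from each without the secret, and that the server's MD5 check fails when the stored password differs from the User-Name only in case.

```python
"""Build the RADIUS Access-Request a switch sends for 'mab' (MAC as PAP
User-Password, Service-Type Call-Check) and for 'mab eap' (EAP-MD5 response,
Service-Type Framed), then inspect both. Added example for this page, not
Cisco/ACS code. Assumed: shared secret, Request Authenticator, EAP id and
challenge, Calling-Station-Id format. User-Name forms follow the two
'show authentication sessions' outputs above."""
import hashlib
import hmac
import struct

# RADIUS attribute types (RFC 2865/2869) and the values MAB uses
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
CALLING_STATION_ID, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 31, 79, 80
SERVICE_FRAMED, SERVICE_CALL_CHECK = 2, 10
ACCESS_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

MAC = "8843.e1e3.b1f0"                       # the host from the debug output above
MAC_PLAIN = MAC.replace(".", "")             # 8843e1e3b1f0  (User-Name with 'mab eap')
MAC_DASHED = "-".join(MAC_PLAIN[i:i + 2].upper() for i in range(0, 12, 2))  # 88-43-E1-E3-B1-F0

def avp(attr_type, value):
    """One RADIUS attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(secret, req_auth, password):
    """User-Password hiding (RFC 2865 5.2): 16-byte blocks XORed with
    MD5(secret + previous ciphertext block), the first with MD5(secret + RA)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def eap_md5_response(eap_id, password, challenge):
    """EAP Response/MD5-Challenge (RFC 3748 5.4): Value = MD5(id || password || challenge)."""
    value = hashlib.md5(bytes([eap_id]) + password + challenge).digest()
    body = bytes([EAP_TYPE_MD5, len(value)]) + value
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def access_request(secret, req_auth, attrs, ident=0x2A):
    """Wrap attributes in an Access-Request; the last attribute is Message-Authenticator,
    an HMAC-MD5 over the packet computed with that attribute's value zeroed."""
    attrs += avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, "md5").digest()

def mab_request(secret, req_auth):
    """'mab': the MAC is both User-Name and User-Password; Service-Type Call-Check."""
    attrs = (avp(USER_NAME, MAC_DASHED.encode())
             + avp(USER_PASSWORD, hide_password(secret, req_auth, MAC_DASHED.encode()))
             + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_CALL_CHECK))
             + avp(CALLING_STATION_ID, MAC_DASHED.encode()))
    return access_request(secret, req_auth, attrs)

def mab_eap_request(secret, req_auth, eap_id, challenge):
    """'mab eap': the switch answers the server's MD5 challenge using the MAC as the password."""
    attrs = (avp(USER_NAME, MAC_PLAIN.encode())
             + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED))
             + avp(CALLING_STATION_ID, MAC_DASHED.encode())
             + avp(EAP_MESSAGE, eap_md5_response(eap_id, MAC_PLAIN.encode(), challenge)))
    return access_request(secret, req_auth, attrs)

def parse_attrs(pkt):
    """Attributes of a RADIUS packet as a list of (type, value)."""
    attrs, i = [], 20
    while i < len(pkt):
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return attrs

def identity_in_clear(pkt):
    """What an on-path observer reads without knowing the shared secret."""
    return {t: v.decode() for t, v in parse_attrs(pkt) if t in (USER_NAME, CALLING_STATION_ID)}

def verify_message_authenticator(pkt, secret):
    """Server-side check of the Message-Authenticator (last attribute in our packets)."""
    zeroed = pkt[:-16] + b"\x00" * 16
    return hmac.compare_digest(pkt[-16:], hmac.new(secret, zeroed, "md5").digest())

def verify_eap_md5(pkt, challenge, candidate):
    """Check the MD5-Challenge response against a candidate password, as the server
    does. An observer who saw the challenge can do the same with the MAC taken from
    User-Name; and because the MD5 input is case sensitive, a host entry whose
    password differs from the User-Name form only in case fails."""
    eap = b"".join(v for t, v in parse_attrs(pkt) if t == EAP_MESSAGE)
    eap_id, value_size = eap[1], eap[5]
    expected = hashlib.md5(bytes([eap_id]) + candidate + challenge).digest()
    return hmac.compare_digest(eap[6:6 + value_size], expected)
```

Whichever variant is configured, User-Name and Calling-Station-Id carry the MAC in the clear and the MAC is also the only credential, which is why ‘mab eap’ buys nothing over plain ‘mab’ against an attacker who can sniff or guess the address. The Message-Authenticator is the one thing in these packets that actually depends on the shared secret; it protects the request from tampering, not the identity from disclosure.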
