Securing non 802.1X Supported IoT or Other Endpoints - MAC Authentication Bypass (MAB)
In this section, we will learn how to configure MAC Authentication Bypass (MAB) for endpoints that do not support 802.1X, so that identity-based dynamic authorization can still be applied to them when they connect to your network.
Authentication Flow
Firstly, let’s try to understand the authentication flow for this specific use-case. As shown in the diagram below, our goal is to authenticate endpoints connected to the network (an SSID or a switchport) using MAC Authentication Bypass (MAB).
Following is the sequence of steps in the authentication flow:
- The endpoint initiates the connection with the SSID or Switchport.
- The Network Device will request the identity of the endpoint.
- The endpoint will not respond with identity information, as it does not have an 802.1X supplicant configured.
- The 802.1x process will timeout.
- The endpoint sends any frame; the network device reads the source MAC address of that frame and uses it as the endpoint's identity.
- The Network Device will forward the identity information (MAC address in this case) to Cisco Meraki Cloud over a Cisco proprietary AES-256-bit encrypted tunnel.
- Access Manager evaluates the session against the configured rules – a rule is matched only if all of its conditions are met (for example, an Endpoint Group condition whose group contains this MAC address), and the authorization configured on the matched rule is applied as the result.
- The resulting authorization (SGT, VLAN etc.) will be sent back to the Network Device for enforcement.
- The endpoint will be connected successfully.
Configuration Steps
This section covers the configuration steps at a high level to explain the various components of the workflow. The configuration needed for this use-case can be broken down into the following steps:
- Add clients to the clients table on the Meraki Dashboard.
- Configure SSIDs and Switches to use Access Manager.
- Configure authorizations to be used – SGTs, VLANs, Group Policies etc.
- Configure Access Manager rules for policy evaluation.
Add Clients To Meraki Dashboard
- Navigate to Access Manager > Configure > Clients
- Click on Client Groups tab at the top.
- Click on Add groups > Enter a Group Name
- You can add clients to this group from the same page by clicking on Add Clients > Add existing clients or Add a client; the same can be done from the Clients tab.
- Enter the client details like Description, MAC address and Client Groups to be associated with and click save.
Configure Wireless And Wired Networks To Use Access Manager
Wireless - Configure SSID Access Control Settings
- Assuming you already have an MR added to your dashboard and licensed appropriately, navigate to Wireless > Configure > Access control.
- Choose the SSID you want to use for this use-case and rename it if you need.
- Navigate to Security section and choose MAC-based access control (no encryption) with Access Manager as shown below:
- Feel free to change any other SSID settings like Client IP and VLAN assignment etc. as needed and click save at the bottom.
Wired - Configure Access Policy and Switch-Port
- For wired connections, you will need to configure an Access Policy that uses Access Manager as the authentication method and attach that Access Policy to the switch-port(s) where the endpoint(s) will connect.
Following are the high-level steps to configure an access policy and switch-ports to use Access Manager as the authentication server:
For detailed instructions on how to configure Access Policies, refer to our documentation on Access Policy.
- Assuming you already have an MS added to your dashboard and licensed appropriately, navigate to Switching > Configure > Access Policies.
- Click on Add policy.
- Choose Access Manager from the Authentication method dropdown.
- Configure other settings like MAC Authentication Bypass as Policy Type etc. as desired for the use-case.
- Navigate to Switching > Switches and select the switch you would like to attach the configured access policy.
- Click on one of the ports where the endpoint/s will be connected to and where you would like to attach the configured access policy.
- Click the Edit button next to Configuration and Status.
- Select Access for Type.
- Choose previously created Access Policy (Smart Thermostats in this example) from the Access Policy dropdown menu.
- Click on Update.
- Optionally, you can update multiple ports at a time by navigating to Switching > Switch Ports and selecting multiple ports.
Configure Access Manager Rules
Now that we have everything in place, it is time to configure the Access Manager rules which will determine what authorization (SGTs, VLANs, Group Policies) will be applied to the endpoints when they authenticate.
The rule framework is very straightforward – define the matching criteria and define the corresponding authorization result to be assigned. Following are the steps needed for this configuration:
- Following is an example rule that we will use to illustrate how to configure rules:
- Navigate to Access Manager > Policies > Access Rules
Note: For this Early Access Preview, we only support one rule group (default rule group) with the ability to add multiple rules under it.
- To add a rule, click on Add a rule. Name and enable the rule.
- Under the What’s matched section, choose a source from the Attribute source dropdown.
- Then, you will be able to select an attribute and enter the values you want to match – as an example, we used Endpoint Group = Smart thermostats.
- Under Authorization section, click on Access permission dropdown to choose an option.
- VLAN ID/name: Assigns a VLAN ID or VLAN name. For successful connection, make sure that the VLAN entered here is present in the network where the endpoint is authenticating.
- Voice domain: Enabling this will ensure that voice traffic is permitted.
- Adaptive policy: Assigns an Adaptive Policy Group (and corresponding SGT value).
Refer to our Adaptive Policy documentation on how to implement zero-trust micro-segmentation policies through Adaptive Policy.
- Identity PSK: Applicable for MAC Authentication Bypass use-case only. Assigns a key to the session and if the key entered by the endpoint matches the key assigned, the rule will be matched and corresponding authorization (VLAN, Adaptive policy etc.) will be applied.
- Group policy: Assigns a group policy.
Refer to our Group policy documentation on how to define and apply a list of rules, restrictions, and other settings to the endpoints that are connecting to your network.
- As an example, we selected Allow restricted access, assigned Smart thermostats Adaptive Policy Group (SGT) and VLAN 200 that we created earlier. Click save after the selections.
- Now, any endpoint matching the criteria defined in the rule (Endpoint Group = Smart thermostats) will match the rule, and the corresponding authorization (VLAN = 200 and Adaptive Policy = Smart thermostats) will be applied.
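To make the rule evaluation concrete, the following Python model walks through the authentication flow described earlier and the rule framework configured in this section: the MAC address is the session's only identity, rules are checked in order, a rule matches only when all of its conditions hold (Endpoint Group membership and, where configured, the Identity PSK), and no match results in a deny. It also applies the caveat given for the VLAN ID/name setting, failing the session when the assigned VLAN is not present in the network where the endpoint authenticates. This is an added illustration, not Meraki code, and it does not talk to the dashboard or Access Manager; all names in it (EndpointGroup, AccessRule, evaluate_session, the sample MAC addresses and VLANs) are assumptions made for the example.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Added illustration of the MAB rule evaluation described on this page. It is
# not Meraki code and talks to no dashboard; every name below (EndpointGroup,
# AccessRule, evaluate_session, the sample MACs and VLANs) is an assumption.

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC as 12 lowercase hex digits.

    The MAC is the only identity a MAB session has, and it reaches the policy
    engine in whatever form the network device formats it (AA-BB-..., aa:bb:...,
    aabb.cc...). Comparing raw strings would silently miss group members.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class EndpointGroup:
    name: str
    macs: Set[str]  # normalized with normalize_mac()


@dataclass
class Authorization:
    access: str                                   # "allow", "allow_restricted" or "deny"
    vlan: Optional[int] = None                    # VLAN ID pushed to the network device
    adaptive_policy_group: Optional[str] = None   # carries the SGT
    identity_psk: Optional[str] = None            # key the endpoint must present


@dataclass
class AccessRule:
    name: str
    enabled: bool
    endpoint_group: str   # "What's matched": Endpoint Group = <name>
    authorization: Authorization


DENY = Authorization(access="deny")


def evaluate_session(mac: str, rules: List[AccessRule], groups: Dict[str, EndpointGroup],
                     presented_psk: Optional[str] = None,
                     available_vlans: Optional[Set[int]] = None) -> Authorization:
    """Return the authorization for a MAB session, or DENY if no rule matches.

    Rules are checked in order; a rule matches only when every condition holds
    (group membership and, if configured, the Identity PSK). A VLAN that does
    not exist where the endpoint authenticates fails the session, which is the
    caveat the page gives for the VLAN ID/name setting.
    """
    identity = normalize_mac(mac)
    for rule in rules:
        if not rule.enabled:
            continue
        group = groups.get(rule.endpoint_group)
        if group is None or identity not in group.macs:
            continue
        auth = rule.authorization
        if auth.identity_psk is not None:
            # Constant-time comparison so timing does not reveal how much of the key matched.
            if presented_psk is None or not hmac.compare_digest(
                    auth.identity_psk.encode(), presented_psk.encode()):
                continue
        if auth.vlan is not None and available_vlans is not None \
                and auth.vlan not in available_vlans:
            return DENY
        return auth
    return DENY


# Constructed sample policy mirroring the page's example: Endpoint Group
# "Smart thermostats" -> restricted access, VLAN 200, SGT via Adaptive Policy.
GROUPS = {
    "Smart thermostats": EndpointGroup(
        "Smart thermostats",
        {normalize_mac("AA:BB:CC:DD:EE:01"), normalize_mac("aa-bb-cc-dd-ee-02")}),
}
THERMOSTAT_AUTH = Authorization(access="allow_restricted", vlan=200,
                                adaptive_policy_group="Smart thermostats")
RULES = [AccessRule("Thermostats", True, "Smart thermostats", THERMOSTAT_AUTH)]


if __name__ == "__main__":
    for sample in ("AABB.CCDD.EE01", "00:11:22:33:44:55"):
        print(sample, "->", evaluate_session(sample, RULES, GROUPS))
```

Running the block evaluates one thermostat MAC (written in Cisco dotted form, which normalize_mac accepts) and one unknown MAC; the first receives VLAN 200 and the Smart thermostats Adaptive Policy group, the second is denied because no rule matched. Passing available_vlans lets you see the VLAN caveat take effect before the authorization would be pushed to the switch or access point.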