
Cisco Meraki Documentation

MAC Authentication Bypass (MAB) and iPSK for IOT Endpoints

In this section, we will learn how to configure MAC Authentication Bypass (MAB) for endpoints that do not support 802.1X, so that identity-based dynamic authorization can be applied to the endpoints connecting to your network.

Endpoints and Groups

1. Navigate to Access Manager > Configure > Clients
2. Select the Client Groups tab at the top.
3. Select Add Groups and enter:

  • Group Name
  • Description (optional)
group_details.png
4. Optionally add clients to this group by selecting Add Clients and choosing one of:
    - Add existing clients
    - Add a client
add_clients.png
5. Enter the client details (Description, MAC address and the Client Groups to associate it with) and select Save.
client_details.png
6. Repeat this process for as many groups as you need.
If you have many groups or some with many endpoints, you may want to consider creating your groups and their member endpoints via CSV import or APIs.

MAC Authentication Bypass (MAB) 

First, let's look at the authentication flow for this use case. As shown in the diagram below, the goal is to authenticate endpoints connecting to the network (an SSID or a switch port) using MAC Authentication Bypass (MAB).

MAC_Auth_Bypass_(MAB)_for_IOT.png

The following is the sequence of steps in the authentication flow:

  1. The endpoint initiates the connection with the SSID or switch port.
  2. The network device requests the identity of the endpoint.
  3. The endpoint does not respond with identity information, as it does not have 802.1X configured.
  4. The 802.1X process times out.
  5. The endpoint sends a packet that contains its MAC address in the source MAC address field.
  6. The network device forwards the identity information (the MAC address in this case) to the Cisco Meraki Cloud over a Cisco proprietary AES-256-bit encrypted tunnel.
  7. Access Manager evaluates the session against the configured rules. A rule is matched only if all of its conditions are met (for example, an endpoint group condition whose group contains this MAC address), and the authorization configured for that rule is applied as a result.
  8. The resulting authorization (SGT, VLAN and so forth) is sent back to the network device for enforcement.
  9. The endpoint is connected successfully.


Configure Wireless SSID Security Settings for Access Manager

1. Assuming you already have an MR added to your dashboard and licensed appropriately, navigate to Wireless > Configure > Access control.

2. Choose the SSID you want to use for this use case and rename it if needed.

Access-Control.png

3. Navigate to the Security section and choose MAC-based access control (no encryption) with Access Manager as shown below:

MAC-Based-Access.png

4. Change any other SSID settings (Client IP, VLAN assignment and others) as needed and click Save at the bottom.


Configure Wired Access Policies and Switch Ports

For wired connections, you will need to configure an Access Policy that uses Access Manager as the authentication method and attach that Access Policy to the switch port(s) where the endpoint(s) will be connecting.

For detailed instructions on how to configure Access Policies, refer to our documentation on Access Policy.

The following are the high-level steps to configure an access policy and switch ports to use Access Manager as the authentication server.

Assuming that you have an MS already added to your dashboard and licensed appropriately, navigate to Switching > Configure > Access Policies.

  1. Click on Add policy.
  2. Choose Access Manager from the Authentication method dropdown.
  3. Configure other settings, such as MAC authentication bypass as the Policy Type, as desired for the use case.
Policy-Type.png

4. Navigate to Switching > Monitor > Switches and select the switch to which you would like to attach the configured access policy.

  1. Select one of the ports where the endpoint(s) will be connected and to which you would like to attach the configured access policy.
  2. Click the Edit button next to Configuration and status.
  3. Select Access for Type.
  4. Choose the previously created Access Policy (Smart Thermostats in this example) from the Access Policy dropdown menu.
  5. Click on Update.
Optionally, you can update multiple ports at a time by navigating to Switching > Monitor > Switch Ports and selecting multiple ports.
Switch-Ports.png


Configure Access Manager MAB Rules

Now that we have everything in place, it is time to configure the Access Manager rules which will determine what authorization (SGTs, VLANs, Group Policies) will be applied to the endpoints when they authenticate.

The rule framework is very straightforward – define the matching criteria and define the corresponding authorization result to be assigned. The following are the steps needed for this configuration:

Access rules are evaluated sequentially from top to bottom. A session matches a rule ONLY IF ALL the conditions specified in the "What's Matched" section are satisfied; the conditions are linked by an "AND" operator, so each condition must be met for a successful match. If a rule is not matched, evaluation continues with the next rule in the list until the default rule is reached.


This is an example rule that we will use to illustrate how to configure rules:

Config-Rules.png
Navigate to Access Manager > Policies > Access Rules

Select Add a rule

  1. Give it a Name
  2. Enable the rule
  3. Under the What's matched section, choose an Attribute source from the dropdown.
  4. Select the attributes and enter the values to match.
    The example shows Endpoint Group = Smart thermostats.
smart_thermostat.png

Under Authorization section, click on the Access permission dropdown to choose an option:

  • VLAN ID/name: Assigns a VLAN ID or VLAN name. For a successful connection, make sure that the VLAN entered here is present in the network where the endpoint is authenticating.
  • Voice domain: Enabling this ensures that voice traffic is permitted.
  • Adaptive policy: Assigns an Adaptive Policy Group (and the corresponding SGT value).
Refer to our Adaptive Policy documentation on how to implement zero-trust micro-segmentation policies through Adaptive Policy.
  • Identity PSK: Applicable to the MAC Authentication Bypass use case only. Assigns a key to the session; if the key entered by the endpoint matches the assigned key, the rule is matched and the corresponding authorization (VLAN, Adaptive policy and so forth) is applied.
  • Group policy: Assigns a group policy.
Refer to our Group policy documentation on how to define and apply a list of rules, restrictions, and other settings to the endpoints that are connecting to your network.
  • As an example, we selected Allow restricted access and assigned the Smart thermostats Adaptive Policy Group (SGT) and VLAN 200 that we created earlier.
Authorisation.png
Select Save after making the selections.

Now, any endpoint meeting the criteria defined in the rule (endpoint group) will match the rule, and the corresponding authorization (VLAN = 200 and Adaptive Policy = Smart thermostats) will be applied.


iPSK (Identity Pre-Shared Key)

Wireless IoT endpoints often lack the sophisticated interfaces needed for enterprise authentication with 802.1X or certificate management. Many do support basic wireless pre-shared keys (PSKs), but using the same PSK for all endpoints in your network is not good security practice, since a single leak exposes every endpoint sharing that key. It is much better to use a unique identity pre-shared key (iPSK) tied to an endpoint (client) group or even to an endpoint MAC address.

Identity_Pre-Shared_Key_(iPSK)_ for_Wireless_IOT.png

In the example above:

  1. The handheld scanner attempts to associate to the wireless access point (AP) with its configured pre-shared key (PSK).
  2. The AP sends a new RADIUS MAB request to Cisco Access Manager.
  3. Access Manager verifies that the MAC belongs to the Client Group named Scanners.
  4. Access Manager checks the Access Rules and matches the Scanners rule, which applies to all members of the Scanners client group.
  5. Access Manager returns an authorization to the AP with a security group tag (SGT) and the iPSK assigned for the Scanners client group.
  6. The AP compares the scanner's PSK with the iPSK assigned by Access Manager; since they match, the scanner is authorized.
  7. The scanner gets a DHCP IP address and all its traffic is tagged with the Scanner SGT.
Access Manager assigns all iPSK values in the Access Rule authorization; they cannot be managed per endpoint/client or group.
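As an added illustration (not Meraki code; the MACs, group names, keys and the default-rule result are assumed sample values), this Python model walks through the rule evaluation described in the MAB rules section and the AP-side key comparison from the iPSK flow above: rules are tried top to bottom, every condition in a rule must match (AND), disabled rules are skipped, unmatched sessions fall to the default rule, and only an endpoint whose presented key equals the iPSK in the returned authorization is admitted.

```python
import hmac
from dataclasses import dataclass

# Constructed endpoint inventory (assumed sample MACs): MAC -> client group
CLIENT_GROUPS = {
    "aa:bb:cc:00:00:01": "Smart thermostats",
    "aa:bb:cc:00:00:02": "Scanners",
}

@dataclass
class Rule:
    name: str
    enabled: bool
    conditions: dict     # "What's matched": attribute -> value, linked by AND
    authorization: dict  # result applied on a match: VLAN, SGT, iPSK, ...

# Rules in dashboard order (top to bottom); values are assumed for illustration
RULES = [
    Rule("Smart thermostats", True, {"client_group": "Smart thermostats"},
         {"vlan": 200, "sgt": "Smart thermostats"}),
    Rule("Scanners", True, {"client_group": "Scanners"},
         {"sgt": "Scanners", "ipsk": "scanner-example-key"}),
    Rule("Legacy scanners by OUI", False, {"oui": "aa:bb:cc"}, {"vlan": 300}),
]
DEFAULT_AUTHORIZATION = {"access": "deny"}  # assumed result of the default rule

def session_attributes(mac: str) -> dict:
    """Attributes a MAB session carries: the source MAC, its OUI prefix and
    the client group the MAC was added to (None when the MAC is unknown)."""
    return {"mac": mac, "oui": mac[:8], "client_group": CLIENT_GROUPS.get(mac)}

def evaluate(mac: str) -> tuple:
    """Top-to-bottom evaluation: the first enabled rule whose conditions ALL
    match wins; disabled rules are skipped; no match falls to the default."""
    attrs = session_attributes(mac)
    for rule in RULES:
        if rule.enabled and all(attrs.get(k) == v for k, v in rule.conditions.items()):
            return rule.name, rule.authorization
    return "default", DEFAULT_AUTHORIZATION

def ap_ipsk_check(presented_psk: str, authorization: dict) -> bool:
    """AP-side step of the iPSK flow: the key the endpoint associated with must
    equal the iPSK returned in the authorization (constant-time comparison)."""
    assigned = authorization.get("ipsk")
    return assigned is not None and hmac.compare_digest(presented_psk, assigned)

def authorize_wireless(mac: str, presented_psk: str) -> tuple:
    """Full iPSK path: MAB rule lookup first, then the AP's key comparison."""
    name, auth = evaluate(mac)
    return name, ap_ipsk_check(presented_psk, auth)
```

The disabled OUI rule shows why an unknown MAC with a matching prefix still lands on the default rule, and the thermostat case shows that a rule without an iPSK in its authorization never admits a wireless iPSK client.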

Configure Identity PSK with RADIUS for Wireless Access Control Security

Configure Identity PSK with RADIUS as the wireless SSID authentication method with Access Manager in the Cisco Meraki Dashboard.

  1. In the Cisco Meraki Dashboard, navigate to Wireless > Configure > Access Control.
  2. Choose the SSID you want to authenticate using iPSK from the dropdown.
  3. Give it a Name and Enable it if you haven't already.
AM-Wireless_SSID-Basic_Info.png
  4. Under Security, choose Identity PSK with RADIUS and select Access Manager from the dropdown.
AM-Wireless_SSID-iPSK_with_RADIUS.png
  5. For the Splash page options, choose None if this SSID will be used for IoT devices, since they cannot perform any of the other Splash interactions.
  6. Save your changes.


Configure Access Manager iPSK Rules

Add your Endpoints and Groups that will use iPSK if you haven't already.
Navigate to Access Manager > Configure > Access Rules

Select + Add a rule

  1. Give it a Name
  2. Enable the rule
  3. Choose the Attribute source from the dropdown
    Typically this would be Endpoints
  4. Select the attribute + operator + value you want to match.
    Typically, this would be Client Group + Match All + group_name
    You could also match a specific MAC address or MAC prefix (OUI) but this does not scale well.
  5. In the Authorization Access permission, select Allow restricted access and assign the Identity PSK value.
    You may optionally assign additional permissions based on your endpoints, network design, and device capabilities.
  6. Select Save
iPSK_Rule.png
iPSK_OUI_Rule.png