Example for Configuring MAB Authentication
Networking Requirements
As shown in Figure 1, a large number of dumb terminals (printers in this example) in a company access the Internet through ge-1/1/1 of the PICA8 Switch (the access device). To ensure network access security, the administrator employs MAB authentication on the Switch and the AAA server to control the network access rights of the printers. The Switch allows the printers to access resources on the Internet only after they pass MAB authentication.
Prerequisite
Ensure that the PICA8 Switch is properly connected to the AAA server. In this example, the switch uses the management port Eth0 to connect to the AAA server.
Configuration on the AAA Server
- Configure the Eth0 IP address of the switch to establish a connection to the switch.
- Configure the credentials for each printer on the AAA server.
- Configure the shared key.
- Configure other RADIUS attributes for MAB authentication.
Configuration on the Switch
- Configure the AAA server IP and shared key on the Switch.
- Enable MAB authentication on the Switch, to perform MAB authentication on terminals that cannot install the 802.1X client software.
- Configure the host mode to multiple on interface ge-1/1/1.
Figure 1. Networking Diagram for Configuring MAB Authentication
Procedure
Step1 Configure the access port to trunk mode and enable MAB authentication mode.
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching port-mode trunk
admin@XorPlus# set protocols dot1x interface ge-1/1/1 auth-mode mac-radius
Step2 Configure the IP address of the AAA server and the shared key.
admin@XorPlus# set protocols dot1x aaa radius authentication server-ip 10.10.51.4 shared-key pica8
Step3 Set the NAS IP address to the IP address of the Eth0 interface, which is connected to the AAA server.
admin@XorPlus# set protocols dot1x aaa radius nas-ip 10.10.51.100
This command sets the nas-ip field in the RADIUS access-request message. If you use the management interface eth0/eth1 to connect to the AAA server, configure the IP address of that management interface as the NAS IP address here.
Step4 Configure the host mode for the NAC authentication interface.
admin@XorPlus# set protocols dot1x interface ge-1/1/1 host-mode multiple
Step5 Commit the configuration.
admin@XorPlus# commit
Step6 Verify the configuration.
Run the run show dot1x interface command to check the MAB authentication configuration. The command output (MAC-RADIUS = enable) shows that MAB authentication has been enabled on interface ge-1/1/1 and that MAC address ae:11:01:39:1a:00 is successfully authenticated.
admin@Xorplus# run show dot1x interface
Interface  802.1x   MAC-RADIUS  WEB      HOST-MODE    Session-Timeout  CLIENT-MAC         CLIENT-STATUS
-------------------------------------------------------------------------------------------------------
ge-1/1/1   disable  enable      disable  multiple(3)  0                ae:11:01:39:1a:00  authorized
                                                                       33:12:a1:49:1b:0c  authorized
                                                                       b3:55:c1:d7:2f:22  authorized
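The Step6 check can be automated. The following is an added example, not PICA8 code: it parses the run show dot1x interface output shown above and reports ports where MAC-RADIUS is not enabled and authorized MAC addresses that are missing from a printer inventory. The function names, the inventory set, and the assumption that the output always uses the column layout shown on this page are hypothetical.

```python
import re

# Output copied from Step6 of this page (column spacing reconstructed).
SAMPLE = """\
Interface  802.1x   MAC-RADIUS  WEB      HOST-MODE    Session-Timeout  CLIENT-MAC         CLIENT-STATUS
-------------------------------------------------------------------------------------------------------
ge-1/1/1   disable  enable      disable  multiple(3)  0                ae:11:01:39:1a:00  authorized
                                                                       33:12:a1:49:1b:0c  authorized
                                                                       b3:55:c1:d7:2f:22  authorized
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Full row: the interface settings followed by the first client on that port.
ROW = re.compile(rf"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+({MAC})\s+(\S+)$", re.I)
# Continuation row: a further client on the same port (host-mode multiple).
CONT = re.compile(rf"^({MAC})\s+(\S+)$", re.I)

def parse_dot1x(text):
    """Return {interface: {"mac_radius", "host_mode", "clients": {mac: status}}}."""
    ports, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ROW.match(line)
        if m:
            current = ports.setdefault(m.group(1), {
                "mac_radius": m.group(3), "host_mode": m.group(5), "clients": {}})
            current["clients"][m.group(7).lower()] = m.group(8)
            continue
        m = CONT.match(line)
        if m and current is not None:
            current["clients"][m.group(1).lower()] = m.group(2)
    return ports

def audit(ports, inventory):
    """List ports without MAB and authorized MACs that are not in the inventory."""
    findings = []
    for name, port in ports.items():
        if port["mac_radius"] != "enable":
            findings.append(f"{name}: MAC-RADIUS is {port['mac_radius']}")
        for mac, status in port["clients"].items():
            if status == "authorized" and mac not in inventory:
                findings.append(f"{name}: authorized MAC {mac} not in inventory")
    return findings

if __name__ == "__main__":
    # Constructed inventory: only two of the three printers are registered.
    known = {"ae:11:01:39:1a:00", "33:12:a1:49:1b:0c"}
    print(audit(parse_dot1x(SAMPLE), known))
```

The inventory should hold the same MAC addresses that were configured as printer credentials on the AAA server, so any finding points at a mismatch between the server and the asset list.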
Copyright © 2024 Pica8 Inc. All Rights Reserved.