Continuing to build on earlier posts where we setup 802.1x to authenticate users and place them in predefined VLANs, then extended this to dynamically assign the VLAN, this post will look at what to do for devices that don’t speak 802.1x such as printers etc.
While there is a guest VLAN command for dot1x we could use I’d probably hesitate to apply that to infrastructure resources and leave it more to actual guests or staff who’ve decided to BYOD. Instead we can employ MAC Authentication Bypass (MAB) to pass the MAC address of a device across to the RADIUS server and then determine if that MAC address corresponds with a known approved device or not. This is enabled with the command ‘dot1x mac-auth-bypass’ on the required interface and there are a couple of options for the RADIUS side of things…
#1 – Symantec’s method where you create an Active Directory account with the username matching the un-hyphenated MAC address. You can then base the policy around this.
#2 – Create a Connection Request Policy that trumps the “Use Windows authentication for all users” policy and use the following settings:
- Calling Station ID – Hyphenated MAC address of the end device
- NAS IPv4 Address – The IP of the switch you expect to see this MAC address connecting to
- NAS Port Type – Ethernet
- Authentication – Accept users without validating credentials
- RADIUS Attributes – Standard attributes of:
- Tunnel-Pvt-Group-ID = VLAN #
- Tunnel-Type = VLAN
- Tunnel-Medium-Type = 802
If the device you’re using MAB for gets an IP from DHCP, you may want to tweak the SuppTimeout variable lower on the switch so the client doesn’t timeout the DHCP request.