[Day 22] Cisco ISE Mastery Training: MAB (MAC Authentication Bypass) Configuration

[Day 22] Cisco ISE Mastery Training: MAB (MAC Authentication Bypass) Configuration


Introduction

MAC Authentication Bypass (MAB) lets network devices authenticate endpoints by their MAC address when 802.1X fails or isn’t possible (non-802.1X devices such as printers, IP phones, cameras, unmanaged endpoints). In Cisco ISE deployments, MAB is commonly used as a fallback to 802.1X or as the primary method for legacy devices. Proper MAB configuration in tandem with ISE policies gives you predictable VLAN assignment, role-based access, and a way to quarantine unknown devices — but it needs careful policy design and validation to avoid security gaps (MAC spoofing, misclassification).


Problem statement (what this solves)

Real networks contain many devices that cannot do 802.1X (printers, badge readers, cameras). Without a secure fallback you either:

  • Blanket allow these devices on production VLANs (bad), or
  • Block them completely (operational issues).

MAB + ISE lets you: detect device MACs, check ISE endpoint database or profiling information, and then map each device to a targeted authorization result (VLAN, dACL, redirect to remediation, or guest). This gives operational access while retaining centralized policy control and logging.


Solution overview (how ISE solves it)

  • Network Device (switch/WLC) sends RADIUS Access-Request with username set to MAC.
  • ISE authenticates the MAC against an Endpoint identity store (Internal Endpoints or external DB) or uses profiling to decide.
  • ISE returns an Authorization Profile (Access-Accept) containing attributes (VLAN, ACL, dACL, downloadable ACL, CoA target) which the NAD applies.
  • Live logs + session views let you validate every step.

Sample lab topology

Text topology (keep it simple for VMware/EVE-NG):

  • ISE VM (ISE1) — running on VMware or EVE-NG VM (2 vCPU/8–16GB for lab)
  • Switch (Catalyst 9k/3850/3650) — L2 switch acting as NAD (RADIUS client)
  • WLC (optional) — for wireless MAB tests (optional)
  • DHCP Server — for endpoints to get IPs (could be a Windows/Linux VM)
  • Endpoint(s) — PC (802.1X capable), IP camera / printer (non-802.1X)
  • Admin PC — used to access ISE GUI and Switch console

Topology Layout:

Notes:

  • Lab environment: ISE VM on VMware Workstation/ESXi or EVE-NG. Switch can be virtual (CML/IOSvL2) or physical.
  • If testing wireless MAB, add WLC between APs and ISE (WLC as RADIUS client).

Step-by-Step GUI Configuration Guide (ISE)

Important prechecks: ISE has correct time (NTP), server certificate trusted by NAD (or use shared secret in lab), and licensing allows MAB (MAB uses Network Access licensing). Also make sure ISE node is reachable from NAD and firewall permits UDP 1812/1813.


A — Add Network Device (Switch / WLC) in ISE

  1. Login to ISE GUI → Administration > Network Resources > Network Devices.
    [Screenshot: ISE Network Device List]
  1. Click Add. Fill fields:
    • Name: LAB-SW1
    • IP Address: 10.10.10.11 (NAD IP)
    • Shared Secret: MabSecret123 (this must match on switch)
    • Device Type / Location: (optional)
    • SNMP settings: (optional for profiling)
      [Screenshot: ISE Add Network Device]
  1. Save.

B — Add known endpoints (optional but recommended)

  1. ISE: Administration > Identity Management > Identities > Endpoints > Add.
    [Screenshot: ISE Add Endpoint]
  1. Add endpoint by MAC (format 00:11:22:33:44:55). Assign Endpoint Identity Group (e.g., Printers, Cameras, Unknown).
  2. Save.

Why: Known endpoints (pre-populated MACs) allow ISE to immediately match and authorize appropriately. For unknown MACs you can map to a guest/quarantine policy.


C — Create Authorization Profiles (ISE)

  1. Policy > Policy Elements > Results > Authorization > Authorization Profiles > Add.
    [Screenshot: Add Authorization Profile]
  1. Create profiles you need:
    • MAB-Allow-VLAN100
      • Common Tasks → Access Type: Permit
      • Common Tasks → Use VLAN: enable → VLAN ID: 100
      • (Optional) dACL / Filter-ID to limit traffic.
    • MAB-Guest-Quarantine
      • Redirect to captive portal or assign quarantine VLAN.
  2. Save.

D — Create Policy Set (Authentication & Authorization)

  1. Policy > Policy Sets. Either update the Default policy set or create a new policy set for lab (recommended).
    [Screenshot: Policy Sets]
  1. Add Condition to match NAD(s): e.g., If NAD IP equals 10.10.10.11 or If NAD identity is LAB-SW1. This lets you control policies per device/location.
  2. Under the selected Policy Set:
    • Authentication Policy:
      • Add rule: If Protocol = MAB (or if Identity Source is MAC Address) → Then use Internal Endpoints as the Identity Source (so ISE matches MAC entries).
        [Screenshot: Policy Set > Authentication Policy: Add MAB rule]
  1. Fallback: If not found in Internal Endpoints → use Guest or Profiling method.
  2. Authorization Policy:
    • Add rule: If Endpoint:IdentityGroup == PrintersThen Authorization Profile = MAB-Allow-VLAN100.
    • Add rule: If Endpoint:IdentityGroup == UnknownMAB-Guest-Quarantine.
      [Screenshot: Policy Set > Authorization Policy: Add rules]
  3. Save and test.

Tip: Keep authZ rules order tight — put explicit known device rules above generic rules.


E — Switch configuration (Catalyst IOS example)

Global configuration

enable
configure terminal
! Radius server (old IOS style)
radius-server host 10.10.10.20 auth-port 1812 acct-port 1813 key MabSecret123

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius

! Enable dot1x globally (works with MAB fallback)
dot1x system-auth-control
end

Interface configuration (access port — example Gi1/0/1)

configure terminal
interface GigabitEthernet1/0/1
 description LAB - PC / Printer
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 authentication host-mode single-host
 authentication port-control auto
 authentication order dot1x mab
 ! Alternatively, on some IOS versions:
 ! authentication priority dot1x mab
 mab
 dot1x pae authenticator
 exit
end
write memory

Notes about authentication order vs authentication priority:

  • authentication order dot1x mab or authentication priority dot1x mab depends on IOS version. If one cmd errors, try the other. mab alone enables MAC auth fallback.

F — Wireless (WLC) MAB outline (optional)

  1. On WLC: Security > RADIUS > Authentication Servers → add ISE (10.10.10.20) with same shared secret.
  2. On WLAN → Security → Layer 2 → set to Open or Layer 2/MAC Auth depending on controller. Configure MAC authentication/filtering to point to RADIUS server.
  3. In ISE, add WLC as Network Device (same as switch) and use Policy Sets to treat wireless MAB requests (you can match Called-Station or SSID).

(WLC GUIs differ by version — adapt accordingly.)


G — Validation (GUI + CLI) — do this step by step

1) ISE Live Logs validation (GUI)

  1. In ISE GUI: Operations > RADIUS > Live Logs (or Operations > SLA depending on version).
    [Screenshot: ISE Live Logs]
  1. Filter for your NAD or the endpoint MAC. You should see:
    • Access-Request from NAD containing Username = 001122334455 (MAC)
    • ISE decision: Authentication: MAB → Identity Source = Internal Endpoints (or Profiler)
    • ISE Authorization response: Access-Accept with attributes (e.g., Tunnel-Private-Group-ID: 100 or Filter-ID).

What to look for: If ISE returns Access-Reject, the RADIUS shared secret or NAD match may be wrong. If ISE authenticates but no VLAN change occurs, check Authorization Profile attributes.

2) Switch CLI validation

Run:

show authentication sessions interface GigabitEthernet1/0/1 details

Expected snippet (example):

Interface: Gi1/0/1
MAC Address: 00:11:22:33:44:55
Method: mab
Auth State: AUTHORIZED
Authorized VLAN: 100
Authentication Server: ISE1 (10.10.10.20)

If the device is 802.1X then method may show dot1x. If MAB used, method should show mab.

Useful debug commands:

debug radius authentication
debug dot1x all
debug aaa authentication
show radius statistics
show running-config | section radius

Interpretation: Debugs show RADIUS Access-Request/Response and any errors (timeout, shared secret mismatch, attribute missing).

3) DHCP / IP test

  • Confirm the endpoint gets IP on assigned VLAN (if ISE assigned VLAN).
  • From switch, show mac address-table interface gi1/0/1 to see learned MAC.

4) ISE endpoint database verification

  • In ISE: Administration > Identity Management > Identities > Endpoints → search the MAC → verify endpoint group and attributes.

FAQs

1. What is an Identity Source Sequence in Cisco ISE?

An Identity Source Sequence is a logical list of identity stores (like AD, LDAP, Internal DB, or certificate-based repositories) that Cisco ISE checks in a specific order during authentication. It allows fallback to alternative sources if the primary source is unreachable or doesn’t have the user/device.


2. Why should I use an ISS instead of pointing directly to one identity source?

If you directly point to AD and AD goes down, authentication will fail entirely. An ISS ensures that if AD is unavailable, ISE will automatically try the next source, such as Internal Users or Internal Endpoints, reducing downtime.


3. Can I mix internal and external sources in the same ISS?

Yes. For example:

  • Primary: Active Directory
  • Secondary: Internal Users (for guest accounts)
  • Tertiary: Internal Endpoints (for MAB)

This is the most common deployment strategy.


4. What happens if a user exists in multiple sources in the ISS?

ISE stops checking as soon as it finds a matching identity, provided the “Stop if found” option is enabled. If not enabled, it will check all sources and use the first match in priority order.


5. Does the order of sources affect authentication speed?

Yes. If the first source is slow to respond or unreachable, authentication delays occur until ISE times out before moving to the next source. Best practice: put the most frequently used and fastest sources first.


6. Can ISS be used for both wired and wireless 802.1X authentication?

Absolutely. ISS is independent of the access type. You can apply it to any authentication policy in ISE, including wired, wireless, and VPN authentications.


7. How do I troubleshoot when ISS is not working as expected?

  • Check RADIUS Live Logs in ISE for the “Identity Source” column.
  • Enable debug radius authentication on the switch/WLC.
  • Verify that the external source (like AD) is reachable via System → Logging → Test Connectivity.

8. Can ISS be used for MAC Authentication Bypass (MAB)?

Yes. For MAB, you can use ISS where the primary source is the Internal Endpoints database, with fallback to other sources if the MAC address is not found.


9. What’s the difference between an ISS and multiple separate authentication rules?

Multiple authentication rules can reference different sources, but that approach is less flexible and requires more policy maintenance. ISS lets you have one policy rule that can query multiple sources in a controlled order.


10. What is the best practice order for ISS in enterprise deployments?

  • First: AD (for corporate users)
  • Second: Internal Users (for guest/fallback accounts)
  • Third: Internal Endpoints (for IoT/MAB devices)
  • Avoid placing rarely-used or slow sources first to minimize delays.

YouTube Link

For more in-depth Cisco ISE Mastery Training, subscribe to my YouTube channel Network Journey and join my instructor-led classes for hands-on, real-world ISE experience

[NEW COURSE ALERT] CISCO ISE (Identity Service Engine) by Sagar Dhawan
CCIE Security v6.1 Training – Ticket#1 Discussed
CCIE Security v6.1 – MAC Authentication Bypass (MAB) in Cisco ISE
CCNP to CCIE SECURITY v6.1 – New Online Batch

Closing notes / Key takeaways

  • MAB is a practical fallback and must be used carefully with policies to avoid security gaps.
  • Always validate both sides: ISE Live Logs and NAD CLI (show authentication sessions).
  • Use endpoint groups in ISE to create precise authorization outcomes (VLANs, dACLs).
  • Combine MAB with profiling, port security, and logging to mitigate MAC spoofing risks.

Upgrade Your Skills – Start Today

If you want to master Cisco ISE (complete, hands-on workflows — GUI + CLI + troubleshooting), join 4-month instructor-led CCIE Security / ISE training — live classes, 100+ hours of lab training, real-world lab scenarios and recorded resources. The full course outline, hands-on lab details and registration are on Network Journey’s CCIE Security course page. (Network Journey)

  • Want end-to-end, lab-based Cisco ISE mastery (GUI + CLI + real troubleshooting)? Join 4-month instructor-led CCIE Security program — live sessions, 100+ hours of labs, workbook, and 1:1 doubt support.
  • Apply / Book a free counselling call: tell us your name, role, years of experience, preferred batch (weekday/weekend) and best contact number — send to info@networkjourney.com or WhatsApp +91 97395 21088 and the team will schedule your call. (Network Journey)

Enroll Now & Future‑Proof Your Career
Emailinfo@networkjourney.com
WhatsApp / Call: +91 97395 21088