{"id":2865,"date":"2026-01-15T21:38:00","date_gmt":"2026-01-15T21:38:00","guid":{"rendered":"https:\/\/www.balajibandi.com\/?p=2865"},"modified":"2026-02-05T18:51:44","modified_gmt":"2026-02-05T18:51:44","slug":"88-days-to-ccie-sec-v6-1-lab","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=2865","title":{"rendered":"88 Days to CCIE SEC v6.1 Lab"},"content":{"rendered":"\n

ISE \u00a0Decoding MAC Authentication Bypass (MAB)<\/mark><\/h2>\n\n\n\n

In the real world, your network is haunted by “dumb” devices\u2014printers, IP cameras, and building controllers\u2014that can\u2019t perform 802.1X. For these, we use\u00a0MAC Authentication Bypass (MAB)<\/strong>.<\/p>\n\n\n\n

What is MAB?<\/mark><\/h2>\n\n\n\n

MAB is a fallback mechanism that uses the device’s MAC address<\/strong> as both the username and the password. It is considered “weak” authentication because MAC addresses are easily spoofed, but it is essential for operational continuity.<\/p>\n\n\n\n

How MAB “Tricks” the Switch<\/p>\n\n\n\n

MAB doesn’t start immediately. By default, a Cisco switchport prefers 802.1X. Here is the step-by-step flow:<\/p>\n\n\n\n

    \n
  1. Initial EAPOL Exchange:<\/strong>\u00a0The switch sends\u00a0EAP-Request\/Identity<\/strong>\u00a0frames. The “dumb” device ignores them because it doesn’t speak EAP.<\/li>\n\n\n\n
  2. The Timeout:<\/strong>\u00a0The switch waits for a response (governed by the\u00a0dot1x timeout tx-period<\/code>\u00a0and\u00a0dot1x max-reauth-req<\/code>\u00a0timers).<\/li>\n\n\n\n
  3. The Switch to MAB:<\/strong>\u00a0Once the 802.1X attempts fail, the switch “bypasses” 802.1X and creates a\u00a0RADIUS Access-Request<\/strong>.\n
      \n
    • User-Name (Attribute 1):<\/strong>\u00a0The MAC address (e.g.,\u00a0001122334455<\/code>).<\/li>\n\n\n\n
    • User-Password (Attribute 2):<\/strong>\u00a0The MAC address.<\/li>\n\n\n\n
    • Service-Type (Attribute 6):<\/strong>\u00a0Set to\u00a010<\/code>\u00a0(Call Check), signaling to ISE that this is a MAB request.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
    • ISE Processing:<\/strong>\u00a0ISE looks up the MAC address in its\u00a0Internal Endpoints<\/strong>\u00a0database or an external identity store.<\/li>\n\n\n\n
    • Authorization:<\/strong>\u00a0If found, ISE returns an\u00a0Access-Accept<\/strong>\u00a0with the appropriate VLAN or dACL.<\/li>\n<\/ol>\n\n\n\n
      \n\n\n\n

      Use Case: The Printer Problem<\/mark><\/h2>\n\n\n\n

      Scenario:<\/strong> A hospital has 500 legacy printers that don’t support certificates. They need to be on a specific VLAN and restricted from accessing the Internet.<\/p>\n\n\n\n

        \n
      • The Solution:<\/strong>\u00a0Use\u00a0ISE Profiling<\/strong>\u00a0with MAB.<\/li>\n\n\n\n
      • The Logic:<\/strong>\u00a0Instead of just checking if the MAC exists, ISE uses\u00a0Device Profiling<\/strong>\u00a0(DHCP snooping or HTTP user-agents) to verify the device is actually a printer and not a laptop spoofing a printer’s MAC.<\/li>\n\n\n\n
      • The Result:<\/strong>\u00a0If the device “looks and acts” like a HP LaserJet, ISE pushes a\u00a0dACL<\/strong>\u00a0allowing it to talk only to the Print Server.<\/li>\n<\/ul>\n\n\n\n
        \n\n\n\n

        Performance Tuning<\/mark><\/h2>\n\n\n\n

        In a standard config, a MAB device might wait 30+ seconds<\/strong> to get network access while 802.1X times out. To fix this in production, we use Cisco Common Classification Policy Language (C3PL)<\/strong> to trigger MAB and 802.1X simultaneously or shorten timers:<\/p>\n\n\n\n

        ! Shorten the gap for MAB devices\ninterface GigabitEthernet1\/0\/1\n authentication order dot1x mab\n authentication priority dot1x mab\n mab\n dot1x timeout tx-period 7  # Reduce from default 30s\n<\/code><\/pre>\n\n\n\n
        The “Security vs. Usability” Trade-off<\/mark><\/h2>\n\n\n\n
        Feature<\/th>802.1X<\/th>MAB<\/th><\/tr>
        Identity Basis<\/strong><\/td>Certificates\/Credentials<\/td>Hardware MAC Address<\/td><\/tr>
        Security Level<\/strong><\/td>High (Encrypted)<\/td>Low (Spoofable)<\/td><\/tr>
        Management<\/strong><\/td>Supplicant Required<\/td>Agentless<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
        Critical Action for Administrators<\/mark><\/h2>\n\n\n\n
        Always combine MAB with ISE Profiling<\/strong>. This adds a layer of “behavioral” security\u2014if a “Printer” suddenly starts trying to SSH into a Core Switch, ISE can issue a Change of Authorization (CoA)<\/strong> to kill the port. Check out the Cisco ISE Profiling Design Guide for deep-dive logic.<\/p>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        Happy Labinggggggggggggggggggg!<\/strong><\/p>\n\n\n\n
        <\/p>\n","protected":false},"excerpt":{"rendered":"
        ISE \u00a0Decoding MAC Authentication Bypass (MAB) In the real world, your network is haunted by “dumb” devices\u2014printers, IP cameras, and building controllers\u2014that can\u2019t perform 802.1X. For these, we use\u00a0MAC Authentication Bypass (MAB). What is MAB? MAB is a fallback mechanism that uses the device’s MAC address as both the username and the password. It is considered “weak” […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2],"tags":[],"class_list":["post-2865","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2865","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2865"}],"version-history":[{"count":1,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2865\/revisions"}],"predecessor-version":[{"id":2867,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/2865\/revisions\/2867"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2865"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2865"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2865"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}