802.1x: MAB / VLAN-Assignment / MAC-Based

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2019-10-10 06:12:44
Hardware Version: V2
Firmware Version: 2.0.3 Build 20190509 Rel.36379(s)

I want to use IEEE 802.1x (and RADIUS) with these components:

  • dot1x vlan-assignment
  • dot1x mab
  • dot1x port-method mac-based

This doesn't seem to work, although this combination is not explicitly forbidden by any document.

The only thing I found was under 'dot1x vlan-assignment':

add the authenticated port to the VLAN and change the PVID based on the assigned VLAN

Any hints?

Re:802.1x: MAB / VLAN-Assignment / MAC-Based
2019-10-11 02:40:00
VLAN Assignment is port-based so you cannot use MAC-based for port-method. Just found a CG for tplink 802.1x. https://www.tp-link.com/us/configuration-guides/configuration_guide_for_802_1x_vlan_assignment_and_mab/?configurationId=2968#_idTextAnchor000
Re:802.1x: MAB / VLAN-Assignment / MAC-Based
2019-10-11 05:29:17

@Andone, what a pity!

I hoped this could work because of the 'mac-vlan' commands, which do just the same with a local database instead of using RADIUS.

So technically it should be possible in my constellation, too!?

Re:802.1x: MAB / VLAN-Assignment / MAC-Based
2019-10-12 08:58:27

@PeterS

How about not using VLAN assignment and using MAC-VLAN instead? Maybe it can work as you want.

Re:802.1x: MAB / VLAN-Assignment / MAC-Based
2019-10-14 12:15:58

@PeterS 

MAB works as Port-Based, yes. As MAB will not work with Guest vlan, it is also a bad solution. Use one more managed switches :)

I feel other vendors, like D-Link, have a 'mac_based_access_control' feature, both local and RADIUS, which will suit you.

Re:802.1x: MAB / VLAN-Assignment / MAC-Based
2019-10-14 12:44:39

@Andone, surely, it would.

But we're talking about a professional environment with hundreds of MACs and changes every day, so a local database (as e.g. 'mac-vlan mac-address 00:11:11:01:01:12 vlan 2' is) would be impossible to handle. Also, I would guess there is an (implicit?) limit on configuration lines, which would also limit the entries in the database.

Re:802.1x: MAB / VLAN-Assignment / MAC-Based
2019-10-14 12:50:38
@PeterS you have a limit on rules, not on CLI lines. 360 IP ACLs only, 16 static routes only, something like this. You can use the 'show running-config all' command, which will show the full config, which is pretty big. You need to ask about the number of rules for IMPB manual bindings, which is, I believe, 64 max. You found a good way for you :)
Re:802.1x: MAB / VLAN-Assignment / MAC-Based
2019-10-14 12:50:47

@Mitya, thank you very much.

Do other vendors offer my required combination of features on edge switches completely?

BTW: Guest VLAN is implicitly possible, too. I made my RADIUS offer this special VLAN id in case of unknown clients. ;-)

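The guest-VLAN fallback described in the post above, sketched as the decision a RADIUS server makes for a MAB request (an added example, not part of the thread and not TP-Link's or any RADIUS server's own code). The device table, the guest VLAN ID 99 and the function names are assumptions; the reply attributes are the RFC 3580 tunnel attributes used for dynamic VLAN assignment.

```python
import re

# Constructed sample data for illustration only.
KNOWN_DEVICES = {
    "001111010112": 2,    # MAC and VLAN from the thread's mac-vlan example
    "0011110101ab": 30,   # constructed entry
}
GUEST_VLAN = 99           # assumed guest VLAN ID


def normalize_mac(raw):
    """Reduce common MAC notations (aa:bb.., aa-bb.., aabb.ccdd.eeff)
    to 12 lowercase hex digits; return None if it is not a MAC."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def vlan_reply(vlan_id):
    """RFC 3580 attributes the switch reads to place the port in a VLAN."""
    return {
        "Tunnel-Type": 13,                        # VLAN
        "Tunnel-Medium-Type": 6,                  # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan_id),  # VLAN ID as a string
    }


def authorize_mab(user_name):
    """Decide the reply for a MAB request, where the switch sends the
    client's MAC address as the RADIUS User-Name."""
    mac = normalize_mac(user_name)
    if mac is None:
        # Not a MAC at all: treat as a malformed MAB request.
        return ("Access-Reject", {})
    # Unknown MACs are accepted but steered into the guest VLAN.
    vlan = KNOWN_DEVICES.get(mac, GUEST_VLAN)
    return ("Access-Accept", vlan_reply(vlan))


if __name__ == "__main__":
    for name in ("00-11-11-01-01-12", "de:ad:be:ef:00:01", "alice"):
        print(name, authorize_mab(name))
```

Because every unknown MAC receives an Access-Accept, the guest VLAN's own ACLs are the only control on those clients, and a known MAC is only as trustworthy as the port it appears on.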
Re:802.1x: MAB / VLAN-Assignment / MAC-Based
2019-10-14 12:56:17

@PeterS I know that D-Link's mac-based-access-control is theoretically the same as "MAB for MAC-Based", not MAC for Port-Based only. I had a client who wanted to replace D-Link with TP-Link, but TP-Link didn't support it. Other vendors probably also have MAB for MAC-Based; this needs a deeper check.
