In this blog series, we’ve been on a journey of sorts. We’ve shown you all the different ways to set up the CL 3.7.5 campus feature: Multi-Domain Authentication in this 6-part series and guess what? We’re getting into the home stretch!

In blogs 1-4 we had guides for Wired 802.1x using Aruba ClearPass, Wired MAC Authentication using Aruba ClearPass, Multi-Domain Authentication using Aruba ClearPass and Wired 802.1x using Cisco ISE. After this blog, we’ll just have one more covering. Multi-Domain Authentication using Cisco ISE. But we’re not here to talk about those now.

In this fifth guide, I’ll be sharing how to enable Wired MAC Authentication in Cumulus Linux 3.7.5+ using Cisco ISE (Identity Services Engine) 2.4, Patch 8.

Keep in mind that this step-by-step guide assumes that you have already performed an initial setup of Cisco ISE .

Cisco ISE Configuration:

1. Add a Cumulus Switch group to Cisco ISE:

First, we are going to add a Network Device Group to Cisco ISE:

Administration > Network Resources > Network Device Groups. Click the “+Add” button

Make sure to set the “Parent Group” to “All Device Types.” The result will look like the following:

2. Adding a Cumulus Switch to Cisco ISE

Administration > Network Resources > Network Device. Click the “+Add” button:

I. Fill in the management IP address of the Cumulus Switch
II. Keep the “Device Profile” set to “Cisco”
III. Set the “Device Type” to “Cumulus-Switches”, which is the Device Type group that was set in step #1.

Under the “RADIUS Authentication Settings”, add the “Shared Secret” that will be used on the switch:

Finally, click the “Save” button in the bottom left-hand corner:

This is the view you should now see in Cisco ISE:

3. Allowed Authentication Protocol

Policy > Policy Elements > Results > Authentication > Allowed Protocols

Select “Default Network Access” and click the “Duplicate” button:

Rename this to “Cumulus Wired MAC Auth.” The only item to select is “Process Host Lookup” under “Authentication Bypass.”

To save these changes, click the “Save” button in the bottom left-hand corner:

4. Add an Authorization Profile for VLAN 36

Policy > Policy Elements > Results > Authorization > Authorization Profiles. Click the “+Add” button

I. Set the Name to “Cumulus – VLAN36”
II. Make sure the “Access Type” is “ACCEPT_ACCEPT,” which should be the default setting
III. Make sure the “Network Device Profile” is set to “Cisco”

Under the “Common Tasks,” set the VLAN “ID/Name” to “36” and the “Tag ID” to “3:”

Click the “Save” button in the bottom left-hand corner:

5. Adding an Endpoint to Cisco ISE
Context Visibility > Endpoints > Authentication. Click the “+” button:

This will bring up the following dialog box:

Enter the following information:

I. Mac Address:
II. Static Assignment: Click on the box
III. Policy Assignment: <Set the appropriate group>
IV. Static Group Assignment: Click on the box
V. Identity Group Assignment: Set to “RegisteredDevices”

Click the “Save” button

This will result in the following output:

6. Creating a MAC Authentication Policy Set in Cisco ISE

Policy > Policy Sets. Click the “+” button

Set the “Policy Set Name” and “Description” to “Cumulus Wired MAC Auth”

Now, click the “Conditions” box to bring up the “Conditions Studio Library.” Here, we will drag over the “Wired_MAB” object and select the “Cumulus-Switches” group.

To select the “+” button on the editor choose the “DEVICE:Device Type”

There will be a dropdown menu after “Equals” and here you can select the “All Device Types#Cumulus-Switches” group that we created in step #1:

This will look like the following:

The overall “Conditions Studio” will now look like the following:

Click the “Use” button in the bottom right-hand corner.

Under the “Allowed Protocols / Server Sequence”, select “Cumulus Wired MAC Auth” from Step #3:

The Policy Set will now look like the following:

Click the “Save” button in the bottom right-hand corner

7. Applying the RADIUS VSA to the Policy Set

Policy > Policy Sets > “Cumulus Wired MAC Auth” > View > “Greater Than” symbol

Click on the “Greater Than” symbol under “View:”

Under “Authentication Policy,” change the “Use” column from “All_User_ID_Stores” to “Internal Endpoints”

Under “Authorization Policy,” change the “Default” from “DenyAccess” to

I. “Cumulus – VLAN36”, which was created in step #4
II. “PermitAccess”

Click the “Save” button in the bottom right-hand corner.

Cumulus Linux wired MAC Authentication setup:

1. Testing an interface

I am going to be using “swp12” to test wired MAC Authentication:

net add interface swp12
net commit

2. Enabling dot1x on swp12

Here are the following NCLU commands that I entered to configure wired MAC Authentication:

net add dot1x radius server-ip 10.10.102.100 vrf mgmt
net add dot1x radius client-source-ip 192.168.255.100
net add dot1x radius shared-secret cumulus11
net add dot1x send-eap-request-id
net add dot1x dynamic-vlan
net add bridge bridge ports swp12
net add interface swp12 dot1x mab
net commit

3. Modify the hostapd.conf file

The next step is to change the bottom two values in the /etc/hostapd.conf file from “=1” to “=0”

radius_das_require_event_timestamp=0
radius_das_require_message_authenticator=0

Restart the hostapd.service after making the above changes with the following command:

sudo systemctl restart hostapd.service

Verification and Troubleshooting

Plug in a wired VoIP phone into port swp12. Within 3CX, the SIP VoIP server in this test, the phone has come up and registered with the system:

On the Cumulus switch, the following commands will show the status of the swp12 interface:

net show dot1x interface swp12

Adding the “details” command will provide more information about the connected device:

net show dot1x interface swp12 details

Notice that the “Status Flags” report that this connection is using a “[DYNAMIC VLAN]” which is being sent from the Cisco ISE server. The “Server Flags” are also reporting “[MAB]”, which is the abbreviation for MAC Authentication Bypass.

Cisco ISE also provides monitoring capabilities of this MAC Authentication at the following location:

Operation > RADIUS > Live Logs

Clicking on the “Details” icon will bring up granular details about the connection:

In the “Overview” dialog box, one can see the following:

I. A successful authentication
II. The Authentication and Authorization policies that were selected in Steps #6 in the Cisco ISE configuration section.
III. Cumulus – VLAN36, from Step #7 in the Cisco ISE configuration section, being sent as a RADIUS VSA from Cisco ISE to the Cumulus Switch

For further 802.1x troubleshooting, the link in the 802.1x Interface docs page is an invaluable resource.

In the final blog in this series, I’ll cover Multi-Domain Authentication using Cisco ISE. In the meantime, take a look at some of the other tutorials we offer engineers where you can learn basic open networking commands and configurations, all the way up to advanced configurations. Our how-to videos are a great place to start.