Dynamic VLAN Assignment with MAC Authentication Bypass (MAB) HowTo

Introduction

This document describes how dynamic VLAN assignment can be configured for MAC authentication bypass (MAB). For an overview of all available configuration settings for Port Access Control, refer to the configuration section in the Port Access Control Guide.

Overview

This is a simplified example designed to provide a clear, basic demonstration of what needs to be configured on the WeOS device to get VLAN assignment working with port access control using MAC authentication bypass (MAB). The focus is on understanding the core configuration concepts rather than necessarily providing a complete, production-ready deployment. Real-world implementations may require additional security considerations, redundancy, and more complex network topologies.

For this use case example the following topology, or similar, is considered:

                            Authentication
                                Server
                               .------.         00:11:22:33:44:55 -> VLAN 10
                               |RADIUS|         00:aa:bb:cc:dd:ee -> VLAN 20
                               '--+---'
                                  | 10.0.1.2
                                  | VLAN 1
      |                           |                            |
  .--.-.                          |                        .--.-.
 ( (    )__                       |                       ( (    )__
(_,  \ ) ,_)                      |                      (_,  \ ) ,_)
  '-'--`--'                       |                        '-'--`--'
      |                           |                            |
      |                           |                            |
      |                           | VLAN 1                     |
      |                           | 10.0.1.1                   |
      | 10.0.10.0/24 .------------+-------------. 10.0.20.0/24 |
      | VLAN 10      |            4             |     VLAN 20  |
      '--------------+ 5         WeOS         3 +--------------'
                     |    1                2    |
                     '----+----------------+----'
                          X    Start in    X    <== Controlled Ports
                          |     VLAN 1     |     (All Blocked by
                          |                |      Authenticator)
                       .--+-.            .-+--.
     00:11:22:33:44:55 | H1 |            | H2 | 00:aa:bb:cc:dd:ee
                       '----'            '----'

Figure 1: A basic setup of port access control using MAB with dynamic VLAN assignment. The ports eth1 and eth2 are controlled by port access on the authenticator device WeOS. The RADIUS server is configured to handle MAB and provide a specific VLAN assignment for each MAC address of the connecting hosts H1 and H2.

Port names

The port numbers as presented in Figure 1 will be referred to as eth1-eth5 in the configuration examples below, i.e. 1 -> eth1, 2 -> eth2, etc.

With this example setup the goal is to have the ports be assigned dynamically to different VLANs based on the MAC address of frames originating from the connected hosts. For example, when the WeOS device observes a frame from host H1 with MAC address 00:11:22:33:44:55 on port eth1, it will trigger a MAB authentication request, and upon successful authentication, the port should be assigned to VLAN 10. Similarly, when a frame from host H2 with MAC address 00:aa:bb:cc:dd:ee is seen on port eth2, the port should be assigned to VLAN 20 after successful authentication.

It is assumed that whatever RADIUS server is used to process the authentication requests from the WeOS device is configured for MAC authentication bypass (MAB) and returns the correct VLAN assignment information for each MAC address. The RADIUS server must therefore be configured to supply the following, in addition to everything else that is required for the authentication to succeed:

Tunnel-Type = VLAN,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = [numeric VLAN tag, e.g. 10 or 20]

It is this Tunnel information that is used by the WeOS device to determine which VLAN to assign the port to when a successful authentication occurs.

Only Assignable Untagged

As described in the VLAN Assignment section in the Port Access Control Guide, ports can only be assigned untagged to VLANs when doing dynamic VLAN assignment. Further, this also means that a port can only ever be assigned to one VLAN at a time when doing dynamic VLAN assignment. Additionally, this means that it is the first authenticated MAC address that determines which VLAN the port is assigned.

Configuration

The first thing to do is to configure the base VLAN vlan1 and its associated interface. As mentioned in the topology description, the ports that face the hosts (eth1 and eth2) start in VLAN 1, and this is where they will be moved back to when the hosts disconnect. In addition, the port on the WeOS device that faces the RADIUS server (eth4) is also in VLAN 1.

example:/#> config
example:/config/#> vlan 1
example:/config/vlan-1/#> untagged eth1,eth2,eth4
example:/config/vlan-1/#> end
example:/config/#> iface vlan1
example:/config/iface-vlan1/#> inet static 10.0.1.1/24
example:/config/iface-vlan1/inet-static-10.0.1.1/#> end
example:/config/iface-vlan1/#> end
example:/config/#>

The VLANs that are to be assigned dynamically must also be configured, both so that there is a port providing access to each VLAN and because any VLAN to be assigned dynamically must already exist on the device: VLANs are not created automatically when the RADIUS server returns the VLAN assignment information. For more information, see the section on assignable VLANs in the Port Access Control Guide.

example:/config/#> vlan 10
example:/config/vlan-10/#> untagged eth5
example:/config/vlan-10/#> end
example:/config/#> vlan 20
example:/config/vlan-20/#> untagged eth3
example:/config/vlan-20/#> end
example:/config/#> iface vlan10
example:/config/iface-vlan10/#> inet static 10.0.10.1/24
example:/config/iface-vlan10/inet-static-10.0.10.1/#> end
example:/config/iface-vlan10/#> end
example:/config/#> iface vlan20
example:/config/iface-vlan20/#> inet static 10.0.20.1/24
example:/config/iface-vlan20/inet-static-10.0.20.1/#> end
example:/config/iface-vlan20/#> end
example:/config/#>

Next, the RADIUS server definition to be used by the port access instance is configured. The RADIUS server is located at IP address 10.0.1.2 and uses the default RADIUS port (1812) in this example.

example:/config/#> aaa
example:/config/aaa/#> remote-server 1
Creating new remote server 1
example:/config/aaa/remote-server-1/#> description MyRADIUS
example:/config/aaa/remote-server-1/#> address 10.0.1.2
example:/config/aaa/remote-server-1/#> password TopS3cret
example:/config/aaa/remote-server-1/#> end
example:/config/aaa/#> end

Performance Consideration

For best performance, it is recommended to use an IP address (rather than a domain name) when defining the RADIUS server.

At this point the port access instance can be configured. The ports eth1 and eth2 are added as port access ports, and MAC authentication (MAB) is enabled for the instance.

example:/config/#> port-access
Creating new Port Access instance 1.
example:/config/port-access-1/#> port eth1,eth2
example:/config/port-access-1/#> description "VLAN Assignment Example"
example:/config/port-access-1/#> port-method mac-based
example:/config/port-access-1/#> mac-authentication
example:/config/port-access-1/mac-auth/#> authentication-server 1
example:/config/port-access-1/mac-auth/#> end
example:/config/port-access-1/#>

Port Method

In this example the port method is explicitly set to mac-based, which is also the default setting. See Port Method for more information about port methods.

Finally, VLAN assignment is enabled for the port access instance and the VLANs that may be assigned are selected.

example:/config/port-access-1/#> vlan-assignment
example:/config/port-access-1/vlan-assignment/#> allowed-vlans vlan10 vlan20
example:/config/port-access-1/vlan-assignment/#> end
example:/config/port-access-1/#>

The allowed vlans can also be specified by their VID

The allowed VLANs can also be specified by their numeric VLAN tag (e.g. 10, 20) using the allowed-vid command instead of allowed-vlans. Both commands manipulate the exact same setting and can be used interchangeably:

example:/config/port-access-1/vlan-assignment/#> allowed-vid 10 20
example:/config/port-access-1/vlan-assignment/#> end
example:/config/port-access-1/#>

At this point the port access configuration should look something like:

Port Access General Settings                                                  
Status                  : Enabled
Description             : (No description)
Ports                   : eth1..eth2
Port Method             : MAC Based

802.1X Settings                                                               
Not configured.

MAC Authentication Settings                                                   
Status                  : Enabled

MAB                                                                           
Authentication server   : 1 (MyRADIUS)
Service Type            : Call Check (10)

Local List                                                                    
Accept list             : Not set...

VLAN Assignment Settings                                                      
Status                  : Enabled
Allowed VIDs            : 10 (vlan10), 20 (vlan20)
Default VLAN            : Disabled

At this point the basic configuration is done, and the ports eth1 and eth2 should be able to authenticate and be assigned to the correct VLANs based on the MAC address of the connecting host and the information returned by the RADIUS server. Exit the configuration context to apply the configuration.

example:/config/port-access-1/#> leave
[*] System setup running...
[*] System Ready...
Configuration activated.
Remember "copy run start" to save to flash (NVRAM).
example:/#>

Using Separate Port Access Instances to Isolate Ports to Certain VLANs

In the example above a single port access instance was used for both ports eth1 and eth2, and it would be possible for both ports to be assigned to either VLAN 10 or VLAN 20 based on the MAC address of the connecting host. If the goal is to isolate the ports so that eth1 can only be assigned to VLAN 10, and eth2 can only be assigned to VLAN 20, two separate port access instances can be used, one for each port, and the allowed VLANs can be configured separately for each instance.

In such a case the configuration of port access instance 1 for port eth1 would look something like this:

example:/config/#> port-access 1
Creating new Port Access instance 1.
example:/config/port-access-1/#> port eth1
example:/config/port-access-1/#> description "Port 1 - VLAN 10 Only"
example:/config/port-access-1/#> port-method mac-based
example:/config/port-access-1/#> mac-authentication
example:/config/port-access-1/mac-auth/#> authentication-server 1
example:/config/port-access-1/mac-auth/#> end
example:/config/port-access-1/#> vlan-assignment
example:/config/port-access-1/vlan-assignment/#> allowed-vlans vlan10
example:/config/port-access-1/vlan-assignment/#> end
example:/config/port-access-1/#> end
example:/config/#>

And the configuration of port access instance 2 for port eth2 would look something like this:

example:/config/#> port-access 2
Creating new Port Access instance 2.
example:/config/port-access-2/#> port eth2
example:/config/port-access-2/#> description "Port 2 - VLAN 20 Only"
example:/config/port-access-2/#> port-method mac-based
example:/config/port-access-2/#> mac-authentication
example:/config/port-access-2/mac-auth/#> authentication-server 1
example:/config/port-access-2/mac-auth/#> end
example:/config/port-access-2/#> vlan-assignment
example:/config/port-access-2/vlan-assignment/#> allowed-vlans vlan20
example:/config/port-access-2/vlan-assignment/#> end
example:/config/port-access-2/#> end
example:/config/#>

With these two separate port access instances, port eth1 can now only be assigned to VLAN 10, and port eth2 can only be assigned to VLAN 20, based on the MAC address and the information returned from the RADIUS server. In this example only the port configuration and VLAN assignment settings differ between the two instances, but all the other settings can also be configured differently if needed, e.g. different authentication servers, different authentication methods, etc.

Status

This section demonstrates how to verify the port access and VLAN assignment status at different stages. The following examples show the output before any authentication takes place, after initial authentication when hosts with specific MAC addresses connect, and after the ports are reassigned when the hosts disconnect and reconnect.

Before Authentication

Before any host has attempted to authenticate, the status of the port access instance should look something like this:

example:/#> show port-access
Number of Port Access Instances: 1
Table Instance Dividers        : Disabled

╒ 802.1X Authentications ════════════════════════════════════════════════════╕
│#  MAC-ADDRESS        SUPPLICANT    PORT    SERVER           DATE-ADDED     │
│No authenticated 802.1X clients found.                                      │
└────────────────────────────────────────────────────────────────────────────┘

╒ MAC Auth Authentications ══════════════════════════════════════════════════╕
│#  MAC-ADDRESS        PORT    METHOD                         DATE-ADDED     │
│No authenticated MAC addresses found.                                       │
└────────────────────────────────────────────────────────────────────────────┘

╒ Ports ═════════════════════════════════════════════════════════════════════╕
│PORT    METHOD      STATE                           AUTHENTICATED-MAC       │
│eth1    MAC Based   0 Authentications               -                       │
│eth2    MAC Based   0 Authentications               -                       │
└────────────────────────────────────────────────────────────────────────────┘

╒ VLAN Assignment ═══════════════════════════════════════════════════════════╕
│PORT    ENABLED  STATE       FROM     ASSIGNING-CLIENT   VLAN               │
│eth1    Yes      Unassigned  -        -                  -                  │
│eth2    Yes      Unassigned  -        -                  -                  │
└────────────────────────────────────────────────────────────────────────────┘

- Use 'show port-access audit' to display related events in the audit log.
- Use 'show port-access INSTANCE' to show details for a specific instance.
- Use 'port-access instance-dividers' to enable dividers between instances
  in the tables.
example:/#>

In addition, the ports eth1 and eth2 are still in their starting VLAN (vlan1):

example:/#> show vlan
VID  NAME             TAGGED/UNTAGGED/POLICY NEST                             
   1 vlan1            T:
                     U: eth1..eth2, eth4
  10 vlan10           T:
                     U: eth5
  20 vlan20           T:
                     U: eth3
example:/#>
example:/#> show port
PORT             LINK     TYPE       SPEED  STATE           OWNER/VLAN        
eth1             Up        N/A     Unknown  Forwarding      vlan U:1
eth2             Up        N/A     Unknown  Forwarding      vlan U:1
eth3             Up        N/A     Unknown  Forwarding      vlan U:20
eth4             Up        N/A     Unknown  Forwarding      vlan U:1
eth5             Up        N/A     Unknown  Forwarding      vlan U:10
example:/#>

After Authentication

Now let’s assume that the WeOS device observes frames from host H1 with MAC address 00:11:22:33:44:55 on port eth1 and from host H2 with MAC address 00:aa:bb:cc:dd:ee on port eth2. After successful MAB authentication, the ports eth1 and eth2 should be assigned to VLAN 10 and VLAN 20 respectively, and the status should look something like this:

example:/#> show port-access
Number of Port Access Instances: 1
Table Instance Dividers        : Disabled

╒ 802.1X Authentications ════════════════════════════════════════════════════╕
│#  MAC-ADDRESS        SUPPLICANT    PORT    SERVER           DATE-ADDED     │
│No authenticated 802.1X clients found.                                      │
└────────────────────────────────────────────────────────────────────────────┘

╒ MAC Auth Authentications ══════════════════════════════════════════════════╕
│#  MAC-ADDRESS        PORT    METHOD                         DATE-ADDED     │
│1  00:11:22:33:44:55  eth1    Server (10.0.1.2)          Mar 12 09:15:23    │
│2  00:aa:bb:cc:dd:ee  eth2    Server (10.0.1.2)          Mar 12 09:15:45    │
└────────────────────────────────────────────────────────────────────────────┘

╒ Ports ═════════════════════════════════════════════════════════════════════╕
│PORT    METHOD      STATE                           AUTHENTICATED-MAC       │
│eth1    MAC Based   1 Authentication                00:11:22:33:44:55       │
│eth2    MAC Based   1 Authentication                00:aa:bb:cc:dd:ee       │
└────────────────────────────────────────────────────────────────────────────┘

╒ VLAN Assignment ═══════════════════════════════════════════════════════════╕
│PORT    ENABLED  STATE       FROM     ASSIGNING-CLIENT   VLAN               │
│eth1    Yes      Assigned    Server   00:11:22:33:44:55   VID 10 (vlan10)   │
│eth2    Yes      Assigned    Server   00:aa:bb:cc:dd:ee   VID 20 (vlan20)   │
└────────────────────────────────────────────────────────────────────────────┘

- Use 'show port-access audit' to display related events in the audit log.
- Use 'show port-access INSTANCE' to show details for a specific instance.
- Use 'port-access instance-dividers' to enable dividers between instances
  in the tables.
example:/#>

The VLAN and port status should now also reflect the new VLAN assignment for the ports:

example:/#> show vlan
VID  NAME             TAGGED/UNTAGGED/POLICY NEST                             
   1 vlan1            T:
                      U: eth4
  10 vlan10           T:
                      U: eth1, eth5
  20 vlan20           T:
                      U: eth2..eth3
example:/#>
example:/#> show port
PORT             LINK     TYPE       SPEED  STATE           OWNER/VLAN        
eth1             Up        N/A     Unknown  Forwarding      vlan U:10
eth2             Up        N/A     Unknown  Forwarding      vlan U:20
eth3             Up        N/A     Unknown  Forwarding      vlan U:20
eth4             Up        N/A     Unknown  Forwarding      vlan U:1
eth5             Up        N/A     Unknown  Forwarding      vlan U:10
example:/#>

As you can see, eth1 has been dynamically assigned to VLAN 10 (vlan10) and eth2 has been assigned to VLAN 20 (vlan20) based on the authentication information received from the RADIUS server for their respective MAC addresses. The ports are now untagged members of their respective assigned VLANs instead of the initial VLAN 1.

Regarding Multiple MAC Addresses on the Same Port

At this point the port’s VLAN is more or less “locked” to the first authenticated MAC address. If another device with a different MAC address tries to authenticate on the same port, it will be authenticated, but the port will remain in the VLAN assigned by the first authenticated MAC address. This behaviour follows the MAC Based port method. For more information about port methods and their behaviour, see the Port Access Control Guide. This is particularly relevant in scenarios where a single port may have a switch or hub behind it with multiple devices, or where a device may change its MAC address and reconnect.

Ports eth1 and eth2 will now remain assigned to VLAN 10 and VLAN 20 respectively until the authenticated clients are deauthenticated, for example when a host disconnects or the port is brought down. When this happens the ports are moved back to their starting VLAN, which in this use case is VLAN 1.
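The assignment rules described on this page (the Tunnel-* attributes expected in the RADIUS Access-Accept, the per-instance allowed VID list, the first authenticated MAC locking the port's VLAN, and the return to VLAN 1 once all clients are deauthenticated) modelled in Python as an added example for checking expected behaviour. This is not WeOS code; the handling of a reply whose VID is outside the allowed list (the port stays where it is) is an assumption, as are the attribute-dictionary shape and the method names.

```python
"""Model of the dynamic VLAN assignment behaviour described in this HowTo.
Added example, not WeOS code. Attribute values follow RFC 3580:
Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802."""

TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6
START_VID = 1  # ports start in, and fall back to, VLAN 1


def vid_from_accept(attrs):
    """Return the VID carried by an Access-Accept, or None if the Tunnel
    attributes are missing, do not describe a VLAN, or the group id is
    not a plain numeric VLAN tag (the page expects e.g. "10" or "20")."""
    if attrs.get("Tunnel-Type") not in ("VLAN", TUNNEL_TYPE_VLAN):
        return None
    if attrs.get("Tunnel-Medium-Type") not in ("IEEE-802", TUNNEL_MEDIUM_IEEE802):
        return None
    gid = str(attrs.get("Tunnel-Private-Group-Id", "")).strip()
    return int(gid) if gid.isdigit() else None


class PortAccessInstance:
    """One port-access instance: its ports and its allowed VIDs."""

    def __init__(self, ports, allowed_vids):
        self.allowed = set(allowed_vids)
        self.state = {p: {"vid": START_VID, "clients": [], "assigning": None}
                      for p in ports}

    def authenticate(self, port, mac, accept_attrs):
        """`mac` passed MAB on `port`; return the VID the port ends up in."""
        st = self.state[port]
        first_client = not st["clients"]
        if mac not in st["clients"]:
            st["clients"].append(mac)
        if not first_client:
            return st["vid"]  # locked to the first authenticated MAC
        vid = vid_from_accept(accept_attrs)
        if vid is not None and vid in self.allowed:
            st["vid"], st["assigning"] = vid, mac
        return st["vid"]  # assumption: unusable VID leaves the port in place

    def deauthenticate(self, port, mac):
        """`mac` left `port`; once no client remains the port goes back to
        its starting VLAN. Returns the VID the port is in afterwards."""
        st = self.state[port]
        if mac in st["clients"]:
            st["clients"].remove(mac)
        if not st["clients"]:
            st["vid"], st["assigning"] = START_VID, None
        return st["vid"]

    def vlan_assignment_rows(self):
        """Rows shaped like the 'VLAN Assignment' table of show port-access."""
        rows = []
        for port, st in self.state.items():
            assigned = st["assigning"] is not None
            rows.append((port, "Assigned" if assigned else "Unassigned",
                         "Server" if assigned else "-",
                         st["assigning"] or "-", st["vid"] if assigned else None))
        return rows
```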