Since 5.0x908 there is support for MAC Authentication Bypass & VLAN assignment in univention-radius. You can find the documentation here: Mac-Authentication-Bypass-With-Computer-Objects
However, here is some more information that doesn’t really fit into the official documentation.
First, the configuration of a Cisco switch running IOS 15. In this case it is an old Cisco 2960 8-port switch. The config is only intended as an example, not as a good and sane config for production use. Other switches from the same or different vendors might need a different configuration:
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c2960
!
boot-start-marker
boot-end-marker
!
enable secret 5 <secretpassword>
!
username admin privilege 7 secret 5 <secretpassword>
aaa new-model
!
!
aaa group server radius UCS
server name UCS-1
!
aaa authentication login default group UCS local
aaa authentication login vty_list group UCS local enable
aaa authentication dot1x default group UCS
aaa authorization console
aaa authorization exec default group UCS local
aaa authorization exec vty_list group UCS local
aaa authorization network default group UCS
aaa accounting update newinfo
aaa accounting dot1x default start-stop group UCS
aaa accounting exec default start-stop group UCS
aaa accounting network default start-stop group UCS
!
aaa server radius dynamic-author
client <IP address Radius 1> server-key 7 <secretpassword>
client <IP address Radius 2> server-key 7 <secretpassword>
!
aaa session-id common
system mtu routing 1500
!
!
no ip domain-lookup
ip domain-name <domain>
ip name-server <IP address of nameserver>
!
mab request format attribute 1 groupsize 2 separator : lowercase
!
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1-1001 priority 8192
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
interface Loopback0
no ip address
!
interface FastEthernet0/1
description endhost
switchport access vlan 200
switchport mode access
switchport voice vlan 10
switchport port-security maximum 3
switchport port-security violation restrict
switchport port-security
priority-queue out
authentication event fail action authorize vlan 2
authentication event server dead action authorize vlan 200
authentication event server dead action authorize voice
authentication event no-response action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
mls qos trust device cisco-phone
dot1x pae authenticator
dot1x timeout quiet-period 3
dot1x timeout tx-period 2
dot1x timeout supp-timeout 10
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
description uplink1
switchport mode trunk
media-type rj45
priority-queue out
mls qos trust cos
!
interface GigabitEthernet0/2
description uplink2
switchport mode trunk
media-type rj45
priority-queue out
mls qos trust cos
!
interface Vlan1
ip address dhcp
!
ip default-gateway <IP address default gw>
no ip http server
no ip http secure-server
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server dead-criteria time 30 tries 3
radius-server timeout 10
radius-server deadtime 10
!
radius server UCS-1
address ipv4 <IP address Radius 1> auth-port 1812 acct-port 1813
key 7 <secretpassword>
!
radius server UCS-2
address ipv4 <IP address Radius 2> auth-port 1812 acct-port 1813
key 7 <secretpassword>
!
line con 0
session-timeout 30
exec-timeout 30 0
password 7 <secretpassword>
authorization exec vty_list
login authentication vty_list
stopbits 1
line vty 0 4
session-timeout 30
access-class 23 in vrf-also
exec-timeout 30 0
password 7 <secretpassword>
authorization exec vty_list
login authentication vty_list
transport input ssh
line vty 5 15
session-timeout 30
access-class 23 in vrf-also
exec-timeout 30 0
password 7 <secretpassword>
authorization exec vty_list
login authentication vty_list
transport input ssh
!
end
MAB is only configured on port fa0/1. Radius authentication is also configured for login via serial console and SSH access.
Important to note is the line mab request format attribute 1 groupsize 2 separator : lowercase which configures the format of the MAC address and how it is sent to the RADIUS server. You can read more in the Cisco documentation under Configurable MAB Username and Password.
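As an added example (not part of the original post and not univention-radius code), the following Python shows both sides of that line: format_mab_username builds the MAC string the switch sends in attribute 1 for each groupsize/separator/case option, and canonical_mac normalizes whatever arrives into 12 lowercase hex digits before the lookup, so the RADIUS side keeps working no matter which format a switch is configured with. authorize_mab then answers with the standard RFC 3580 VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id). The COMPUTERS table is a constructed stand-in for the computer objects and their VLAN groups; the first MAC is the one from the RADIUS log line in this post, the second is made up.

```python
import re

# Allowed input: hex digits separated by ':', '-' or '.' (the three Cisco
# separator options) or with no separator at all.
_MAC_CHARS = re.compile(r"[0-9A-Fa-f:.\-]+")


def canonical_mac(value: str) -> str:
    """Normalize any common MAC representation to 12 lowercase hex digits."""
    if _MAC_CHARS.fullmatch(value) is None:
        raise ValueError(f"not a MAC address: {value!r}")
    digits = re.sub(r"[:.\-]", "", value).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


def format_mab_username(mac: str, groupsize: int = 2, separator: str = ":",
                        lowercase: bool = True) -> str:
    """Render a MAC the way 'mab request format attribute 1' would send it.

    groupsize 1, 2, 4 or 12 hex digits per group; separator ':', '-' or '.';
    groupsize 12 yields a single group, so the separator never appears.
    """
    if groupsize not in (1, 2, 4, 12):
        raise ValueError("groupsize must be 1, 2, 4 or 12")
    if separator not in (":", "-", "."):
        raise ValueError("separator must be ':', '-' or '.'")
    digits = canonical_mac(mac)
    if not lowercase:
        digits = digits.upper()
    return separator.join(digits[i:i + groupsize] for i in range(0, 12, groupsize))


# Constructed stand-in for the computer objects: canonical MAC -> (name, VLAN ID).
# A VLAN of None models a computer that is allowed but is in no VLAN group, so the
# port keeps its configured access VLAN.
COMPUTERS = {
    "28cd4cfffdbd": ("client01$", 300),
    "001122334455": ("printer02$", None),
}

TUNNEL_TYPE_VLAN = 13       # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE802 = 6   # RFC 3580: Tunnel-Medium-Type value for IEEE-802


def authorize_mab(user_name: str) -> tuple[str, dict]:
    """Decide a MAB request from its User-Name.

    Returns ("Access-Accept", reply attributes) or ("Access-Reject", {}).
    Anything that is not a MAC address is rejected on this MAB-only path.
    """
    try:
        mac = canonical_mac(user_name)
    except ValueError:
        return "Access-Reject", {}
    entry = COMPUTERS.get(mac)
    if entry is None:
        return "Access-Reject", {}
    _name, vlan = entry
    reply: dict = {}
    if vlan is not None:
        reply = {
            "Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
            "Tunnel-Private-Group-Id": str(vlan),
        }
    return "Access-Accept", reply


if __name__ == "__main__":
    for gs, sep, lc in ((2, ":", True), (4, ".", True), (12, "-", False)):
        print(format_mab_username("28cd.4cff.fdbd", gs, sep, lc))
    print(authorize_mab("28:cd:4c:ff:fd:bd"))
    print(authorize_mab("00:00:00:00:00:01"))
```

Matching on the canonical form is the important design choice: if the server compared the raw User-Name string against the stored value, changing the switch-side format (or adding a switch from another vendor with a different default) would silently turn every MAB attempt into a reject, or worse, into an unexpected match.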
When nothing is configured on the computer object, or the default VLAN is assigned, the VLAN assignment looks like this:
sh vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Gi0/2
10   VLAN0010                         active    Fa0/1
189  VLAN0189                         active
200  VLAN0200                         active
300  vlan300                          active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Port Fa0/1 is assigned to VLAN ID 1, the default VLAN of the switch.
When the VLAN ID on the computer object is now changed by moving it into the “VLAN300” group (which has VLAN ID 300 assigned), the switch assigns the new VLAN to the port (after a shutdown/no shutdown in this example):
c2960(config-if)#shut
c2960(config-if)#
*Jan 2 00:16:27.632: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Jan 2 00:16:28.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
c2960(config-if)#no shut
c2960(config-if)#
*Jan 2 00:16:42.967: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jan 2 00:16:43.579: %AUTHMGR-5-START: Starting 'mab' for client (28cd.4cff.xxxx) on Interface Fa0/1 AuditSessionID C0A800C20000001C000F841A
*Jan 2 00:16:43.638: %MAB-5-SUCCESS: Authentication successful for client (28cd.4cff.xxxx) on Interface Fa0/1 AuditSessionID C0A800C20000001C000F841A
*Jan 2 00:16:43.638: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (28cd.4cff.xxxx) on Interface Fa0/1 AuditSessionID C0A800C20000001C000F841A
*Jan 2 00:16:43.638: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/1 AuditSessionID C0A800C20000001C000F841A
*Jan 2 00:16:43.973: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Jan 2 00:16:44.409: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (28cd.4cff.xxxx) on Interface Fa0/1 AuditSessionID C0A800C20000001C000F841A
c2960(config-if)#
The RADIUS server is logging this event:
Tue Jan 16 12:07:20 2024 : Info: rlm_ldap (ldap): Opening additional connection (6), 1 of 31 pending slots used
Tue Jan 16 12:07:20 2024 : Auth: (1) Login OK: [<computer>$] (from client <supplicant> port 50001 cli 28-CD-4C-FF-FD-BD)
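To make use of these switch messages on the monitoring side, here is an added Python example (not from the original post) that groups the AUTHMGR/MAB syslog lines by AuditSessionID and flags sessions where the port ended up in a VLAN after a failed or missing MAB verdict (the fallback actions configured with authentication event fail / no-response / server dead on fa0/1 above), or where a successful MAB session was put into a VLAN other than the one expected for that MAC. The sample lines are constructed after the output above: the first session uses the full MAC from the RADIUS log line, the second session is invented and shows a failed MAC landing in the fallback VLAN 2 from the port configuration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on the switch output in this post.
SWITCH_LOG = """\
*Jan 2 00:16:43.579: %AUTHMGR-5-START: Starting 'mab' for client (28cd.4cff.fdbd) on Interface Fa0/1 AuditSessionID C0A800C20000001C000F841A
*Jan 2 00:16:43.638: %MAB-5-SUCCESS: Authentication successful for client (28cd.4cff.fdbd) on Interface Fa0/1 AuditSessionID C0A800C20000001C000F841A
*Jan 2 00:16:43.638: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/1 AuditSessionID C0A800C20000001C000F841A
*Jan 2 00:16:44.409: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (28cd.4cff.fdbd) on Interface Fa0/1 AuditSessionID C0A800C20000001C000F841A
*Jan 2 00:20:01.100: %AUTHMGR-5-START: Starting 'mab' for client (0011.2233.4455) on Interface Fa0/1 AuditSessionID C0A800C20000001D000F8500
*Jan 2 00:20:01.250: %MAB-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Fa0/1 AuditSessionID C0A800C20000001D000F8500
*Jan 2 00:20:01.250: %AUTHMGR-5-VLANASSIGN: VLAN 2 assigned to Interface Fa0/1 AuditSessionID C0A800C20000001D000F8500
"""

# Messages that name a client MAC (START, RESULT, MAB SUCCESS/FAIL, AUTHMGR SUCCESS).
CLIENT_RE = re.compile(
    r"%(?P<fac>AUTHMGR|MAB)-\d-(?P<mn>[A-Z]+):.*client \((?P<mac>[0-9a-fA-F.]+)\) "
    r"on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)
# The VLAN assignment message carries no MAC, only the session id.
VLAN_RE = re.compile(
    r"%AUTHMGR-\d-VLANASSIGN: VLAN (?P<vlan>\d+) assigned to Interface (?P<intf>\S+) "
    r"AuditSessionID (?P<sid>[0-9A-F]+)"
)


@dataclass
class Session:
    sid: str
    interface: str
    mac: str = ""               # 12 lowercase hex digits, no separators
    mab_result: str = ""        # "success", "fail", or "" if no MAB verdict was logged
    vlan: Optional[int] = None  # VLAN the switch put the port into
    authorized: bool = False    # %AUTHMGR-5-SUCCESS seen


def parse_switch_log(text: str) -> dict[str, Session]:
    """Group AUTHMGR/MAB syslog lines by AuditSessionID."""
    sessions: dict[str, Session] = {}
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            s = sessions.setdefault(m["sid"], Session(m["sid"], m["intf"]))
            s.mac = m["mac"].replace(".", "").lower()
            if m["fac"] == "MAB":
                s.mab_result = "success" if m["mn"] == "SUCCESS" else "fail"
            elif m["mn"] == "SUCCESS":
                s.authorized = True
            continue
        m = VLAN_RE.search(line)
        if m:
            s = sessions.setdefault(m["sid"], Session(m["sid"], m["intf"]))
            s.vlan = int(m["vlan"])
    return sessions


def audit(sessions: dict[str, Session],
          expected_vlan: dict[str, Optional[int]]) -> list[tuple[str, str]]:
    """Return (session id, finding) pairs for sessions worth a closer look."""
    findings = []
    for s in sessions.values():
        if s.mab_result == "fail" and s.vlan is not None:
            findings.append((s.sid, f"{s.interface}: MAB failed for {s.mac} but the port "
                                    f"was authorized into fallback VLAN {s.vlan}"))
        elif s.mab_result == "" and s.vlan is not None:
            findings.append((s.sid, f"{s.interface}: no MAB verdict logged, port put into "
                                    f"VLAN {s.vlan} (no-response or server-dead fallback?)"))
        elif s.mab_result == "success" and s.vlan != expected_vlan.get(s.mac):
            findings.append((s.sid, f"{s.interface}: {s.mac} authenticated but got VLAN "
                                    f"{s.vlan}, expected {expected_vlan.get(s.mac)}"))
    return findings


if __name__ == "__main__":
    # Expected mapping is constructed; in practice it comes from the computer objects.
    for sid, text in audit(parse_switch_log(SWITCH_LOG), {"28cd4cfffdbd": 300}):
        print(sid, text)
```

The fallback VLANs in the port configuration (vlan 2 on failure, vlan 1 on no response, vlan 200 when the servers are dead) are a deliberate availability choice, which is exactly why sessions that land there deserve to be visible: a burst of them on one interface tells you either that unknown devices are being plugged in or that the RADIUS servers are unreachable.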
The output of show vlan brief reflects the change of the VLAN ID:
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Gi0/2
10   VLAN0010                         active    Fa0/1
189  VLAN0189                         active
200  VLAN0200                         active
300  vlan300                          active    Fa0/1
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Note: VLAN ID 10 is configured as a voice VLAN. This is a way for (at least) Cisco switches to provide an Ethernet connection to both IP telephones and computers on the same wire. It is independent of the VLAN ID assigned to the computer itself.
Please also remember the note from the official UCS documentation: activating freeradius/conf/allow-mac-address-authentication ignores the Univention Configuration Registry Variable radius/mac/whitelisting and the checkbox "Allow network access", both on the computer object and in the group settings.