Every production 802.1X deployment has devices that do not support 802.1X: network printers, IP cameras, badge readers, environmental monitoring sensors, VoIP phones from non-Cisco vendors, and legacy industrial equipment. These devices cannot send EAPOL frames or run a supplicant. Without a fallback mechanism, every port hosting such a device is permanently unauthorized.
MAC Authentication Bypass (MAB) is that fallback. When the switch times out waiting for an 802.1X supplicant, it sends the device's MAC address to ISE as the username and password in a RADIUS Access-Request. ISE evaluates the MAC against its endpoint database and returns an authorization policy — the same VLAN, dACL, and session attribute mechanism used for full 802.1X.
The fundamental limitation of MAB is that MAC addresses can be spoofed. An attacker who knows an authorized MAC address can connect a laptop, set its MAC to match, and pass MAB authentication. This is why MAB policy design matters: MAB-authenticated devices should receive the minimum access necessary, and ISE's profiling engine should verify that the device characteristics match the claimed device type.
This article assumes [Article 8: Basic 802.1X Port Configuration on Cisco IOS XE Switches] and [Article 9: Configuring Cisco ISE as a RADIUS Server for 802.1X] are complete.
How MAB Works on the Switch
When a port is configured with both dot1x pae authenticator and mab:
- The switch sends an EAP-Request/Identity frame and waits for a response
- If no EAPOL response is received within tx-period * max-reauth-req seconds, MAB begins
- The switch sends a RADIUS Access-Request to ISE with:
  - User-Name: MAC address in the format aabbccddeeff (lowercase, no delimiters — default on IOS XE 17.9.x)
  - Password: Same MAC address (also used as the password for PAP-based MAB)
  - Service-Type: Call Check (value 10) — this is ISE's indicator that this is a MAB request
  - Calling-Station-Id: MAC address in AA-BB-CC-DD-EE-FF format (hyphen-delimited, uppercase)
  - NAS-Port-Type: Ethernet
- ISE receives the Access-Request, recognizes it as MAB (Service-Type = Call Check), and checks its endpoint database
- ISE returns Access-Accept or Access-Reject based on the endpoint's identity group and authorization policy
The Service-Type: Call Check attribute is what distinguishes a MAB RADIUS request from a regular 802.1X RADIUS request in ISE's Authentication Policy matching logic.
Switch Configuration
The MAB-specific switch configuration is minimal because most of the work is done in the base 802.1X interface configuration. The key additions for MAB are mab and the fallback order settings.
interface GigabitEthernet1/0/12
description Printer - HP LaserJet Pro
switchport mode access
switchport access vlan 10
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
!
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication event fail action authorize vlan 40
authentication event server dead action authorize vlan 50
authentication event server alive action reinitialize
!
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 2
!
mab
Line-by-line explanation:
authentication order dot1x mab — 802.1X is tried first. Only after 802.1X times out (tx-period * max-reauth-req seconds = 10 * 2 = 20 seconds here) does MAB begin. For ports that exclusively host non-supplicant devices (dedicated printer ports, camera ports), you can swap the order to mab dot1x to reduce authentication time, but this is generally not recommended for shared ports.
authentication priority dot1x mab — if MAB has authenticated a device and then an EAPOL frame arrives on the port (a user plugs in a laptop to a printer's network port, for example), 802.1X takes priority and preempts the MAB session. This prevents a scenario where a supplicant-capable device hides behind an already-MAB-authenticated connection.
dot1x max-reauth-req 2 — reduced from 3 to 2 for printer/device ports. Two retransmits * 10 second tx-period = 20 seconds before MAB fallback. For dedicated non-supplicant ports, reducing this speeds up network access for the device.
mab — enables MAC Authentication Bypass. Without this command, 802.1X times out and the port falls to the Guest VLAN (if configured) or stays unauthorized. There is no explicit MAB configuration block required on the switch — mab is the only command.
Ports Dedicated to Non-Supplicant Devices
For ports that will never have an 802.1X supplicant — dedicated to a printer, IP camera, or badge reader — you can optimize by reducing the dot1x timeout:
interface GigabitEthernet1/0/24
description IP Camera - Axis P3245
switchport mode access
switchport access vlan 10
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
!
authentication host-mode single-host
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication event server dead action authorize vlan 50
authentication event server alive action reinitialize
!
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-reauth-req 1
!
mab
authentication order mab dot1x — MAB is tried first. The switch still sends one EAP-Request/Identity (because dot1x pae authenticator is present), but if no response arrives within 5 seconds (tx-period 5 * max-reauth-req 1), MAB runs immediately. Total time to authentication: approximately 5-6 seconds instead of 20-30 seconds.
authentication host-mode single-host — only one device is allowed on this port. If a second MAC address is detected (someone connecting another device), the port goes unauthorized. Appropriate for cameras and badge readers where the connected device never changes.
ISE Configuration
Step 1: Endpoint Identity Groups
ISE organizes endpoints into Endpoint Identity Groups for policy matching. Create groups for each device category:
Navigation: Administration > Identity Management > Groups > Endpoint Identity Groups > Add
Create the following groups:
Name: Printers
Description: Network printers and MFPs (MAB authenticated)
Parent: Endpoint Identity Groups
Name: IP-Cameras
Description: IP surveillance cameras (MAB authenticated)
Parent: Endpoint Identity Groups
Name: Badge-Readers
Description: Physical access control readers (MAB authenticated)
Parent: Endpoint Identity Groups
Name: IoT-Sensors
Description: Environmental and industrial IoT sensors (MAB authenticated)
Parent: Endpoint Identity Groups
Name: Unknown-MAB
Description: MAC addresses not yet classified (MAB authenticated, restricted access)
Parent: Endpoint Identity Groups
Step 2: Add Endpoints to Identity Groups
For known MAC addresses, add them to identity groups manually or via import:
Navigation: Administration > Identity Management > Identities > Endpoints > Add
MAC Address: A4:B1:E9:F0:3C:01
Static Assignment: Yes
Identity Group: Printers
Description: HP LaserJet Pro M404dn - Finance Dept
For large deployments, use the bulk import feature:
Navigation: Administration > Identity Management > Identities > Endpoints > Import
CSV format:
MACAddress,StaticAssignment,StaticGroupAssignment,IdentityGroup,Description
a4b1e9f03c01,TRUE,TRUE,Printers,HP LaserJet Pro M404dn - Finance
00408c112233,TRUE,TRUE,IP-Cameras,Axis P3245 - Lobby
001a2b3c4d5e,TRUE,TRUE,Badge-Readers,HID Reader - Main Entrance
For environments where MAC addresses are not known in advance, ISE's profiling engine classifies endpoints automatically based on DHCP, HTTP, SNMP, and RADIUS attributes. Configure profiling and let ISE populate the identity groups dynamically.
Step 3: Configure Profiling (Recommended)
ISE profiling classifies endpoints by analyzing network behaviors and attributes. For MAB environments, profiling determines what type of device is connected before authorization policy is applied.
Navigation: Administration > System > Deployment > [ISE Node] > Profiling Configuration
Enable:
RADIUS probe: On (receives RADIUS attributes for profiling)
DHCP probe: On (analyzes DHCP requests — hostname, vendor class ID, options)
HTTP probe: On (analyzes HTTP User-Agent from redirect or sensor)
SNMP probe: On (polls SNMP on endpoints — useful for network devices)
SNMP Trap probe: On
DNS probe: On
With profiling enabled, ISE builds an endpoint profile for each MAC address it sees. Common profiles relevant to MAB:
- HP-Printer — matched by DHCP vendor class ID (HP JetDirect) and SNMP OID
- Axis-Camera — matched by DHCP hostname pattern and HTTP User-Agent
- Cisco-IP-Phone-8800 — matched by DHCP options, CDP (via SNMP), and RADIUS Calling-Station-Id OUI
The profiling engine assigns each endpoint a profiling policy. Use EndpointProfile as a condition in the authorization policy to match specific device types without requiring manual MAC address assignment.
Step 4: Allowed Protocols for MAB
ISE uses a specific Allowed Protocols configuration for MAB. The built-in MAB Allowed Protocols list is configured for this purpose:
Navigation: Policy > Policy Elements > Results > Authentication > Allowed Protocols
The built-in MAB Allowed Protocols allows only PAP/ASCII (which is how the MAC address password is sent). Do not use the same Allowed Protocols list for MAB and 802.1X — keep them separate. ISE recognizes MAB by the Service-Type: Call Check attribute, and the Authentication Policy routes these requests to the MAB rule.
Step 5: Authentication Policy for MAB
Navigation: Policy > Policy Sets > Default > Authentication Policy
Rule Name: Wired_MAB
Priority: 2 (below the Dot1X rule)
Conditions:
- Wired_MAB (built-in compound condition: NAS-Port-Type EQUALS Ethernet AND Radius:Service-Type EQUALS Call Check)
Use (Allowed Protocols): MAB
Use (Identity Source): Internal Endpoints
Options:
If user not found: Continue (allow unknown MACs to reach authorization policy)
If process failed: Drop
If user not found: Continue — critical for MAB. Unlike 802.1X where an unknown user should be rejected, MAB should continue to the authorization policy even when the MAC is not in the Internal Endpoints database. The authorization policy then decides whether to deny, place in Guest VLAN, or apply a limited-access profile. If you set this to Reject, every unregistered MAC receives an Access-Reject instead of going through authorization policy evaluation.
Step 6: Authorization Policy for MAB
Navigation: Policy > Policy Sets > Default > Authorization Policy
Rule Name: MAB_Printers
Priority: 10
Conditions:
- Network_Access:AuthenticationMethod EQUALS PAP_ASCII
- AND: Endpoint:IdentityGroup EQUALS Printers
- OR: EndpointProfile EQUALS HP-Printer
Authorization Profile: VLAN10_Corp_Data (with printer-specific dACL if needed)
Rule Name: MAB_IP_Cameras
Priority: 11
Conditions:
- Network_Access:AuthenticationMethod EQUALS PAP_ASCII
- AND: Endpoint:IdentityGroup EQUALS IP-Cameras
- OR: EndpointProfile EQUALS Axis-Camera
Authorization Profile: VLAN10_Corp_Data (cameras on dedicated camera VLAN in production)
Rule Name: MAB_Badge_Readers
Priority: 12
Conditions:
- Network_Access:AuthenticationMethod EQUALS PAP_ASCII
- AND: Endpoint:IdentityGroup EQUALS Badge-Readers
Authorization Profile: VLAN10_Corp_Data (badge readers on dedicated security VLAN)
Rule Name: MAB_Unknown_Endpoint
Priority: 20
Conditions:
- Network_Access:AuthenticationMethod EQUALS PAP_ASCII
- AND: Endpoint:IdentityGroup NOT EQUALS Printers
- AND: Endpoint:IdentityGroup NOT EQUALS IP-Cameras
- AND: Endpoint:IdentityGroup NOT EQUALS Badge-Readers
Authorization Profile: VLAN30_Guest
Rule Name: MAB_Deny_Unlisted
Priority: 25 (before Default_Deny, explicit deny for unknown MAB with no group)
Conditions:
- Network_Access:AuthenticationMethod EQUALS PAP_ASCII
Authorization Profile: DenyAccess
The condition Network_Access:AuthenticationMethod EQUALS PAP_ASCII is the reliable way to identify MAB sessions in the authorization policy. It pins the rule to sessions where the authentication was PAP — the mechanism used by MAB — rather than 802.1X EAP.
The MAB_Unknown_Endpoint rule places endpoints with registered MACs (in Internal Endpoints) but no assigned identity group into Guest VLAN 30. These are known-but-unclassified endpoints — they exist in the database but haven't been assigned to a device-type group. The Guest VLAN provides limited access while the administrator reviews and categorizes the endpoint.
The MAB_Deny_Unlisted rule catches MAC addresses that are not in the Internal Endpoints database at all (new, unregistered devices). These receive Access-Reject. In an open enrollment environment, you might replace this with a Guest VLAN profile to allow unregistered devices temporary access.
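As an added illustration (my code, not the article's and not ISE's), the following Python models the five MAB authorization rules above as an ordered, first-match list, which is how ISE walks a policy set. The registered flag is an assumption of the example: the article scopes MAB_Unknown_Endpoint to MACs that exist in Internal Endpoints but have no device group, so the model checks that explicitly; only the MAB rules are modeled, so an EAP session falls straight to Default_Deny here.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class Session:
    """What ISE knows about one RADIUS session when authorization runs.
    registered is an assumption of this example: True when the MAC exists in
    Internal Endpoints, which is how the article scopes MAB_Unknown_Endpoint."""
    method: str                    # Network_Access:AuthenticationMethod
    group: Optional[str] = None    # Endpoint:IdentityGroup, None if unassigned
    profile: Optional[str] = None  # EndpointProfile from the profiling engine
    registered: bool = False

def is_mab(s: Session) -> bool:
    return s.method == "PAP_ASCII"  # MAB authenticates with PAP; 802.1X uses EAP

DEVICE_GROUPS = {"Printers", "IP-Cameras", "Badge-Readers"}

# Ordered as in the article's policy set (lowest priority number first);
# the first matching rule wins and returns its authorization profile.
RULES: List[Tuple[str, Callable[[Session], bool], str]] = [
    ("MAB_Printers",
     lambda s: is_mab(s) and (s.group == "Printers" or s.profile == "HP-Printer"),
     "VLAN10_Corp_Data"),
    ("MAB_IP_Cameras",
     lambda s: is_mab(s) and (s.group == "IP-Cameras" or s.profile == "Axis-Camera"),
     "VLAN10_Corp_Data"),
    ("MAB_Badge_Readers", lambda s: is_mab(s) and s.group == "Badge-Readers",
     "VLAN10_Corp_Data"),
    ("MAB_Unknown_Endpoint",  # registered MAC not yet placed in a device group
     lambda s: is_mab(s) and s.registered and s.group not in DEVICE_GROUPS,
     "VLAN30_Guest"),
    ("MAB_Deny_Unlisted", lambda s: is_mab(s), "DenyAccess"),  # MAC not in ISE at all
    ("Default_Deny", lambda s: True, "DenyAccess"),
]

def authorize(s: Session) -> Tuple[str, str]:
    """Return (rule name, authorization profile) of the first matching rule."""
    for name, matches, profile in RULES:
        if matches(s):
            return name, profile
    raise RuntimeError("unreachable: Default_Deny always matches")

if __name__ == "__main__":
    # Constructed sample sessions, not real ISE data.
    samples = {
        "registered HP printer": Session("PAP_ASCII", "Printers", "HP-Printer", True),
        "profiled camera, no group": Session("PAP_ASCII", None, "Axis-Camera", True),
        "registered, unclassified": Session("PAP_ASCII", None, None, True),
        "never-seen MAC": Session("PAP_ASCII"),
        # A laptop on a printer's MAC still hits MAB_Printers through the group
        # condition (the rule ORs group and profile): the spoofing limitation above.
        "spoofed printer MAC": Session("PAP_ASCII", "Printers", "Windows-Workstation", True),
    }
    for label, sess in samples.items():
        print(f"{label:26} -> {authorize(sess)}")
```

The last sample is the point to take away: a group match alone is satisfied by any device presenting that MAC, so a profile-based condition only adds assurance if it is ANDed with the group rather than ORed.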
Configuring MAB MAC Address Format on ISE
IOS XE 17.9.x sends the MAC address in the User-Name attribute as lowercase with no delimiters: a4b1e9f03c01. ISE must be configured to accept this format.
Navigation: Administration > System > Settings > Protocols > RADIUS
Under MAC Address Normalization:
Endpoint MAC Address Normalization: Enabled
Format: No Delimiter (aabbccddeeff)
Case: Lowercase
Confirm this matches what the switch sends. With a format mismatch, ISE does not find the endpoint in its database even when the MAC is correctly registered. The Calling-Station-Id attribute (which uses AA-BB-CC-DD-EE-FF format by default) is used for endpoint lookup by the profiling engine; the User-Name attribute is what ISE uses for the identity store lookup.
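To make the formats concrete, here is an added Python example (mine, not the article's or ISE's code) covering the MAB Access-Request attributes described under How MAB Works, the Endpoints import CSV from Step 2, and the User-Name format mismatch this section and the troubleshooting section describe. The lookup store is a plain dict standing in for Internal Endpoints; that and the helper names are assumptions of the example.

```python
import csv
import io
import re
from typing import Dict, Optional, Sequence, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
CALL_CHECK = 10  # RADIUS Service-Type value the switch sets on MAB requests

def normalize_mac(mac: str) -> str:
    """Return the form IOS XE 17.9.x puts in User-Name for MAB: lowercase, no
    delimiters. Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff
    and aabbccddeeff; anything else is rejected rather than silently mangled."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def calling_station_id(mac: str) -> str:
    """Calling-Station-Id as the switch sends it: AA-BB-CC-DD-EE-FF."""
    d = normalize_mac(mac).upper()
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))

def mab_access_request(mac: str) -> Dict[str, object]:
    """The attribute set the article lists for a MAB Access-Request."""
    user = normalize_mac(mac)
    return {"User-Name": user, "User-Password": user, "Service-Type": CALL_CHECK,
            "Calling-Station-Id": calling_station_id(mac), "NAS-Port-Type": "Ethernet"}

def is_mab_request(attrs: Dict[str, object]) -> bool:
    """Mirror of ISE's built-in Wired_MAB condition."""
    return attrs.get("NAS-Port-Type") == "Ethernet" and attrs.get("Service-Type") == CALL_CHECK

def lookup_endpoint(store: Dict[str, str], attrs: Dict[str, object],
                    normalize: bool) -> Optional[str]:
    """Identity-store lookup keyed on User-Name, returning the identity group.
    normalize=False is the exact string comparison from the troubleshooting
    section: a store entry written as AA:BB:CC:DD:EE:FF is never found."""
    key = str(attrs["User-Name"])
    if normalize:
        store = {normalize_mac(k): v for k, v in store.items()}
    return store.get(key)

def endpoint_import_csv(rows: Sequence[Tuple[str, str, str]]) -> str:
    """Build the Endpoints > Import CSV from (mac, identity group, description)
    tuples, with every MAC written in the switch's User-Name format."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["MACAddress", "StaticAssignment", "StaticGroupAssignment",
                "IdentityGroup", "Description"])
    for mac, group, desc in rows:
        w.writerow([normalize_mac(mac), "TRUE", "TRUE", group, desc])
    return out.getvalue()
```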
Verifying MAB Authentication
C9300# show authentication sessions interface GigabitEthernet1/0/12 details
Interface: GigabitEthernet1/0/12
IIF-ID: 0x3G7D9E5F
MAC Address: a4b1.e9f0.3c01
IPv4 Address: 10.0.10.201
User-Name: a4b1e9f03c01
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: 28800s (server), Remaining: 28741s
Common Session ID: 0A006301000001C6F4F56G30
Server Policies:
Vlan Group: Vlan: 10
Method status list:
Method State
mab Authc Success
Key verification points:
- User-Name: a4b1e9f03c01 — the MAC address in lowercase no-delimiter format, confirming MAB authenticated this session (not dot1x)
- Method: mab / Authc Success — MAB is the authentication method, not dot1x
- Status: Authorized — ISE returned Access-Accept for this MAC
- Vlan Group: Vlan: 10 — ISE assigned VLAN 10 via the Printers authorization rule
C9300# show authentication sessions
Interface   MAC Address     Method  Domain  Status  Fg  Session ID
Gi1/0/1     a4b1.e9f0.3c22  dot1x   DATA    Auth        0A006301000001B4
Gi1/0/12    a4b1.e9f0.3c01  mab     DATA    Auth        0A006301000001C6
Gi1/0/24    0040.8c11.2233  mab     DATA    Auth        0A006301000001C7
Gi1/0/36    001a.2b3c.4d5e  mab     DATA    Auth        0A006301000001C8
The Method column shows which ports are using dot1x and which are using MAB. Any port showing mab in the Method column depends on MAC address authentication, which is a weaker security posture than 802.1X.
On ISE — Live Logs
Navigation: Operations > RADIUS > Live Logs
Status: Authentication Succeeded
Username: a4b1e9f03c01
MAC Address: A4:B1:E9:F0:3C:01
NAS-IP: 10.0.99.1
NAS-Port: GigabitEthernet1/0/12
Auth Policy: Wired_MAB
Authz Policy: MAB_Printers
Authz Profile: VLAN10_Corp_Data
Authentication: MAB
Endpoint Profile: HP-Printer (from profiling)
Identity Group: Printers
The Endpoint Profile: HP-Printer field shows that ISE's profiling engine classified this MAC as an HP Printer, which triggered the MAB_Printers authorization rule via the EndpointProfile EQUALS HP-Printer condition.
MAB in Monitor Mode vs. Closed Mode
The behavior of MAB changes significantly based on the deployment mode on the switch port. In monitor mode (ports default to authorized and authentication runs without enforcement), MAB may not be the right mechanism at all — all traffic passes regardless of authentication result. In closed mode (default deny, only authenticated sessions pass traffic), MAB is the critical fallback for non-supplicant devices. See [Article 26: Monitor Mode vs Low-Impact Mode vs Closed Mode: Choosing Your 802.1X Deployment Strategy] for a full comparison of deployment modes and when each is appropriate.
Troubleshooting
Symptom: Non-supplicant device connects but is never authorized via MAB — show authentication sessions shows the port in connecting state indefinitely.
Cause: mab is not configured on the interface, or the authentication order does not include mab. The switch waits for dot1x indefinitely.
Fix: Verify mab appears in the interface configuration with show run interface GigabitEthernet1/0/12. Also confirm authentication order dot1x mab includes mab. If mab is configured but not triggering, check that dot1x timeout tx-period and dot1x max-reauth-req are set to values that allow reasonable wait time before MAB begins. With tx-period 30 and max-reauth-req 2, MAB does not start for 60 seconds.
Symptom: ISE Live Logs show MAB authentication as "User not found in Internal Endpoints" and the Authorization Policy falls to Default_Deny, even though the MAC is registered in ISE.
Cause: MAC address format mismatch. The switch sends the MAC in aabbccddeeff format but ISE has the MAC registered as AA:BB:CC:DD:EE:FF or AA-BB-CC-DD-EE-FF. ISE's string comparison for endpoint lookup is exact.
Fix: Navigate to Administration > Identity Management > Identities > Endpoints and search for the MAC. Check the stored format. Under Administration > System > Settings > Protocols > RADIUS, verify MAC Address Normalization is enabled and matches the switch's transmission format. Alternatively, re-add the endpoint in the correct format and retest.
Symptom: MAB authenticates the device but places it in Guest VLAN 30 instead of the correct device VLAN — the device is in the Printers identity group.
Cause: The Authorization Policy MAB_Printers rule is not matching. The condition on the rule may use Endpoint:IdentityGroup EQUALS Printers but the ISE identity group name has a different case or parent path, causing a condition evaluation mismatch.
Fix: In ISE Live Logs, expand the authentication event and review the Other Attributes section — look for Endpoint-Profile, EndpointGroup, and IdentityGroup attribute values. Compare these exact strings to the conditions in your Authorization Policy. ISE condition matching is case-sensitive for string comparisons. Also confirm the endpoint's Identity Group assignment is static (not dynamic) if you assigned it manually — dynamic profiling-based assignment can be overridden if the profiling engine reclassifies the endpoint.
Symptom: A laptop with its MAC address spoofed to match a registered printer MAC passes MAB authentication and receives printer-level network access.
Cause: This is the inherent limitation of MAB. MAC address spoofing is trivial and ISE cannot differentiate a spoofed MAC from a legitimate device MAC through MAB alone.
Fix: This is a design issue, not a configuration bug. Mitigations: (1) Use ISE profiling to verify the endpoint's behavior matches the expected device type — a laptop spoofing a printer MAC will have different DHCP vendor class, HTTP User-Agent, and SNMP characteristics. ISE can trigger a CoA to change the authorization if the profiling result changes. (2) Use VLAN segmentation to restrict what MAB-authenticated devices can reach — printers should only be on a printer VLAN with restricted firewall rules. (3) For high-security ports, disable MAB fallback and require 802.1X for all devices.
What's Next: [Article 13: 802.1X Authentication Host Modes: Single-Host, Multi-Host, Multi-Domain, Multi-Auth] — a detailed comparison of all four host modes on Cisco IOS XE, with configuration examples for each and guidance on which mode to use for access ports, IP phone ports, and shared device ports.