Skip to main content

MAC Authentication Bypass (MAB)

MAB and the Zero Trust Campus

The Nile Access Service is built on the principles of a "Zero Trust Campus," ensuring that no user or device is implicitly trusted. As part of this security model, the Nile Access Service supports MAC Authentication Bypass (MAB) as an authentication method for devices that cannot accommodate the 802.1X standard.

While MAB provides network access for non-802.1X capable devices, such as printers and IoT equipment, it is essential to maintain the principles of Zero Trust. Nile's implementation of MAB includes additional security measures to isolate these devices and limit their potential impact on the network.

Why Use MAB?

Nile requires all wired access to be authenticated before granting network connectivity. The Nile Access Service supports three different wired authentication methods:

  1. Wired 802.1X authentication (requires a RADIUS server)
  2. Wired RADIUS MAB authentication (requires a RADIUS server)
  3. Nile Portal Wired MAB authentication

MAB is a crucial authentication method for devices that cannot support the 802.1X standard, ensuring comprehensive coverage and secure access to the Nile network.

Configuring MAB

Nile provides flexible options for configuring MAB within the Nile Access Service:

Uploading a MAC Address List
You can upload a list of MAC addresses for wired MAB authentication by navigating to the Nile Portal (Settings > Access Management > Wired) and providing the following information:

  • MAC address: The device's MAC address (mandatory)
  • Segment: The network segment to which the device should be assigned (required for "Allow" status, optional for "Deny")
  • Lock to Port: Lock the device to a specific switch port (optional)
  • Site, Building, Floor: Restrict the device to a specific geographical location (optional)
  • Allow or Deny: Specify whether to allow or deny access for the device (mandatory)

Enabling Auto-MAB for Specific Device Types
You can also configure Nile to automatically authenticate devices based on their Organizational Unique Identifier (OUI), the first 24 bits of a MAC address that identify the device manufacturer. This can be done in the Nile Portal (Settings > Access Management > Wired > Add Device > OUI/MAC), where you can select the segment, status (Approved/Denied), and geographical scope for the OUI-based policy.

MAB Port Locking and Geographical Scope
Nile offers additional security features for MAB, including the ability to "Lock to Port" and restrict devices to specific geographical locations ("Geo Scope"). These options help mitigate the risks associated with MAB by ensuring that devices can only connect to authorized switch ports and locations.

Disabling Nile Wired Authentication

Nile's network is designed with security best practices in mind, and you cannot disable MAB authentication entirely. However, you can create a catch-all "allow all" policy to grant network access to all devices, assigning them to a specific segment. While this approach is not recommended, it can be enabled in the Nile Portal (Settings > Access Management > Wired > Add Device > Allow all MACs).

Remember that the "allow all" policy will automatically create a unique MAC-allowed entry for each device when it first connects to the Nile switch. Deleting the "allow all" policy will not impact connected devices or delete the specific policies that were auto-created.

By understanding the role of MAB within the Nile Access Service and the available configuration options, you can ensure that non-802.1X capable devices are granted secure network access while maintaining the principles of the Zero Trust Campus.

Back to top