49-12
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 49 Configuring 802.1X Port-Based Authentication
About 802.1X Port-Based Authentication
In a typical deployment, the RADIUS server maintains a database of MAC addresses that require access. When this feature
detects a new MAC address on a port, it generates a RADIUS request with both username and password as the device's MAC
address. After authorization succeeds, the port is accessible to the particular device using the same code path that 802.1X
authentication would take when processing an 802.1X supplicant. If authentication fails, the port moves to the guest VLAN if
configured, or it remains unauthorized.
The Catalyst 4500 series switch also supports reauthentication of MACs on a per-port level. Be aware that the reauthentication
functionality is provided by 802.1X and is not MAB specific. In the reauthentication mode, a port stays in the previous
RADIUS-sent VLAN and tries to re-authenticate itself. If the reauthentication succeeds, the port stays in the RADIUS-sent
VLAN. Otherwise, the port becomes unauthorized and moves to the guest VLAN if one is configured.
For details on how to configure MAB, see the “Configuring 802.1X with MAC Authentication Bypass” section on page 49-60.
Feature Interaction
This section lists feature interactions and restrictions when MAB is enabled. If a feature is not listed (for example,
Unidirectional Controlled Port), assume that it interacts seamlessly with MAB.
MAB can only be enabled if 802.1X is configured on a port. MAB functions as a fallback mechanism for authorizing
MACs. If you configure both MAB and 802.1X on a port, the port attempts to authenticate using 802.1X. If the host fails
to respond to EAPOL requests and MAB is configured, the 802.1X port is opened up to listen to packets and to grab a MAC
address, rather than attempting to authenticate endlessly.
Based on the default 802.1X timer values, the transition between mechanisms takes approximately 90 seconds. You can
shorten the time by reducing the value of the transmission period time, which affects the frequency of EAPOL
transmission. A smaller timer value results in sending EAPOLs during a shorter time interval. With MAB enabled, after
802.1X performs one full set of EAPOLs, the learned MAC address is forwarded to the authentication server for
processing.
The MAB module performs authorization for the first MAC address detected on the wire. The port is considered authorized
once a valid MAC address that RADIUS approves is received.
802.1X authentication can restart if an EAPOL packet is received on a port that was initially authorized as a result of
MAB.
Figure 49-6 shows the message exchange during MAB.
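The following IOS configuration is an added illustration of the interactions described above and is not the guide's own MAB procedure (that procedure is on page 49-60). The interface name, VLAN IDs, RADIUS server address, shared secret and timer values are assumed placeholders.

```cisco
! Global AAA prerequisites (server address and key are placeholders)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius server RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
!
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ! 802.1X runs first; MAB is the fallback once the host ignores the EAPOL cycle
 authentication order dot1x mab
 authentication priority dot1x mab
 mab
 ! A shorter tx-period shrinks the ~90 s fallback window (3 EAPOL transmissions
 ! at the default 30 s tx-period with the default retry count)
 dot1x timeout tx-period 10
 ! Guest VLAN for hosts that never answer EAPOL and are not approved by MAB
 authentication event no-response action authorize vlan 900
 ! Periodic reauthentication; the interval comes from the RADIUS Session-Timeout
 authentication periodic
 authentication timer reauthenticate server
!
end
! Verify which method (dot1x or mab) authorized the port and the assigned VLAN
show authentication sessions interface GigabitEthernet1/1
```

The `show authentication sessions` output is where to confirm that a host landed on MAB rather than 802.1X, and whether the VLAN shown is the RADIUS-assigned one or the guest VLAN.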