508 Configuring 802.1X and Port-Based Security
If a port uses MAC-based 802.1X authentication, the option to use MAC
Authentication Bypass (MAB) is available. MAB is a supplemental
authentication mechanism that allows 802.1X unaware clients, such as
printers and fax machines, to authenticate to the network using the client
MAC address as an identifier. The known and allowable MAC address and
corresponding access rights of the client must be pre-populated in the
authentication server.
When a port configured for MAB receives traffic from an unauthenticated
client, the switch (Authenticator):
• Sends a EAP Request packet to the unauthenticated client
• Waits a pre-determined period of time for a response
• Retries – resends the EAP Request packet up to three times
• Considers the client to be 802.1X unaware client (if it does not receive an
EAP response packet from that client)
The authenticator sends a request to the authentication server with the MAC
address of the client in a hexadecimal format as the username and the MD5
hash of the MAC address as the password. The authentication server checks
its database for the authorized MAC addresses and returns an Access-Accept
or an Access-Reject response, depending on whether the MAC address is
found in the database. MAB also allows 802.1X-unaware clients to be placed
in a RADIUS-assigned VLAN or to apply a specific Filter ID to the client
traffic.
NOTE: MAB initiates only after the dot1x guest VLAN period times out. If the
client responds to any of the EAPOL identity requests, MAB does not initiate for
that client.
To Next Page
Loading...
