443
Configuring HABP
The HW Authentication Bypass Protocol (HABP) is intended to enable the downstream network
devices of an access device to bypass 802.1X authentication and MAC authentication configured on
the access device.
As shown in Figure 144,
802.1X authenticator Switch A has two switches attached to it: Switch B and
Switch C. On Switch A, 802.1X authentication is enabled globally and on the ports connecting the
downstream network devices. The end-user devices (the supplicants) run the 802.1X client software
for 802.1X authentication.
The communication between Switch B and Switch D, where the 802.1X client is not supported
(which is typical of network devices), will fail because they cannot pass 802.1X authentication and
their packets will be blocked on Switch A. To allow the two switches to communicate, you can use
HABP.
Figure 144 Network diagram for HABP application
HABP is a link layer protocol that works above the MAC layer. HABP is built on the client-server
model. Generally, the HABP server is enabled on the authentication device that is configured with
802.1X or MAC authentication (such as Switch A in Figure 144), a
nd the attached switches function
as the HABP clients (such as Switch B through Switch E in Figure 144). No devi
ce can function as
both an HABP server and a client at the same time.
Typically, the HABP server sends HABP requests to all its clients periodically to collect their MAC
addresses, and the clients respond to the requests. After the server learns the MAC addresses of all
the clients, it registers the MAC addresses as HABP entries. Then, link layer frames exchanged
between the clients can bypass the 802.1X authentication on ports of the server without affecting the
normal operation of the whole network.
All HABP packets must travel in a specific VLAN. Communication between the HABP server and
HABP clients is implemented through this specific VLAN.
To Next Page
Loading...
Need help?
General
