Chapter 8: Security Features 139
MAC-based 802.1X
MAC-based authentication is an extension to IEEE 802.1X. This feature
supports authentication of multiple clients per port: even when a port has been
authorized by one of the clients connected to it, the other clients that are
connected to the same port of the switch do not gain access through it.
Instead, every client must authenticate itself before it can get access to the
port.
When a client authenticates itself initially on the network, the switch acts as the
authenticator to the clients on the network, as shown in the following figure. The
switch forwards authentication requests from a client to the RADIUS server. If
the authentication succeeds, the port is placed in an authorized state and the client
is able to forward or receive traffic through the port.
In a standard 802.1X scenario, all subsequent clients in the network that are
connected to the same port need not authenticate to use the port on the switch.
When MAC-based 802.1X authentication is enabled, all the subsequent clients in
the network that are connected to the same port must authenticate themselves to
use the port on the switch.
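The difference between the two modes, as an added example that is not taken from the switch documentation or its firmware: a toy Python model of the authenticator's forwarding decision on one port shared by two clients. The class, the function names, the MAC addresses and the RADIUS user table are all constructed for illustration.

```python
# Added illustration: toy model of an 802.1X authenticator port.
# All names, credentials and MAC addresses below are constructed.
from dataclasses import dataclass, field

# Constructed stand-in for the RADIUS server's user database.
RADIUS_USERS = {"alice": "correct-horse", "bob": "battery-staple"}

def radius_accept(user: str, password: str) -> bool:
    """Stand-in for the request the switch forwards to the RADIUS server."""
    return RADIUS_USERS.get(user) == password

@dataclass
class SwitchPort:
    mac_based: bool                  # True = MAC-based 802.1X, False = standard 802.1X
    port_authorized: bool = False    # single state for the whole port (standard mode)
    authorized_macs: set = field(default_factory=set)  # per-client state (MAC-based mode)

    def authenticate(self, src_mac: str, user: str, password: str) -> bool:
        """Client at src_mac authenticates; the switch relays the request to RADIUS."""
        if not radius_accept(user, password):
            return False
        if self.mac_based:
            self.authorized_macs.add(src_mac.lower())  # authorize this client only
        else:
            self.port_authorized = True                # authorize the whole port
        return True

    def forwards(self, src_mac: str) -> bool:
        """Would the switch forward a data frame from src_mac on this port?"""
        if self.mac_based:
            return src_mac.lower() in self.authorized_macs
        return self.port_authorized

def run_scenario(mac_based: bool) -> dict:
    """Two clients share one port; the second one authenticates late."""
    first, second = "00:11:22:33:44:01", "00:11:22:33:44:02"
    port = SwitchPort(mac_based=mac_based)
    result = {"first_before": port.forwards(first)}
    port.authenticate(first, "alice", "correct-horse")
    result["first"] = port.forwards(first)
    result["second"] = port.forwards(second)          # second has not authenticated
    port.authenticate(second, "bob", "wrong-password")  # rejected by RADIUS
    result["second_bad_creds"] = port.forwards(second)
    port.authenticate(second, "bob", "battery-staple")
    result["second_after_auth"] = port.forwards(second)
    return result

if __name__ == "__main__":
    print("standard 802.1X :", run_scenario(mac_based=False))
    print("MAC-based 802.1X:", run_scenario(mac_based=True))
```

In the standard run the second client's frames are forwarded as soon as the first client authenticates; in the MAC-based run they are dropped until the second client's own authentication succeeds.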
MAC authentication bypass
Today, 802.1X has become the recommended port-based authentication method
at the access layer in enterprise networks. However, there may be
802.1X-unaware devices, such as printers, fax machines, and other equipment, that
require access to the network without 802.1X authentication. MAC
[Figure: VLAN 10, VLAN 20, VLAN 10; Switch; RADIUS server]