Mab In Single-Host And Multi-Host Mode; Mab In Multi-Supplicant Authentication Mode - Dell C9000 Series Networking Configuration Manual

their MAC address, and places them into a VLAN different from the VLAN in which unknown devices are
placed.
For an 802.1X-incapable device, 802.1X times out if the device does not respond to the Request Identity
frame. If MAB is enabled, the port is then put into learning state and waits indefinitely until the device sends a
packet. Once its MAC is learned, it is sent for authentication to the RADIUS server (as both the username and
password, in hexadecimal format without any colons). If the server authenticates successfully, the port is
dynamically assigned to a MAB VLAN using RADIUS attribute 81, or is assigned to the untagged VLAN of the
port. Afterward, packets from any other MAC address are dropped. If authentication fails, the authenticator
waits for the quiet period and then restarts the authentication process.
MAC authentication bypass works in conjunction and in competition with the guest VLAN and
authentication-fail VLAN. When both features are enabled:
1. If authentication fails, the port is placed into the authentication-fail VLAN.
2. If the host does not respond to the Request Identity frame, the port transitions to MAB initiation state.
3. If MAB times out or MAC authentication fails, the port is placed into the guest VLAN.
If both MAB and re-authentication are enabled, when the re-authentication period finishes, 802.1X
authentication is tried first, regardless of whether the previous authentication was through MAB or 802.1X.
If 802.1X times out, MAB authentication is tried. The port remains authorized throughout the
re-authentication process. Once a port is enabled/disabled through 802.1X authentication, changes to MAB
do not take effect until the MAC is asked to re-authenticate or the port status is toggled.

MAB in Single-host and Multi-Host Mode

In single-host and multi-host mode, the switch attempts to authenticate a supplicant using 802.1X. If 802.1X
times out because the supplicant does not respond to the Request Identity frame and MAB is enabled, the
switch attempts to authenticate the first MAC it learns on the port. Afterwards, for single-host mode, traffic
from all other MACs is dropped; for multi-host mode, all traffic from all other MACs is accepted.
After a port is authenticated by MAB, if the switch detects an 802.1X EAPoL start message from the
authenticated MAC, the switch re-authenticates using 802.1X first, while keeping the port authorized.
NOTE: If the switch is in multi-host mode, a MAC address that was MAB-authenticated but was later
disabled from MAB authentication is not denied access but is moved to the guest VLAN. If the switch is in
single-host mode, the MAC address is disallowed access.

MAB in Multi-Supplicant Authentication Mode

Multi-supplicant authentication (multi-auth) mode is similar to other 802.1X modes in that the switch first
attempts to authenticate a supplicant using 802.1X. 802.1X times out if the supplicant does not respond to the
Request Identity frame. Then, if MAB authentication is enabled, the switch tries to authenticate every MAC it
learns on the port, up to 128 MACs, which is the maximum number of supplicants that 802.1X can
authenticate on a single port in multi-authentication mode.
If a supplicant that has been authenticated using MAB starts to speak EAPoL, the switch re-authenticates that
supplicant using 802.1X first, while keeping the MAC authorized through the re-authentication process.
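
The host-mode behaviour described in the two sections above, as an added example that is not taken from the Dell manual: it models how MAB treats each MAC learned on a port in single-host, multi-host and multi-auth mode, which makes the unauthenticated admission in multi-host mode visible. The function names, status labels, lower-case credential format and sample MACs are assumptions constructed for illustration.

```python
import re

MULTI_AUTH_LIMIT = 128  # per-port maximum in multi-auth mode, as stated above

def mab_credential(mac):
    """MAC as sent to RADIUS (username and password): hex digits, no colons."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.lower()  # assumption: lower case; the text does not specify case

def classify(mode, learned_macs, radius_users):
    """Map each MAC learned on a port, in order, to its MAB treatment.
    radius_users: MAB credentials the RADIUS server accepts (constructed)."""
    if mode not in ("single-host", "multi-host", "multi-auth"):
        raise ValueError(f"unknown host mode: {mode!r}")
    result, first_ok, authenticated = {}, None, 0
    for mac in learned_macs:
        cred = mab_credential(mac)
        if cred in result:
            continue
        if mode == "multi-auth":  # every learned MAC is authenticated, up to the limit
            if authenticated >= MULTI_AUTH_LIMIT:
                result[cred] = "over-limit"
            elif cred in radius_users:
                result[cred] = "mab-accepted"
                authenticated += 1
            else:
                result[cred] = "mab-rejected"
        elif first_ok is None:  # other modes: only the first learned MAC goes to RADIUS
            first_ok = cred in radius_users
            result[cred] = "mab-accepted" if first_ok else "mab-rejected"
        elif not first_ok:  # simplification: quiet-period retries are not modeled
            result[cred] = "port-not-authorized"
        elif mode == "single-host":
            result[cred] = "dropped"
        else:
            result[cred] = "accepted-without-auth"  # multi-host admits every later MAC
    return result

# Constructed sample: three MACs learned on one port, two known to RADIUS.
LEARNED = ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-FF", "0011.2233.4466"]
RADIUS_USERS = {"001122334455", "001122334466"}

if __name__ == "__main__":
    for mode in ("single-host", "multi-host", "multi-auth"):
        print(mode, classify(mode, LEARNED, RADIUS_USERS))
```

In the multi-host result, the MAC that RADIUS does not know is still forwarded once the first MAC has passed MAB, whereas multi-auth rejects it individually.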