Understanding How MAC Authentication Bypass Works; Overview; Understanding Reauthentication of MAC Addresses (Cisco WS-C6506 software manual, Catalyst 6500 series switch)

Understanding How MAC Authentication Bypass Works

These sections describe how MAC authentication bypass works on the Catalyst 6500 series switches:

Overview, page 41-2
Understanding Reauthentication of MAC Addresses, page 41-2
Understanding MAC Authentication Bypass States, page 41-3
Understanding MAC Authentication Bypass Events, page 41-4

Overview

MAC authentication bypass is an alternative to 802.1X that allows network access to devices (such as printers and IP phones) that do not have an 802.1X supplicant. MAC authentication bypass uses the MAC address of the connecting device as the credential for granting or denying network access. Because a MAC address can be copied by anyone who observes it on the wire, this gives weaker assurance than 802.1X, and the access granted to such devices should be limited to what they need.
To support MAC authentication bypass, the RADIUS authentication server maintains a database of the MAC addresses of devices that require access to the network. For each MAC address to be authenticated, the switch generates a RADIUS Access-Request with the MAC address in the Calling-Station-Id attribute (attribute 31) and the Service-Type attribute (attribute 6) set to 10 (Call-Check).
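The exchange described above, as an added example that is not code from the Cisco manual or from CatOS: it builds the Access-Request with Calling-Station-Id (31) set to the MAC and Service-Type (6) set to 10, parses it on the server side, looks the MAC up in a small database, and answers with an Access-Accept carrying a VLAN or an Access-Reject, with the RFC 2865 Response Authenticator computed and verified. The User-Name attribute, the text formats used for the MAC, and the use of the RFC 2868 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes to return the VLAN are assumptions about a typical MAB deployment; the manual only says that the server "sends a VLAN".

```python
# Added example, not code from the Cisco manual or CatOS. RFC 2865 framing with the
# two MAB attributes the manual names (Calling-Station-Id = MAC, Service-Type = 10).
# Assumptions: MAC also sent as User-Name, MAC text formats, Tunnel-* VLAN reply.
import hashlib
import hmac
import os
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, SERVICE_TYPE, CALLING_STATION_ID = 1, 6, 31
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_CALL_CHECK = 10          # RFC 2865 Service-Type value "Call Check"
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

def normalize_mac(mac: str) -> str:
    """Return the 12 lowercase hex digits of a MAC, whatever separators were used."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits

def _attr(code: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value

def build_mab_request(mac: str, identifier: int = 1, authenticator: bytes = b"") -> bytes:
    """Switch side: the Access-Request sent for a MAC seen on a MAB port."""
    digits = normalize_mac(mac)
    dashed = "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()
    attrs = (_attr(USER_NAME, digits.encode())                  # assumed format
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + _attr(CALLING_STATION_ID, dashed.encode()))      # assumed format
    authenticator = authenticator or os.urandom(16)              # Request Authenticator
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_packet(data: bytes):
    """Parse RADIUS framing strictly; returns (code, id, authenticator, [(type, value)])."""
    if len(data) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("Length field does not match datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, data[4:20], attrs

def mab_mac(packet: bytes):
    """Server side: the normalized MAC if this is a MAB Access-Request, else None."""
    code, _, _, attrs = parse_packet(packet)
    values = dict(attrs)
    service = values.get(SERVICE_TYPE, b"")
    if code != ACCESS_REQUEST or len(service) != 4:
        return None
    if struct.unpack("!I", service)[0] != SERVICE_TYPE_CALL_CHECK:
        return None
    try:
        return normalize_mac(values[CALLING_STATION_ID].decode("ascii"))
    except (KeyError, UnicodeDecodeError, ValueError):
        return None

def build_response(request: bytes, secret: bytes, mac_db: dict) -> bytes:
    """Server side: Access-Accept with the VLAN for a known MAC, else Access-Reject.
    mac_db maps normalized MACs to VLANs. Response Authenticator per RFC 2865 s.3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, identifier, req_auth, _ = parse_packet(request)
    mac = mab_mac(request)
    if mac is not None and mac in mac_db:
        code = ACCESS_ACCEPT
        attrs = (_attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN))         # tag 0
                 + _attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_802))
                 + _attr(TUNNEL_PRIVATE_GROUP_ID, str(mac_db[mac]).encode()))
    else:
        code, attrs = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Switch side: check the Response Authenticator before acting on the reply."""
    req_auth = parse_packet(request)[2]
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def response_vlan(response: bytes):
    """Switch side: the VLAN carried in an Access-Accept, or None for a reject."""
    code, _, _, attrs = parse_packet(response)
    group = dict(attrs).get(TUNNEL_PRIVATE_GROUP_ID)
    return group.decode("ascii") if code == ACCESS_ACCEPT and group else None

if __name__ == "__main__":
    # Constructed sample: a printer whose MAC is in the server's database.
    request = build_mab_request("00:11:22:33:44:55")
    reply = build_response(request, b"sharedsecret", {"001122334455": 20})
    print(verify_response(request, reply, b"sharedsecret"), response_vlan(reply))
```

The server decides on nothing but the MAC in Calling-Station-Id, which is the whole point of the weaker-assurance caveat above; the switch side verifies the Response Authenticator before moving the port, so a forged Access-Accept from someone who does not know the shared secret is ignored.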
To learn the device's MAC address, the switch port must be in the forwarding state in a VLAN; if it is not, unicast traffic cannot enter or exit the switch. The port is therefore brought up in the native VLAN with MAC learning disabled, so that frames received on the port are redirected to the supervisor engine. When the supervisor engine sees a new MAC address, it installs a content-addressable memory (CAM) entry for that address with the trap bit set; this stops further frames from that MAC address from being redirected and protects the supervisor engine from unnecessary flooding while the MAC authentication is in progress. After a successful authentication, the RADIUS server returns a VLAN, the port is moved to that VLAN, and the trap entry is removed. A port that has been moved to the RADIUS server-specified VLAN behaves like any other switch port. If a MAC authentication fails, the port is moved into the authentication failure VLAN (if that VLAN is configured). (For information on authentication failure VLANs, see the "Configuring the Authentication Failure VLAN" section on page 40-38.)

Understanding Reauthentication of MAC Addresses

In the reauthentication mode, a port stays in the RADIUS server-specified VLAN and periodically tries to reauthenticate itself. If the reauthentication succeeds, the port stays in the RADIUS server-specified VLAN. If it fails, the port is moved either to the authentication failure VLAN (if that VLAN is configured) or from its existing VLAN to an administratively configured VLAN. Periodic reauthentication can still be attempted for the failed port: the failed port's MAC address CAM entry on the previously authenticated VLAN is removed, and the initialization process forces the port into the administratively configured VLAN, where it attempts to reauthenticate itself. If that reauthentication succeeds, the port is moved back to the RADIUS server-specified VLAN.
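The port, CAM and VLAN transitions described in the Overview (port up in the native VLAN with learning disabled, first frame redirected to the supervisor, trap CAM entry installed, entry removed and port moved on success) and in this reauthentication section (stay on success; on failure drop the CAM entry and fall back to the failure VLAN or the administratively configured VLAN, then authenticate again from there), as an added model that is not code from the Cisco manual or from CatOS. The class and method names, the VLAN numbers in the sample run, and the behaviour for an initial failure when no failure VLAN is configured (the manual does not say; the model leaves the port where it is) are assumptions for illustration.

```python
# Added example, not code from the Cisco manual or CatOS: a model of the port,
# CAM and VLAN transitions for MAC authentication bypass and reauthentication.
# Assumptions: names, sample VLAN numbers, and "stay put" on an initial failure
# with no authentication failure VLAN configured.
from typing import Dict, Optional


class CamEntry:
    """One CAM entry: the VLAN the MAC was seen in and whether the trap bit is set."""

    def __init__(self, vlan: int, trap: bool) -> None:
        self.vlan = vlan
        self.trap = trap   # trap set: frames from this MAC are no longer redirected


class MabPort:
    def __init__(self, native_vlan: int, admin_vlan: int,
                 auth_fail_vlan: Optional[int] = None) -> None:
        self.native_vlan = native_vlan
        self.admin_vlan = admin_vlan          # administratively configured VLAN
        self.auth_fail_vlan = auth_fail_vlan  # None means "not configured"
        self.vlan = native_vlan               # port comes up in the native VLAN
        self.learning = False                 # MAC learning disabled during MAB
        self.cam: Dict[str, CamEntry] = {}
        self.pending_mac: Optional[str] = None
        self.authenticated_mac: Optional[str] = None
        self.punts = 0                        # frames redirected to the supervisor

    def receive(self, src_mac: str) -> bool:
        """A frame from src_mac arrives; True if it is redirected to the supervisor."""
        entry = self.cam.get(src_mac)
        if entry is not None and entry.trap:
            return False        # trap entry: the supervisor is not bothered again
        if self.learning:
            self.cam[src_mac] = CamEntry(self.vlan, trap=False)   # ordinary learning
            return False
        # Unknown MAC on a port with learning disabled: redirect once, then
        # install a CAM entry with the trap bit so later frames are not redirected.
        self.punts += 1
        self.cam[src_mac] = CamEntry(self.vlan, trap=True)
        self.pending_mac = src_mac
        return True

    def auth_result(self, success: bool, server_vlan: Optional[int] = None) -> int:
        """Apply the RADIUS answer for the pending MAC; returns the port's VLAN."""
        mac = self.pending_mac
        if mac is None:
            raise RuntimeError("no MAC authentication in progress")
        if success:
            if server_vlan is None:
                raise ValueError("an Access-Accept must carry the VLAN to use")
            self.cam.pop(mac, None)           # trap entry removed on success
            self.vlan = server_vlan
            self.learning = True              # now behaves like any other port
            self.authenticated_mac = mac
        elif self.auth_fail_vlan is not None:
            self.vlan = self.auth_fail_vlan   # failure VLAN, if configured
        self.pending_mac = None
        return self.vlan

    def reauth_result(self, success: bool, server_vlan: Optional[int] = None) -> int:
        """Apply a periodic reauthentication result; returns the port's VLAN."""
        mac = self.authenticated_mac
        if mac is None:
            raise RuntimeError("port has no authenticated MAC to reauthenticate")
        if success:
            self.vlan = server_vlan if server_vlan is not None else self.vlan
            return self.vlan
        # Failure: drop the CAM entry on the previously authenticated VLAN and fall
        # back to the failure VLAN if configured, else the administratively configured
        # VLAN. The next frame is redirected again and a fresh authentication starts.
        self.cam.pop(mac, None)
        self.authenticated_mac = None
        self.learning = False
        self.vlan = self.auth_fail_vlan if self.auth_fail_vlan is not None else self.admin_vlan
        return self.vlan


def sample_run() -> list:
    """Walk one printer (constructed MAC) through auth, reauth failure and recovery."""
    port = MabPort(native_vlan=1, admin_vlan=99)
    trace = [port.vlan]
    port.receive("00:11:22:33:44:55")               # redirected to the supervisor
    trace.append(port.auth_result(True, 20))        # moved to server VLAN 20
    trace.append(port.reauth_result(False))         # no failure VLAN: admin VLAN 99
    port.receive("00:11:22:33:44:55")               # redirected again from VLAN 99
    trace.append(port.auth_result(True, 20))        # back in the server VLAN
    return trace                                    # [1, 20, 99, 20]


if __name__ == "__main__":
    print(sample_run())
```

The `punts` counter and the trap flag make the supervisor-protection point visible: only the first frame of an unknown MAC reaches the supervisor, and the port stays in whichever fallback VLAN it was sent to until a later authentication succeeds.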
Catalyst 6500 Series Switch Software Configuration Guide, Release 8.7 (OL-8978-04), Chapter 41, Configuring MAC Authentication Bypass, page 41-2

This manual is also suitable for: Catalyst 6506, Catalyst 6509, Catalyst 6513