Whenever an operator configures a port in Dot1x authentication mode and
selects the authentication method as internal, then the user credentials
received from the Dot1x supplicant is validated against the IDAS by Dot1x
component. The Dot1x application accesses the Dot1x user database to
check whether the user credentials present in the authentication message
corresponds to a valid user or not. If so then an event is generated which
triggers the Dot1x state machine to send a challenge to the supplicant.
Otherwise a failure is returned to the Dot1x state machine and the user is not
granted access to the port.
If user(s) credentials are changed, the existing user connection(s) are not
disturbed and the changed user(s) credentials are only used when a new EAP
A CLI configuration mode is added in order to configure dot1x users and
their attributes. The Dot1x maintained user database can be exported
(uploaded) or imported (downloaded) to/from a central location using a
MAC Authentication Bypass
Today, 802.1x has become the recommended port-based authentication
method at the access layer in enterprise networks. However, there may be
802.1x unaware devices such as printers, fax-machines etc that would require
access to the network without 802.1x authentication. MAC Authentication
Bypass (MAB) is a supplemental authentication mechanism to allow 802.1x
unaware clients to authenticate to the network. It uses the 802,1x
infrastructure and MAB cannot be supported independent of the Dot1x
MAC Authentication Bypass (MAB) provides 802.1x unaware clients
controlled access to the network using the devices' MAC address as an
identifier. This requires that the known and allowable MAC address and
corresponding access rights be pre-populated in the authentication server.
MAB only works when the port control mode of the port is MAC-based.
Port access by MAB clients is allowed if the Dot1x user database has
corresponding entries added for the MAB clients with user name and
password attributes set to the MAC address of MAB clients.