Mac Authentication Bypass - Dell Force10 C150 Configuration Manual

MAC Authentication Bypass

MAC Authentication Bypass
MAC Authentication Bypass (MAB) enables you to provide MAC-based security by allowing only known
MAC addresses within the network using a RADIUS server.
802.1X-enabled clients can authenticate themselves using the 802.1X protocol. Other devices that do not
use 802.1X—like IP phones, printers, and IP fax machines—still need connectivity to the network. The
guest VLAN provides one way to access the network. However, placing trusted devices on the quarantined
VLAN is not the best practice. MAB allows devices that have known static MAC addresses to be
authenticated using their MAC address, and places them into a VLAN different from the VLAN in which
unknown devices are placed.
For an 802.1X-incapable device, 802.1X time will out if the device does not respond to the Request
Identity frame. If MAB is enabled, the port is then put into learning state and waits indefinitely until the
device sends a packet. Once its MAC is learned, it is sent for authentication to the RADIUS server (as both
the username and password, in hexadecimal format without any colons). If the server authenticates
successfully, the port is dynamically assigned to a MAB VLAN using a RADIUS attribute 81, or is
assigned to the untagged VLAN of the port. Afterwards, packets from any other MAC address are
dropped. If authentication fails, the authenticator waits the quiet-period and then restarts the authentication
process.
MAC authentication bypass works in conjunction and in competition with the guest VLAN and
authentication-fail VLAN. When both features are enabled:
1. If authentication fails, the port it is placed into the authentication-fail VLAN.
2. If the host does not respond to the Request Identity frame, the port transitions to MAB initiation state.
3. If MAB times out or MAC authentication fails, the port is placed into the guest VLAN.
If both MAB and re-authentication are enabled, when the re-auth period finishes and whether the previous
authentication was through MAB or 802.1X, 802.1X authentication is tried first. If 802.1X times out,
MAB authentication is tried. The port remains authorized throughout the reauthentication process. Once a
port is enabled/disabled through 802.1X authentication, changes to MAB do not take effect until the MAC
is asked to re-authenticate or the port status is toggled.
Note: On the C-Series and S-Series, a MAB-authenticated port becomes unauthorized after an RPM
failover.
is supported on platforms:
c s
802.1X | 127