DELL S50V User Manual
128
|
802.1X
www.dell.com | support.dell.com
MAB in Single-host and Multi-Host Mode
In single-host and multi-host mode, the switch attempts to authenticate a supplicant using 802.1X. If
802.1X times out because the supplicant does not respond to the Request Identity frame and MAB is
enabled, the switch attempts to authenticate the first MAC it learns on the port. Subsequently, for
single-host mode, traffic from all other MACs is dropped; for multi-host mode, all traffic from all other
MACs is accepted.
802.1X times out because the supplicant does not respond to the Request Identity frame and MAB is
enabled, the switch attempts to authenticate the first MAC it learns on the port. Subsequently, for
single-host mode, traffic from all other MACs is dropped; for multi-host mode, all traffic from all other
MACs is accepted.
After a port is authenticated by MAB, if the switch detects an 802.1X EAPoL start message from the
authenticated MAC, the switch re-authenticates using 802.1X first, while keeping the port authorized.
authenticated MAC, the switch re-authenticates using 802.1X first, while keeping the port authorized.
MAB in Multi-Supplicant Authentication Mode
Multi-supplicant authentication (multi-auth) mode is like the other modes in that the switch first attempts
to authenticate the supplicant using 802.1X. If 802.1X times out because the supplicant does not respond to
the Request Identity frame and MAB authentication is enabled, the switch attempts to authenticate every
MAC it learns on the port, up to 128 MACs, which is the maximum number of supplicants 802.1X can
authenticate on a single port in multi-authentication mode.
to authenticate the supplicant using 802.1X. If 802.1X times out because the supplicant does not respond to
the Request Identity frame and MAB authentication is enabled, the switch attempts to authenticate every
MAC it learns on the port, up to 128 MACs, which is the maximum number of supplicants 802.1X can
authenticate on a single port in multi-authentication mode.
If any supplicant that has been authenticated using MAB starts to speak EAPoL, the switch
re-authenticates that supplicant using 802.1X first, while keeping the MAC authorized through the
re-authentication process.
re-authenticates that supplicant using 802.1X first, while keeping the MAC authorized through the
re-authentication process.
Note: On the C-Series and S-Series, if the switch is in multi-host mode, a MAC address that was
MAB-authenticated but later was disabled from MAB authentication, is not denied access but moved to
the guest VLAN. If the switch is in single-host mode, the MAC address is disallowed access.
MAB-authenticated but later was disabled from MAB authentication, is not denied access but moved to
the guest VLAN. If the switch is in single-host mode, the MAC address is disallowed access.
Step
Task
Command Syntax
Command Mode
1
Configure the following attributes on the RADIUS Server:
•
Attribute 1—User-name: Use the supplicant MAC address in hex format without any colons. For example,
enter 10:34:AA:33:44:F8 as 1034AA3344F8.
enter 10:34:AA:33:44:F8 as 1034AA3344F8.
•
Attribute 2—Password: Use the supplicant MAC address, but encrypted in MD5.
•
Attribute 4—NAS-IP-Address: IPv4 address of the switch that is used to communicate with the RADIUS
server.
server.
•
Attribute 5—NAS -Port: The port number of the interface being authorized entered as an integer.
•
Attribute 30—Called-Station-Id: MAC address of the ingress interfaces of the authenticator.
•
Attribute 31—Calling-Station-Id: MAC address of the 802.1X supplicant.
•
Attribute 87—NAS-Port-Id: The name of the interface being authorized entered as a string.
Note: Only attributes 1 and 2 are used for MAB; Attributes 30 and 31 are not mandatory in the MAB method.
2
Enable MAB.
dot1x mac-auth-bypass
INTERFACE