Netgear M4300-24X24F (XSM4348S) - Stackable Managed Switch with 48x10G including 24x10GBASE-T and 24xSFP+ Layer 3 Administrator Guide

MAC Authentication Bypass Concepts
MAC Authentication Bypass (MAB) provides 802.1X-unaware clients controlled access to the 
network by using the MAC address of the client device as the identifier. 
MAB has the following requirements:
• You must preconfigure the known and allowable MAC addresses and corresponding access rights in the authentication server.
• The port control mode of the port must be MAC-based.
You can configure MAB on a per-port basis. If you configure MAB on a port and the port 
receives a packet from an unknown MAC address, the following sequence of events can 
occur:
1. The authenticator sends an EAPOL Request ID packet to the supplicant and the switch starts a timer that is based on the guest VLAN period for the supplicant.
2. If the client does not respond when the timer expires, the switch treats the client as an 802.1X-unaware client.
3. The authenticator sends a request to the authentication server with the MAC address of the client in hhhhhhhhhhhh format (nondotted decimal MAC format) as the user name and the MD5 hash of the MAC address as the password.
4. The authentication server checks its preconfigured database for the authorized MAC addresses and returns either an Access-Accept or Access-Reject message, depending on whether the server can find the MAC address in its database.
The switch can place the 802.1X-unaware client in a VLAN that is assigned by the 
RADIUS server or apply a specific filter ID to the client traffic.
MAB initiates only after the 802.1X guest VLAN period times out. If the client responds to any
of the EAPOL identity requests, MAB does not initiate for that client. MAB and guest VLANs
are mutually exclusive. If you configure a guest VLAN instead of MAB on a port and the
802.1X guest VLAN period times out, the switch places the client in the guest VLAN. If you
do not configure a guest VLAN or MAB on a port and the 802.1X guest VLAN period times
out, the switch denies the client access.
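The sequence and fallback rules above can be modeled as a small decision function. This is an added example, not code from the switch firmware or from NETGEAR. The names PortConfig, mab_username, server_decision and port_outcome, the sample database, and the lower-case user name are assumptions. The password field is left out because the page does not specify how the MD5 input is encoded.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample database: MAB user name -> VLAN assigned by the server.
AUTHORIZED_MACS = {"001122aabbcc": 20, "0050569f0a1b": None}


def mab_username(mac: str) -> str:
    """Reduce any common MAC notation to 12 hex digits with no delimiters."""
    digits = re.sub(r"[.:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()  # assumption: lower case; the page does not specify case


@dataclass(frozen=True)
class PortConfig:
    mab_enabled: bool = False
    guest_vlan: Optional[int] = None

    def __post_init__(self):
        # MAB and guest VLANs are mutually exclusive on a port.
        if self.mab_enabled and self.guest_vlan is not None:
            raise ValueError("configure either MAB or a guest VLAN, not both")


def server_decision(username: str, db=AUTHORIZED_MACS):
    """Step 4: accept only MAC addresses preconfigured in the database."""
    if username in db:
        return "Access-Accept", db[username]
    return "Access-Reject", None


def port_outcome(port: PortConfig, mac: str, answered_eapol: bool, db=AUTHORIZED_MACS):
    """Return (path, server reply, VLAN) for an unknown MAC seen on the port."""
    if answered_eapol:
        return "802.1X", None, None  # client is a supplicant: MAB never starts
    # From here on the guest VLAN period has timed out (steps 1 and 2).
    if port.mab_enabled:
        reply, vlan = server_decision(mab_username(mac), db)  # step 3
        return "MAB", reply, vlan
    if port.guest_vlan is not None:
        return "guest VLAN", None, port.guest_vlan
    return "denied", None, None
```

Normalizing the MAC address before the lookup keeps a database entry written as 00:11:22:AA:BB:CC from silently failing to match the undelimited user name that the authenticator sends.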
The following figure illustrates MAB operation.