Users Guide

to the Request Identity frame. Then, if MAB authentication is enabled, the switch tries to authenticate
every MAC it learns on the port, up to 128 MACs, which is the maximum number of supplicants that
802.1X can authenticate on a single port in multi-authentication mode.
If a supplicant that has been authenticated using MAB starts to speak EAPoL, the switch re-authenticates
that supplicant using 802.1X first, while keeping the MAC authorized through the re-authentication
process.
Configuring MAC Authentication Bypass
To configure MAB in multi-supplicant authentication mode:
1. Configure the following attributes on a RADIUS Server:
Attribute 1—User-name: Use the supplicant MAC address in hex format without any colons. For
example, enter 10:34:AA:33:44:F8 as 1034AA3344F8.
Attribute 2—Password: Use the supplicant MAC address, but encrypted in MD5.
Attribute 4—NAS-IP-Address: IPv4 address of the switch that is used to communicate with the
RADIUS server.
Attribute 5—NAS-Port: The port number of the interface being authorized, entered as an integer.
Attribute 30—Called-Station-Id: MAC address of the ingress interfaces of the authenticator.
Attribute 31—Calling-Station-Id: MAC address of the 802.1X supplicant.
Attribute 87—NAS-Port-Id: The name of the interface being authorized, entered as a string.
NOTE: Only attributes 1 and 2 are used for MAB; attributes 30 and 31 are not mandatory in the
MAB method.
2. Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3. Enable MAC authentication bypass.
INTERFACE mode
dot1x mac-auth-bypass
4. (Optional) Use MAB authentication only — do not use 802.1X authentication first. If MAB fails the port
or the MAC address is blocked, the port is placed in the guest VLAN (if configured). 802.1X
authentication is not even attempted. Re-authentication is performed using 802.1X timers.
INTERFACE mode
dot1x mac-auth mab-only
Example of Verifying MAB Configuration on an 802.1X-enabled Interface
Verify the MAB and 802.1X configuration using the show dot1x interface command from EXEC
Privilege mode.
The bold text shows that MAB is enabled on the interface.
Dell#show dot1x interface Te 0/0
802.1X information on Te 0/0:
----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: AUTHORIZED(MAC-AUTH-BYPASS)
Re-Authentication: Disable
Untagged VLAN id: 200
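
MAB authorizes a device on its MAC address alone (attributes 1 and 2 both carry it), so it is useful to know which ports were authorized that way. The following Python is an added example, not part of the guide or of Dell's software: it parses saved show dot1x interface output, lists the interfaces authorized through MAB, and formats a MAC address as the User-name from step 1. The function names, the second interface block and its UNAUTHORIZED status value are assumptions made for illustration.

```python
import re

# Constructed sample: the first block repeats the fields shown on this page;
# the second block and its status value are assumptions for illustration.
SAMPLE = """\
802.1X information on Te 0/0:
----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: AUTHORIZED(MAC-AUTH-BYPASS)
Re-Authentication: Disable
Untagged VLAN id: 200
802.1X information on Te 0/1:
----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: 200
"""

HEADER = re.compile(r"^802\.1X information on (.+):\s*$")
FIELD = re.compile(r"^([^:]+):\s*(.*)$")
MAB_STATUS = "AUTHORIZED(MAC-AUTH-BYPASS)"  # status value shown on this page

def mab_username(mac):
    """Format a MAC as the RADIUS User-name from step 1 (hex, no separators)."""
    digits = re.sub(r"[:.\-\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()  # upper case follows the page's example

def parse_dot1x(text):
    """Return {interface: {field: value}} from 'show dot1x interface' text."""
    ports, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # a new interface block starts here
            current = ports.setdefault(m.group(1), {})
        elif current is not None and (f := FIELD.match(line)):
            current[f.group(1).strip()] = f.group(2).strip()
    return ports

def mab_authorized_ports(ports):
    """Interfaces authorized by MAB rather than by 802.1X."""
    return [n for n, f in ports.items() if f.get("Port Auth Status") == MAB_STATUS]
```

Comparing the list from mab_authorized_ports against the ports where MAB is expected (printers, phones and similar devices without a supplicant) shows any port that fell back to MAC-based authorization unexpectedly.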