Administrator Guide
Port status and State info for Supplicant: 7a:d9:d9:7d:00:00
Port Auth Status: AUTHORIZED
Untagged VLAN id: 400
Auth PAE State: Authenticated
Backend State: Idle
Port status and State info for Supplicant: 7a:d9:d9:7d:00:01
Port Auth Status: AUTHORIZED
Untagged VLAN id: 400
Auth PAE State: Authenticated
Backend State: Idle
Restricting Multi-Supplicant Authentication
To restrict the number of devices that 802.1X can authenticate on a port in multi-supplicant (multi-auth) mode, enter the
dot1x max-supplicants number command in Interface mode. By default, the maximum number of multi-supplicant
devices is 128.
Dell(conf-if-te-2/1)# dot1x max-supplicants 4
MAC Authentication Bypass
MAC authentication bypass (MAB) enables you to provide MAC-based security by allowing only known MAC addresses within
the network using a RADIUS server.
802.1X-enabled clients can authenticate themselves using the 802.1X protocol. Other devices that do not use 802.1X — like IP
phones, printers, and IP fax machines — still need connectivity to the network. The guest VLAN provides one way to access the
network. However, placing trusted devices on the quarantined VLAN is not the best practice. MAB allows devices that have
known static MAC addresses to be authenticated using their MAC address, and places them into a VLAN different from the
VLAN in which unknown devices are placed.
For an 802.1X-incapable device, 802.1X times out if the device does not respond to the Request Identity frame. If MAB is
enabled, the port is then put into learning state and waits indefinitely until the device sends a packet. Once its MAC is learned, it
is sent for authentication to the RADIUS server (as both the username and password, in hexadecimal format without any
colons). If the server authenticates successfully, the port is dynamically assigned to a MAB VLAN using a RADIUS attribute 81,
or is assigned to the untagged VLAN of the port. Afterward, packets from any other MAC address are dropped. If authentication
fails, the authenticator waits the quiet-period and then restarts the authentication process.
MAC authentication bypass works in conjunction and in competition with the guest VLAN and authentication-fail VLAN. When
both features are enabled:
1. If authentication fails, the port it is placed into the authentication-fail VLAN.
2. If the host does not respond to the Request Identity frame, the port transitions to MAB initiation state.
3. If MAB times out or MAC authentication fails, the port is placed into the guest VLAN.
If both MAB and re-authentication are enabled, when the re-auth period finishes and whether the previous authentication was
through MAB or 802.1X, 802.1X authentication is tried first. If 802.1X times out, MAB authentication is tried. The port remains
authorized throughout the reauthentication process. Once a port is enabled/disabled through 802.1X authentication, changes to
MAB do not take effect until the MAC is asked to re-authenticate or the port status is toggled.
MAB in Single-host and Multi-Host Mode
In single-host and multi-host mode, the switch attempts to authenticate a supplicant using 802.1X. If 802.1X times out because
the supplicant does not respond to the Request Identity frame and MAB is enabled, the switch attempts to authenticate the
first MAC it learns on the port. Afterwards, for single-host mode, traffic from all other MACs is dropped; for multi-host mode, all
traffic from all other MACs is accepted.
After a port is authenticated by MAB, if the switch detects an 802.1X EAPoL start message from the authenticated MAC, the
switch re-authenticates using 802.1X first, while keeping the port authorized.
102
802.1X