Administrator Guide

NOTE: If the switch is in multi-host mode, a MAC address that was MAB-authenticated but was later disabled from MAB
authentication is not denied access but is moved to the guest VLAN. If the switch is in single-host mode, the MAC address is
disallowed access.
MAB in Multi-Supplicant Authentication Mode
Multi-supplicant authentication (multi-auth) mode is similar to other 802.1X modes in that the switch first attempts to
authenticate a supplicant using 802.1X. 802.1X times out if the supplicant does not respond to the Request Identity frame. Then,
if MAB authentication is enabled, the switch tries to authenticate every MAC it learns on the port, up to 128 MACs, which is the
maximum number of supplicants that 802.1X can authenticate on a single port in multi-authentication mode.
If a supplicant that has been authenticated using MAB starts to speak EAPoL, the switch re-authenticates that supplicant using
802.1X first, while keeping the MAC authorized through the re-authentication process.
Configuring MAC Authentication Bypass
To configure MAB in multi-supplicant authentication mode:
1. Configure the following attributes on a RADIUS Server:
Attribute 1, User-name: Use the supplicant MAC address in hex format without any colons. For example, enter
10:34:AA:33:44:F8 as 1034AA3344F8.
Attribute 2, Password: Use the supplicant MAC address, but encrypted in MD5.
Attribute 4, NAS-IP-Address: IPv4 address of the switch that is used to communicate with the RADIUS server.
Attribute 5, NAS-Port: The port number of the interface being authorized entered as an integer.
Attribute 30, Called-Station-Id: MAC address of the ingress interfaces of the authenticator.
Attribute 31, Calling-Station-Id: MAC address of the 802.1X supplicant.
Attribute 87, NAS-Port-Id: The name of the interface being authorized entered as a string.
NOTE: Only attributes 1 and 2 are used for MAB; Attributes 30 and 31 are not mandatory in the MAB method.
2. Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3. Enable MAC authentication bypass.
INTERFACE mode
dot1x mac-auth-bypass
4. (Optional) Use MAB authentication only; do not use 802.1X authentication first. If MAB fails, the port or the MAC address
is blocked; the port is placed in the guest VLAN (if configured). 802.1X authentication is not even attempted.
Re-authentication is performed using 802.1X timers.
INTERFACE mode
dot1x mac-auth mab-only
Verify the MAB and 802.1X configuration using the show dot1x interface command from EXEC Privilege mode.
The bold text shows that MAB is enabled on the interface.
Dell#show dot1x interface Te 0/0
802.1X information on Te 0/0:
----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: AUTHORIZED(MAC-AUTH-BYPASS)
Re-Authentication: Disable
Untagged VLAN id: 200
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Critical VLAN: Disable
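
The verification step above can be scripted when many interfaces have to be checked. The following is an added example, not part of the original guide or of Dell's tooling: it parses the output shown above and reports ports whose Port Auth Status is AUTHORIZED(MAC-AUTH-BYPASS). It assumes the field names appear exactly as in that output; the function names and finding texts are illustrative.

```python
import re
# Sample input: the `show dot1x interface` output as it appears on this page.
SAMPLE = """\
Dell#show dot1x interface Te 0/0
802.1X information on Te 0/0:
----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: AUTHORIZED(MAC-AUTH-BYPASS)
Re-Authentication: Disable
Untagged VLAN id: 200
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Critical VLAN: Disable
"""

HEADER = re.compile(r"^802\.1[Xx] information on (.+?):\s*$")
FIELD = re.compile(r"^([^:#]+):\s*(.*)$")

def parse_dot1x(text):
    """Return {interface: {field: value}} for every block in the output."""
    ports, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = HEADER.match(line)
        if header:
            current = ports.setdefault(header.group(1), {})
            continue
        field = FIELD.match(line)
        if field and current is not None:  # skips the prompt and separator lines
            current[field.group(1).strip()] = field.group(2).strip()
    return ports

def audit(ports):
    """Return (interface, finding) pairs for ports that were authorized by MAB."""
    findings = []
    for name, fields in ports.items():
        if "MAC-AUTH-BYPASS" not in fields.get("Port Auth Status", "").upper():
            continue
        findings.append((name, "authorized by MAB: the MAC address is the only credential"))
        if fields.get("Re-Authentication", "").lower() == "disable":
            findings.append((name, "re-authentication is disabled on a MAB-authorized port"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_dot1x(SAMPLE)):
        print(f"{name}: {finding}")
```
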