Users Guide

Authentication, Authorization, and Accounting
If a port uses MAC-based 802.1X authentication, the option to use MAC
Authentication Bypass (MAB) is available. MAB is a supplemental
authentication mechanism that allows 802.1X-unaware clients (such as
printers, fax machines, and some IP phones) to authenticate to the network
using the client MAC address as an identifier.
The known and allowable MAC address and corresponding access rights of
the client must be pre-populated in the authentication server. Both MAB and
MAC-based authentications are supported on a port simultaneously.
When a port configured for MAB receives traffic from an unauthenticated
client, the switch (Network Authentication Server or NAS):
• Sends an EAP Request packet to the unauthenticated client
• Waits a pre-determined period of time for a response
• Retries: resends the EAP Request packet up to three times
• Considers the client to be an 802.1X-unaware client (if it does not
  receive an EAP response packet from that client)
The NAS sends a request to the authentication server with the MAC address
of the client in a hexadecimal format as the username and the MD5 hash of
the MAC address as the password. The authentication server checks its
database for the authorized MAC addresses and returns an Access-Accept or
an Access-Reject response, depending on whether the MAC address is found
in the database. If an Access-Accept is received by the NAS, an internal ACL
is applied to the port using the MAC address of the authenticated device,
allowing it to access the network. Any other devices wishing to access the
network must authenticate individually. MAB also allows 802.1X-unaware
clients to be placed in a RADIUS-assigned VLAN or to have a specific Filter
ID applied to the client traffic.
The following information is sent to the RADIUS authenticator for MAB
clients using EAP-MD5 authentication:
1 - User-Name         MAC address of MAB device (AA:BB:CC:DD:EE:FF)
                      Attribute 2 is not sent if Auth type is EAP-MD5.
4 - NAS-IP-Address    IP address of the switch
5 - NAS-Port          switch internal port number (ifIndex)
6 - Service Type      10 (Call-Check)
12 - Framed-MTU       port/switch MTU - header length (e.g. 1500)
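
The following is an added example, not code from this guide or from the switch vendor. It encodes the attributes listed above as RADIUS type-length-value fields and shows a server-side check that accepts only Call-Check requests whose User-Name is a pre-populated MAC address. The function names, the allow-list set, and the sample NAS address and port number are assumptions, and only the attribute section of the packet is modeled (no RADIUS header, authenticator, or EAP-Message).

```python
import re
import struct

# RADIUS attribute types from the list above (RFC 2865 numbering).
USER_NAME, NAS_IP, NAS_PORT, SERVICE_TYPE, FRAMED_MTU = 1, 4, 5, 6, 12
CALL_CHECK = 10                       # Service-Type value sent for MAB
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3   # RADIUS packet codes
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-]?[0-9A-Fa-f]{2}){5}")

def encode_attrs(attrs):
    """Encode (type, value) pairs as TLVs: 1-byte type, 1-byte length, value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(buf):
    """Decode TLVs into {type: value}; reject truncated or undersized lengths."""
    out, i = {}, 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        t, length = buf[i], buf[i + 1]
        out[t] = buf[i + 2:i + length]
        i += length
    return out

def normalize_mac(name):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    return re.sub(r"[:-]", "", name).lower() if MAC_RE.fullmatch(name) else None

def mab_decision(attr_bytes, allowed_macs):
    """Hypothetical server check: accept only Call-Check requests whose
    User-Name is a MAC address present in the pre-populated allow-list."""
    attrs = decode_attrs(attr_bytes)
    service = attrs.get(SERVICE_TYPE, b"")
    if len(service) != 4 or struct.unpack("!I", service)[0] != CALL_CHECK:
        return ACCESS_REJECT
    mac = normalize_mac(attrs.get(USER_NAME, b"").decode("ascii", "replace"))
    return ACCESS_ACCEPT if mac in allowed_macs else ACCESS_REJECT

def sample_request(mac, service_type=CALL_CHECK):
    """Constructed sample: the attribute set listed above for one MAB client."""
    return encode_attrs([
        (USER_NAME, mac.encode("ascii")),
        (NAS_IP, bytes([192, 0, 2, 10])),             # constructed switch IP
        (NAS_PORT, struct.pack("!I", 7)),             # constructed ifIndex
        (SERVICE_TYPE, struct.pack("!I", service_type)),
        (FRAMED_MTU, struct.pack("!I", 1500)),
    ])
```

Normalizing the User-Name before the lookup keeps the allow-list independent of the separator and letter case the switch uses when it formats the MAC address.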