Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S6100-ON

100

Critical VLAN: Disable

Critical VLAN id: NONE

Mac-Auth-Bypass: Disable

Mac-Auth-Bypass Only: Disable

Static-MAB: Disable

Static-MAB Profile: NONE

Tx Period: 30 seconds

Quiet Period: 60 seconds

ReAuth Max: 2

Supplicant Timeout: 30 seconds

Server Timeout: 30 seconds

Re-Auth Interval: 3600 seconds

Max-EAP-Req: 2

Host Mode: MULTI_AUTH

Max-Supplicants: 128

Port status and State info for Supplicant: 7a:d9:d9:7d:00:00

Port Auth Status: AUTHORIZED

Untagged VLAN id: 400

Auth PAE State: Authenticated

Backend State: Idle

Port status and State info for Supplicant: 7a:d9:d9:7d:00:01

Port Auth Status: AUTHORIZED

Untagged VLAN id: 400

Auth PAE State: Authenticated

Backend State: Idle

Restricting Multi-Supplicant Authentication

To restrict the number of devices that 802.1X can authenticate on a port in multi-supplicant (multi-auth) mode, enter the dot1x max-

supplicants number command in Interface mode. By default, the maximum number of multi-supplicant devices is 128.

Dell(conf-if-te-2/1)# dot1x max-supplicants 4

MAC Authentication Bypass

MAC authentication bypass (MAB) enables you to provide MAC-based security by allowing only known MAC addresses within the network

using a RADIUS server.

802.1X-enabled clients can authenticate themselves using the 802.1X protocol. Other devices that do not use 802.1X — like IP phones,

printers, and IP fax machines — still need connectivity to the network. The guest VLAN provides one way to access the network.

However, placing trusted devices on the quarantined VLAN is not the best practice. MAB allows devices that have known static MAC

addresses to be authenticated using their MAC address, and places them into a VLAN dierent from the VLAN in which unknown devices

are placed.

For an 802.1X-incapable device, 802.1X times out if the device does not respond to the Request Identity frame. If MAB is enabled, the port

is then put into learning state and waits indenitely until the device sends a packet. Once its MAC is learned, it is sent for authentication to

the RADIUS server (as both the username and password, in hexadecimal format without any colons). If the server authenticates

successfully, the port is dynamically assigned to a MAB VLAN using a RADIUS attribute 81, or is assigned to the untagged VLAN of the

port. Afterward, packets from any other MAC address are dropped. If authentication fails, the authenticator waits the quiet-period and then

restarts the authentication process.

MAC authentication bypass works in conjunction and in competition with the guest VLAN and authentication-fail VLAN. When both

features are enabled:

1 If authentication fails, the port it is placed into the authentication-fail VLAN.

2 If the host does not respond to the Request Identity frame, the port transitions to MAB initiation state.

802.1X