OcNOS SP : Layer 2 Guide : Layer 2 Configuration Guide : MAC Authentication Bypass
MAC Authentication Bypass
MAC Authentication Bypass (MAB) is used for a non-authenticating device (a device without an 802.1X supplicant running on it) connecting to a network with 802.1X enabled. Since there is no supplicant to answer the EAP identity requests from the authenticator (switch, wireless controller, etc.) the authenticator will generate the authentication request for the endpoint using the endpoint's MAC address as the username/password for the Access-Request message.
Note: Multicast address is not accepted for host address of radius-server.
Topology
MAB Topology
Configuration
Switch Configuration for MAC Authentication Bypass (MAB)
 
Switch#configure terminal
Enter configure mode
Switch(config)#bridge 1 protocol ieee vlan-bridge
Create bridge 1
OcNOS(config)#commit
Commit candidate configuration to be running configuration
Switch(config)#port-security disable
Disable port security
Switch(config)#dot1x system-auth-ctrl
Enable dot1x authentication globally
Switch(config)#auth-mac system-auth-ctrl
Enable MAC authentication bypass globally
Switch(config)#radius-server dot1x host 10.1.1.1 key 0 testing123
Specify the host IP and key with string name between radius server and client.
Switch(config)#commit
Commit transaction
Switch(config)#interface xe0
Configure interface xe0
Switch(config-if)#switchport
Enable switch port on interface.
Switch(config-if)#bridge-group 1
Associate bridge to an interface.
Switch(config-if)#switchport mode access
Configure port as access
Switch(config-if)#dot1x port-control auto
Enable authentication (via Radius) on port (xe0)
Switch(config-if)#dot1x mac-auth-bypass enable
Enable MAC authentication bypass on interface
OcNOS(config)#commit
Commit candidate configuration to be running configuration
Switch(config)#interface xe9
Configure interface xe9
Switch(config-if)#ip address 10.1.1.2/24
Set the IP address on interface xe9
Switch(config-if)#commit
Commit transaction
Switch(config-if)#end
Exit config mode.
Validation
Verify MAB on Switch
Switch#show mab all
Global MAC Authentication Enabled
RADIUS server address: 10.1.1.1:1812
Next radius message id: 4
RADIUS client address: not configured
 
MAB info for interface xe0
Dot1x timer: Expired
MAB Authentication Enabled
Supplicant name: 00:07:E9:A5:3D:FA
Status: MAC Authorized
Last rejected MAC:
Configuration
MAC Authentication Configuration
 
Switch#configure terminal
Enter configure mode
Switch(config)#bridge 1 protocol ieee vlan-bridge
Create bridge 1
Switch(config)#port-security disable
Disable port security
Switch(config)#dot1x system-auth-ctrl
Enable dot1x authentication globally
Switch(config)#auth-mac system-auth-ctrl
Enable MAC authentication bypass globally
Switch(config)#radius-server dot1x host 10.1.1.1 key 0 testing123
Specify the host IP and key with string name between radius server and client.
Switch(config)#commit
Commit transaction
Switch(config)#interface xe0
Configure interface xe0
Switch(config-if)#switchport
Enable switch port on interface.
Switch(config-if)#bridge-group 1
Associate bridge to an interface.
Switch(config-if)#switchport mode access
Configure port as access
Switch(config-if)#auth-mac enable
Enable MAC authentication on interface
OcNOS(config)#commit
Commit candidate configuration to be running configuration
Switch(config)#interface xe9
Configure interface xe9
Switch(config-if)#ip address 10.1.1.2/24
Set the IP address on interface xe9
Switch(config-if)#commit
Commit transaction
Switch(config-if)#end
Exit config mode.
Note: When AUTH-MAC is enabled on the interface MAC-AUTH bypass cannot be enabled and vice-versa.
Validation
 
Verify MAB on Switch
Switch#show mab all
Global MAC Authentication Enabled
RADIUS server address: 10.1.1.1:1812
Next radius message id: 9
RADIUS client address: not configured
 
MAB info for interface xe0
Dot1x timer: Expired
MAB Authentication Disabled
Supplicant name: 00:07:E9:A5:3D:FA
Status: MAC Authorized
Last rejected MAC: 00:07:E9:A5:4E:25