MAC Authentication Bypass
MAC Authentication Bypass (MAB) is used for a non-authenticating device (a device without an 802.1X supplicant running on it) connecting to a network with 802.1X enabled. Since there is no supplicant to answer the EAP identity requests from the authenticator (switch, wireless controller, etc.) the authenticator will generate the authentication request for the endpoint using the endpoint's MAC address as the username/password for the Access-Request message.
Note: Multicast address is not accepted for host address of radius-server.
Topology
MAB Topology
Configuration
Switch Configuration for MAC Authentication Bypass (MAB)
Switch#configure terminal | Enter configure mode |
Switch(config)#bridge 1 protocol ieee vlan-bridge | Create bridge 1 |
OcNOS(config)#commit | Commit candidate configuration to be running configuration |
Switch(config)#port-security disable | Disable port security |
Switch(config)#dot1x system-auth-ctrl | Enable dot1x authentication globally |
Switch(config)#auth-mac system-auth-ctrl | Enable MAC authentication bypass globally |
Switch(config)#radius-server dot1x host 10.1.1.1 key 0 testing123 | Specify the host IP and key with string name between radius server and client. |
Switch(config)#commit | Commit transaction |
Switch(config)#interface xe0 | Configure interface xe0 |
Switch(config-if)#switchport | Enable switch port on interface. |
Switch(config-if)#bridge-group 1 | Associate bridge to an interface. |
Switch(config-if)#switchport mode access | Configure port as access |
Switch(config-if)#dot1x port-control auto | Enable authentication (via Radius) on port (xe0) |
Switch(config-if)#dot1x mac-auth-bypass enable | Enable MAC authentication bypass on interface |
OcNOS(config)#commit | Commit candidate configuration to be running configuration |
Switch(config)#interface xe9 | Configure interface xe9 |
Switch(config-if)#ip address 10.1.1.2/24 | Set the IP address on interface xe9 |
Switch(config-if)#commit | Commit transaction |
Switch(config-if)#end | Exit config mode. |
Validation
Verify MAB on Switch
Switch#show mab all
Global MAC Authentication Enabled
RADIUS server address: 10.1.1.1:1812
Next radius message id: 4
RADIUS client address: not configured
MAB info for interface xe0
Dot1x timer: Expired
MAB Authentication Enabled
Supplicant name: 00:07:E9:A5:3D:FA
Status: MAC Authorized
Last rejected MAC:
Configuration
MAC Authentication Configuration
Switch#configure terminal | Enter configure mode |
Switch(config)#bridge 1 protocol ieee vlan-bridge | Create bridge 1 |
Switch(config)#port-security disable | Disable port security |
Switch(config)#dot1x system-auth-ctrl | Enable dot1x authentication globally |
Switch(config)#auth-mac system-auth-ctrl | Enable MAC authentication bypass globally |
Switch(config)#radius-server dot1x host 10.1.1.1 key 0 testing123 | Specify the host IP and key with string name between radius server and client. |
Switch(config)#commit | Commit transaction |
Switch(config)#interface xe0 | Configure interface xe0 |
Switch(config-if)#switchport | Enable switch port on interface. |
Switch(config-if)#bridge-group 1 | Associate bridge to an interface. |
Switch(config-if)#switchport mode access | Configure port as access |
Switch(config-if)#auth-mac enable | Enable MAC authentication on interface |
OcNOS(config)#commit | Commit candidate configuration to be running configuration |
Switch(config)#interface xe9 | Configure interface xe9 |
Switch(config-if)#ip address 10.1.1.2/24 | Set the IP address on interface xe9 |
Switch(config-if)#commit | Commit transaction |
Switch(config-if)#end | Exit config mode. |
Note: When AUTH-MAC is enabled on the interface MAC-AUTH bypass cannot be enabled and vice-versa.
Validation
Verify MAB on Switch
Switch#show mab all
Global MAC Authentication Enabled
RADIUS server address: 10.1.1.1:1812
Next radius message id: 9
RADIUS client address: not configured
MAB info for interface xe0
Dot1x timer: Expired
MAB Authentication Disabled
Supplicant name: 00:07:E9:A5:3D:FA
Status: MAC Authorized
Last rejected MAC: 00:07:E9:A5:4E:25