Mac authentication bypass – Dell POWEREDGE M1000E User Manual

802.1x Commands

Whenever an operator configures a port in Dot1x authentication mode and selects the authentication method as internal, the user credentials received from the Dot1x supplicant are validated against the IDAS by the Dot1x component. The Dot1x application accesses the Dot1x user database to check whether the user credentials present in the authentication message correspond to a valid user. If so, an event is generated which triggers the Dot1x state machine to send a challenge to the supplicant. Otherwise, a failure is returned to the Dot1x state machine and the user is not granted access to the port.

If user credentials are changed, existing user connections are not disturbed, and the changed credentials are used only when a new EAP request arises.

A CLI configuration mode is added in order to configure dot1x users and their attributes. The user database maintained by Dot1x can be exported (uploaded) to or imported (downloaded) from a central location using a TFTP server.

MAC Authentication Bypass

Today, 802.1x has become the recommended port-based authentication method at the access layer in enterprise networks. However, there may be 802.1x-unaware devices, such as printers, fax machines, etc., that require access to the network without 802.1x authentication. MAC Authentication Bypass (MAB) is a supplemental authentication mechanism that allows 802.1x-unaware clients to authenticate to the network. It uses the 802.1x infrastructure, and MAB cannot be supported independently of the Dot1x component.

MAC Authentication Bypass (MAB) provides 802.1x-unaware clients controlled access to the network using the device's MAC address as an identifier. This requires that the known and allowable MAC addresses and corresponding access rights be pre-populated in the authentication server. MAB only works when the port control mode of the port is MAC-based.

Port access by MAB clients is allowed if the Dot1x user database has corresponding entries added for the MAB clients, with the user name and password attributes set to the MAC address of the MAB client.
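
The following is an added example, not taken from the Dell manual: it models the MAB rule described above and audits a user list for MAB entries, whose only credential is the MAC address itself. The mode string "mac-based", the accepted MAC notations and the sample database are assumptions made for illustration.

```python
import re

# Assumption: MAC addresses may be written with ':', '-', '.' or no separators;
# the manual does not say which notation the switch expects in the database.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(text):
    """Return 12 lowercase hex digits, or None if text is not a MAC address."""
    digits = re.sub(r"[:.\-]", "", text.strip().lower())
    return digits if _HEX12.match(digits) else None

def mab_allows(port_control_mode, client_mac, user_db):
    """Model of the rule in the text: the port must be MAC-based and the
    database must hold an entry whose user name and password are both the MAC."""
    mac = normalize_mac(client_mac)
    # "mac-based" is a hypothetical label for the MAC-based port control mode.
    if port_control_mode != "mac-based" or mac is None:
        return False
    return any(normalize_mac(u) == mac and normalize_mac(p) == mac
               for u, p in user_db)

def audit(user_db):
    """Classify entries: 'mab' (name == password == MAC), 'broken-mab'
    (name is a MAC but the password is not that MAC), or 'user'."""
    report = {"mab": [], "broken-mab": [], "user": []}
    for name, password in user_db:
        mac = normalize_mac(name)
        if mac is None:
            report["user"].append(name)
        elif normalize_mac(password) == mac:
            report["mab"].append(mac)
        else:
            report["broken-mab"].append(mac)
    return report

# Constructed sample database of (user name, password); not from the manual.
SAMPLE_DB = [
    ("00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:5E"),  # printer, valid MAB entry
    ("001a.2b3c.4d5f", "changeme"),              # MAC name, mismatched password
    ("alice", "S3cret-passphrase"),              # ordinary 802.1x user
]

if __name__ == "__main__":
    print(mab_allows("mac-based", "00-1a-2b-3c-4d-5e", SAMPLE_DB))
    print(audit(SAMPLE_DB))
```

The `mab` list is the inventory of devices admitted on MAC address alone; entries under `broken-mab` would not satisfy the rule above and are worth correcting or removing.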

2CSPC4.XModular-SWUM200.book Page 764 Thursday, March 10, 2011 11:18 AM
