Dell POWEREDGE M1000E User Manual
Configuring 802.1X and Port-Based Security
If a port uses MAC-based 802.1X authentication, the option to use MAC
Authentication Bypass (MAB) is available. MAB is a supplemental
authentication mechanism that allows 802.1X-unaware clients, such as
printers and fax machines, to authenticate to the network using the client
MAC address as an identifier. The known and allowable MAC address and
corresponding access rights of the client must be pre-populated in the
authentication server.
When a port configured for MAB receives traffic from an unauthenticated
client, the switch (Authenticator):
• Sends an EAP Request packet to the unauthenticated client
• Waits a pre-determined period of time for a response
• Retries – resends the EAP Request packet up to three times
• Considers the client to be an 802.1X-unaware client (if it does not receive an
EAP response packet from that client)
The authenticator sends a request to the authentication server with the MAC
address of the client in a hexadecimal format as the username and the MD5
hash of the MAC address as the password. The authentication server checks
its database for the authorized MAC addresses and returns an Access-Accept
or an Access-Reject response, depending on whether the MAC address is
found in the database. MAB also allows 802.1X-unaware clients to be placed
in a RADIUS-assigned VLAN or to apply a specific Filter ID to the client
traffic.
NOTE: MAB initiates only after the dot1x guest VLAN period times out. If the
client responds to any of the EAPOL identity requests, MAB does not initiate for
that client.
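
The following sketch, added here and not taken from the Dell manual or firmware, models the MAB exchange described above: it builds the pre-populated server database from a device inventory and returns Access-Accept (with VLAN and Filter ID) or Access-Reject. It assumes the username is 12 uppercase hex digits without separators and the password is the hex MD5 digest of that string; the inventory, VLAN numbers, filter names and function names are constructed for illustration, so confirm the exact format against an Access-Request captured from the switch.

```python
import hashlib
import re

# Constructed inventory of 802.1X-unaware devices: MAC -> (VLAN, Filter ID).
# Addresses, VLAN numbers and filter names are made up for illustration.
INVENTORY = {
    "00:1B:44:11:3A:B7": (30, "printers-in"),
    "001b.4411.3ab8": (30, "printers-in"),
    "00-1B-44-11-3A-B9": (40, None),
}

def normalize_mac(raw):
    """Return the MAC as 12 uppercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:.\-\s]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(digits[:2], 16) & 1:  # group bit set: multicast or broadcast
        raise ValueError(f"group address cannot identify a client: {raw!r}")
    return digits

def mab_credentials(raw):
    """Username/password pair in the format assumed for the MAB request."""
    user = normalize_mac(raw)
    # Assumption: MD5 is computed over the ASCII username and hex-encoded.
    return user, hashlib.md5(user.encode("ascii")).hexdigest()

def build_database(inventory):
    """Pre-populate the server-side table of allowed MAC addresses."""
    db = {}
    for raw, (vlan, filter_id) in inventory.items():
        user, password = mab_credentials(raw)
        if user in db:
            raise ValueError(f"duplicate entry for {user}")
        db[user] = {"password": password, "vlan": vlan, "filter_id": filter_id}
    return db

def authenticate(db, username, password):
    """Model the server decision for one MAB request."""
    entry = db.get(username)
    if entry is None or entry["password"] != password:
        return ("Access-Reject", {})
    attrs = {"vlan": entry["vlan"]}
    if entry["filter_id"]:
        attrs["filter_id"] = entry["filter_id"]
    return ("Access-Accept", attrs)
```

Because the password is derived from the MAC address, a database entry vouches for nothing beyond the address itself, so the RADIUS-assigned VLAN and Filter ID are what limit the access such a client receives.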