122 Device Security
802.1x MAC Authentication Bypass (MAB)
MAB is a supplemental authentication mechanism that allows 802.1x-unaware clients, such as printers
and fax machines, to authenticate to the network using the client MAC address as an identifier. The
known and allowable MAC address and corresponding access rights of the client must be pre-populated
in the authentication server. MAB only works when the port control mode of the port is mac-based.
MAB uses the 802.1x infrastructure and cannot be supported independently of the Dot1x component.
Operation in the Network
MAC Authentication Bypass (MAB) can be configured on a per-port basis. When a port configured for
MAB receives traffic from an unauthenticated client, the switch (Authenticator):
• Sends an EAP Request packet to the unauthenticated client
• Waits a pre-determined period of time for a response
• Retries, resending the EAP Request packet up to three times
• Considers the client to be a dot1x-unaware client if it does not receive an EAP response packet from
that client
The authenticator sends a request to the authentication server with the MAC address of the client in
'hhhhhhhhhhhh' format as the username and the MD5 hash of the MAC address as the password. The
authentication server checks its database for the authorized MAC addresses and returns an
'Access-Accept' or an 'Access-Reject', depending on whether the MAC address is found in the database.
This also allows dot1x-unaware clients to be placed in a RADIUS-assigned VLAN or to have a specific
Filter ID applied to the client traffic.
Figure 5-5 illustrates a MAB scenario for:
• No response from the unauthenticated client
• EAPOL timeout
• Access Accept based on MAC address found in database
NOTE: MAB initiates only after the dot1x guest VLAN period times out. If the client responds to any of the EAPOL
identity requests, MAB does not initiate for that client.
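The following Python model walks through the sequence described under Operation in the Network and the NOTE above: the authenticator sends up to three EAP Requests, treats a silent client as dot1x-unaware once the guest VLAN period has expired, builds the MAB username in 'hhhhhhhhhhhh' form with the MD5 of that string as the password, and the authentication server answers Access-Accept (with a VLAN and Filter ID) or Access-Reject. This is an added example, not code from the switch or its documentation. It assumes lowercase hex for the username (the page does not state the case), models the wait period as a counted attempt rather than a timer, and uses a constructed database of allowed MAC addresses.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# "Up to three times" is from the page; the wait period is switch-specific
# and is only modelled here as a counted attempt, not a real timer.
EAP_REQUEST_MAX_ATTEMPTS = 3


def mac_to_mab_username(mac: str) -> str:
    """Normalize a MAC in any common notation to the 12-hex-digit
    'hhhhhhhhhhhh' form used as the MAB username. Lowercase output is an
    assumption; the page does not say which case the switch sends."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mab_password(username: str) -> str:
    """MD5 hex digest of the 'hhhhhhhhhhhh' string, as the page describes.
    It carries no secret: anyone who knows the MAC can compute it."""
    return hashlib.md5(username.encode("ascii")).hexdigest()


@dataclass
class RadiusReply:
    code: str                        # "Access-Accept" or "Access-Reject"
    vlan: Optional[int] = None       # RADIUS-assigned VLAN, if any
    filter_id: Optional[str] = None  # Filter ID for the client traffic, if any


# Constructed authentication-server database of pre-populated MAC addresses
# and their access rights (sample values, not taken from the page).
AUTH_SERVER_DB = {
    "001122aabbcc": {"vlan": 20, "filter_id": "printers-acl"},
    "00aabbccddee": {"vlan": None, "filter_id": None},
}


def auth_server_lookup(username: str, password: str) -> RadiusReply:
    """Authentication-server side: Access-Accept only if the MAC is in the
    database and the supplied password is the MD5 of that MAC."""
    entry = AUTH_SERVER_DB.get(username)
    if entry is None or password != mab_password(username):
        return RadiusReply("Access-Reject")
    return RadiusReply("Access-Accept", entry["vlan"], entry["filter_id"])


@dataclass
class PortResult:
    outcome: str            # "dot1x", "guest-vlan-wait", "mab-accept", "mab-reject"
    eap_requests_sent: int
    vlan: Optional[int] = None
    filter_id: Optional[str] = None


def authenticate_port(mac: str,
                      eapol_response_on_attempt: Optional[int] = None,
                      guest_vlan_period_expired: bool = True) -> PortResult:
    """Authenticator flow for one unauthenticated client on a MAB-enabled port.

    eapol_response_on_attempt: 1-based number of the EAP Request the client
    answers, or None if it never answers (a dot1x-unaware client).
    guest_vlan_period_expired: MAB initiates only after the guest VLAN period
    times out (the NOTE on the page)."""
    sent = 0
    for attempt in range(1, EAP_REQUEST_MAX_ATTEMPTS + 1):
        sent += 1  # send an EAP Request, then wait the pre-determined period
        if eapol_response_on_attempt == attempt:
            # The client answered an EAPOL identity request: it is 802.1x
            # aware, so ordinary dot1x proceeds and MAB never initiates.
            return PortResult("dot1x", sent)
    # EAPOL timeout after the retries: the client is treated as dot1x-unaware.
    if not guest_vlan_period_expired:
        return PortResult("guest-vlan-wait", sent)
    username = mac_to_mab_username(mac)
    reply = auth_server_lookup(username, mab_password(username))
    if reply.code == "Access-Accept":
        return PortResult("mab-accept", sent, reply.vlan, reply.filter_id)
    return PortResult("mab-reject", sent)


if __name__ == "__main__":
    for mac, answers in (("00:11:22:AA:BB:CC", None), ("0011.22aa.bbcc", 2),
                         ("00-de-ad-be-ef-00", None)):
        print(mac, authenticate_port(mac, answers))
```

Two points the model makes visible: the 'password' adds no secrecy, since it is derived from the MAC itself, so the pre-populated allow list on the authentication server is the only control MAB applies; and a client that answers any of the three EAP Requests never reaches the MAB path at all, which is why a MAB-authorized MAC must be configured for the port's dot1x-unaware devices rather than as a fallback for devices that speak 802.1x.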