MAB Operation
As outlined in the preceding sections on 802.1X deployments, only EAPOL control frames are normally processed by switch ports while 802.1X is maintained in an operating and active state. However, this also means that MAC addresses from any edge device may not be learned until EAPOL frames are processed from it. These are the security benefits of 802.1X, and they do not change in any way with respect to any MAB implementation. Noteworthy for this discussion, spanning tree is not even in a forwarding state on the port until the port is authorized through 802.1X.

294 Chapter 17: Identity-Based Networking Services with 802.1X

The Guest-VLAN offers no comparable capability. If the client on the wire cannot speak 802.1X, the Guest-VLAN is enabled. Any device deployed into a Guest-VLAN might be a machine on the network that an administrator does not need or want to be placed in a Guest-VLAN. Hence, the ability to apply differentiated services based on the MAC address alone is useful for identification purposes. Upstream, the Guest-VLAN might also only have access to limited resources, as defined by the network administrator.
Prior to MAB, a MAC address might only be learned on a switch port after the port is enabled and placed into a Guest-VLAN. Also, after a port is enabled and placed into a Guest-VLAN, no authentication (other than EAPOL processing by a supplicant) takes place on the port directly, and the network can learn any number of MAC addresses on the port by default (which inherently does not provide security). Hence, there are limitations in attempting to use the Guest-VLAN concept as a solution to provide access for any managed non-802.1X devices in the context of IBNS.
So, what is needed is a way to update a switch CAM table with a (single) MAC address while not circumventing the value added by a port-based 802.1X solution to begin with. MAB makes an effort to leverage similar mechanisms that are already applied to other authentication schemes (802.1X/EAP). This makes deployments easier for you to deploy and understand. MAB provides this controlled access to devices based on their MAC address. MAB should allow non-802.1X-compliant end devices to be governed by controlled access to the network in a transparent manner using a prepopulated database technique. The requirement for enabling access for clients that do not support 802.1X supplicant functionality is applicable to IBNS, where a need exists to enable network access for all clients. It is critical to IBNS for MAB to leverage dynamic policy assignment. MAB allows end users to authenticate (without any supplied credentials). MAB is not intended to directly provide a MAC address learning capability, in much the same way that 802.1X does not directly provide a credential learning mechanism. It is to be provided solely as a means of authentication and enforcement. Although MAB requires some form of a provisioning process, the described functionality is independent of any actual process. Alone, this process assumes MAC addresses are already known. MAB should then give clients that cannot or do not support 802.1X the necessary functionality to integrate into an IBNS strategy. Like 802.1X, MAB is intended for the access layer and addresses the need for network-edge authentication similar in nature and benefits to the functionality provided by the IEEE 802.1X framework (without the requirement for client-side code).
Much like the Guest-VLAN, MAB operates based on an 802.1X timeout condition. After a switch port can determine that an 802.1X supplicant is not present on the port, it falls back to checking the MAC address (which is an authentication method of lesser security). After timing out 802.1X on the port, a switch can learn a MAC address through classic MAC learning techniques. After a MAC address is learned, it is authenticated in much the same way an 802.1X supplicant would be authenticated. RADIUS is used as the AAA protocol for the access criteria, and the switch acts as a proxy. Figure 17-7 illustrates a complete operational flow of MAB.

Working with Devices Incapable of 802.1X 295
Figure 17-7 MAB Operation
As Figure 17-7 illustrates, MAB only initiates after an 802.1X timeout. MAB then requires a variable amount of time for the end station to attempt to send traffic into the network so that the MAC can be learned by the switch. After this occurs, a RADIUS request is sent to the backend, asking whether the MAC should be granted network access.
After a host/device fails to supply 802.1X authentication credentials, the network-access device takes the learned MAC address and hands it off to the authentication server as both the username and the password. If the host/device fails to authenticate at this level, it can optionally be placed into a predetermined Guest-VLAN and, at this time, other authentication methods can be attempted. Alternatively, the Guest-VLAN can be used as a means to support a provisioning process for MAC addresses through scanning techniques or captive portal techniques, if end users are applicable to the devices seeking to be authenticated. Ultimately, if the host/device passes with MAB credentials, it can then be placed into the configured VLAN and receive an IP address to begin its desired functions. Operationally, MAB largely relies on an 802.1X timeout condition; this timeout is configurable. See the section, “802.1X Guest-VLAN Timing,” for timeout specifics.
Optionally, dynamic policy can be downloaded from RADIUS the same way this is achieved with 802.1X in the form of VLAN assignment. This allows authentication features to be applied in a consistent manner. Dynamic policy downloaded from an authentication server includes any capability currently available with 802.1X on the access switch in question (such as per-user ACLs, VLAN assignment, and so on). Also, the validity of the authorized session is enforced on the switch in much the same way it is enforced with 802.1X. This enforcement is achieved by restricting the traffic originating on the authenticated port to come only from the authorized MAC address. With MAB, by default, only one host can be authenticated and locked down per port. Any new MAC address that is seen attempting to pass traffic on the port is treated as a security violation.

[Figure 17-7 is a sequence diagram between the Client, the Dot1x/MAB switch, and RADIUS. Upon linkup the switch sends EAPOL-Request (Identity) frames (destination 01.80.c2.00.00.03) at 30-second intervals; after the third goes unanswered, EAPOL-Timeout occurs and the switch initiates MAB. The switch then learns the client MAC (a variable amount of time; 00.0a.95.7f.de.06 in the figure), sends a RADIUS Access-Request, receives a RADIUS Access-Accept, and the port is enabled. The figure numbers these steps 1 through 8.]
Like 802.1X, MAB is a port-based feature; it must be discretely enabled on each port. The following represents a specific port configuration with MAB added:

interface FastEthernet0/1
 switchport access vlan 2
 switchport mode access
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
MAB activates when 802.1X times out waiting for an EAPOL packet on the wire. The 802.1X state machine enters a waiting state and relinquishes control to MAB to begin device authorization upon this timeout. MAB runs passively and does not transmit any packets to detect devices. Again, the responsibility lies with the attached device to send traffic. If a device sends no traffic, technically, a port could be listening for packets forever after MAB activates. When packets arrive on a port where MAB is active, the switch forwards them to the CPU. The source MAC address is gleaned from the packet and forwarded to the MAB process for authentication. The trigger packet itself is needed for session state creation. Whenever MAB would activate, if an EAPOL packet has been detected on the wire (such as an EAPOL-Start from an 802.1X supplicant), 802.1X never relinquishes control to MAB. The history of EAPOL packets seen on the wire is maintained as long as the port is physically connected. This history is lost upon a physical link change, because the state machines for both technologies are directly dependent on link state.
After MAB activates, a port is typically in an unauthorized state (because 802.1X timed out). So, while waiting for a packet from which to gather a MAC address, if an EAPOL packet is detected, MAB deactivates and relinquishes complete control to 802.1X. 802.1X then attempts to authenticate the port. From then on, MAB never activates as long as the link is never lost on the port.
In some cases, MAB might have authorized a port already, and 802.1X is then seen on the wire. An example of this might be a successful MAB attempt before 802.1X has started on the client (such as when timers are tweaked for early timeout), or MAB being executed in an effort to assist the end station in downloading 802.1X-supplicant software. Typically, in this condition, the MAC addresses from both events match. However, if a port is authorized with MAC address A, and an EAPOL packet arrives with a source MAC address of B, this triggers a security violation on the switch.
The Guest-VLAN also serves as a failure policy for MAB if it is configured on the same port as MAB. Otherwise, the failure policy for MAB is to always try to 802.1X-authenticate the port again. Today, for Cisco IOS-based switches, this is primarily caused by a MAB failure actually causing the port to go into the failure state, just like when an 802.1X supplicant fails authentication. So, after 802.1X is attempted again and times out again, MAB is attempted again. However, because the Guest-VLAN can serve as the failure criterion for MAB if it is configured along with MAB, this might provide systemic value. An example of the value it could provide is for MAB and the Guest-VLAN to jointly provide a means to provision credentials in an identity store for MAC addresses that might not be known in advance to a network. Figure 17-8 depicts this operation.
Figure 17-8 802.1X, MAB, and Guest-VLAN Interaction
The operational nature of this feature interaction was designed primarily as part of MAB to support backward compatibility for devices that cannot speak 802.1X and networks that have deployed the Guest-VLAN.
NOTE If a port is initially configured for 802.1X with Guest-VLAN, and the port activates in the Guest-VLAN, it remains there even though a network administrator enables MAB. The port link status must be flapped to initialize the 802.1X state machine.
In summary, MAB functions as a port-based feature. It is primarily used as a fallback mechanism to 802.1X. Like 802.1X, there is no de facto ability to support more than one MAC per port. A MAB port can optionally be enabled for multihost mode, just as is done with 802.1X. MAB cannot be used as a means to deal with failed 802.1X authentication attempts. MAB provides more options if you have bought into port security with configured MAC addresses. These options include the advancement of mobility, dynamic downloading of policy, and so on. MAB provides a migration path from legacy technologies, such as VMPS. MAB also works with any standard RADIUS server (with a default timeout of 30 seconds and three retries). This means that the total timeout period is at least 90 seconds by default, which is the same minimum default timeout as the Guest-VLAN. A device must also send traffic into the switch for the MAC to be learned after the 802.1X timeout. If MAB fails, network access is implicitly denied. If MAB fails and the Guest-VLAN is also configured, the Guest-VLAN is enabled (for backward compatibility). MAB does not call for a provisioning mechanism, although the Guest-VLAN can assist in this process.

[Figure 17-8 is a decision flowchart with the nodes 802.1X Enabled?, Initiate Auth, 802.1X Time Out?, Auth Succeed?, MAC-Auth Enabled?, MAC-Auth Time Out?, Guest-VLAN Enabled?, Authz Port, and Deny Access: 802.1X authentication is initiated first; on 802.1X timeout, MAC authentication is initiated if it is enabled; when MAC authentication times out or fails, the port is placed in the Guest-VLAN if one is enabled, otherwise access is denied; a successful authentication authorizes the port.]
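To make the timing and precedence rules of this section concrete, the following Python model is added here; it is not code from the book or from Cisco IOS. It assumes MAB is enabled on the port (as in the configuration above), uses the page's defaults of three EAPOL-Request (Identity) frames 30 seconds apart, and uses a constructed frozenset as a stand-in for the RADIUS identity store; the EAP exchange with a supplicant is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

EAPOL_PERIOD = 30   # seconds between EAPOL-Request (Identity) retries (page default)
MAX_REQUESTS = 3    # unanswered requests before 802.1X times out (page default)

@dataclass
class Port:
    guest_vlan: Optional[int] = None      # when set, it is the MAB failure policy
    mab_store: frozenset = frozenset()    # constructed stand-in for the RADIUS identity store
    state: str = "DOWN"
    authorized_mac: Optional[str] = None
    eapol_seen: bool = False              # EAPOL history, kept while the link stays up
    requests_sent: int = 0
    elapsed: int = 0

    def link_up(self):
        self.eapol_seen = False           # a physical link change clears the EAPOL history
        self._start_dot1x()

    def _start_dot1x(self):
        self.state, self.authorized_mac = "DOT1X_WAIT", None
        self.requests_sent, self.elapsed = 1, 0   # first EAPOL-Request (Identity) goes out now

    def tick(self, seconds):              # advance the timer; the EAP exchange itself is not modelled
        self.elapsed += seconds
        if self.state != "DOT1X_WAIT" or self.eapol_seen:
            return
        while self.requests_sent < MAX_REQUESTS and self.elapsed >= self.requests_sent * EAPOL_PERIOD:
            self.requests_sent += 1       # retry 30 s after the previous unanswered request
        if self.elapsed >= MAX_REQUESTS * EAPOL_PERIOD:
            self.state = "MAB_WAIT"       # 802.1X timed out (90 s by default); MAB listens passively

    def eapol(self, src_mac):
        self.eapol_seen = True
        if self.state == "MAB_WAIT":      # supplicant showed up late: MAB yields to 802.1X
            self.state = "DOT1X_WAIT"
        elif self.authorized_mac not in (None, src_mac):
            self.state = "VIOLATION"      # MAB authorized MAC A, EAPOL arrived from MAC B

    def data(self, src_mac):
        if self.state == "MAB_WAIT":      # first frame supplies the MAC; it is sent to RADIUS as
            if src_mac in self.mab_store:  # both User-Name and User-Password (no user credentials)
                self.state, self.authorized_mac = "AUTHORIZED", src_mac
            elif self.guest_vlan is not None:
                self.state = "GUEST_VLAN"  # Guest-VLAN configured: MAB failure lands here
            else:
                self._start_dot1x()       # otherwise 802.1X is attempted again, then MAB again
        elif self.state == "AUTHORIZED" and src_mac != self.authorized_mac:
            self.state = "VIOLATION"      # single-host default: a second MAC is a violation
```

A port that never sees traffic after the timeout stays in MAB_WAIT indefinitely, which is the "listening forever" case described above.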