802.1x MAC Authentication Bypass (MAB)
MAB is a supplemental authentication mechanism that allows 802.1x-unaware clients, such as printers and fax machines, to authenticate to the network using the client MAC address as an identifier. The known and allowable MAC address and corresponding access rights of the client must be
MAB uses the 802.1x infrastructure, and it cannot be supported independently of the Dot1x component.
Operation in the Network
MAC Authentication Bypass (MAB) can be configured on a
•Sends an EAP Request packet to the unauthenticated client
•Waits a
•Retries – resends the EAP Request packet up to three times
•Considers the client to be a dot1x-unaware client (if it does not receive an EAP response packet from that client)
The authenticator sends a request to the authentication server with the MAC address of the client in 'hhhhhhhhhhhh' format as the username and the MD5 hash of the MAC address as the password. The authentication server checks its database for the authorized MAC addresses and returns an 'Access-Accept' or an
Figure 5-5 illustrates a MAB scenario for:
•No response from the unauthenticated client
•EAPOL timeout
•Access Accept based on MAC address found in database
NOTE: MAB initiates only after the dot1x guest VLAN period times out. If the client responds to any of the EAPOL identity requests, MAB does not initiate for that client.
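The following is an added example, not taken from this manual or from the device vendor, showing how the username/password pair described above can be derived when populating the authentication server's database. The function names are hypothetical, and it assumes lowercase hex digits and a password that is the hex MD5 digest of the ASCII username string; the manual does not specify either detail.

```python
import hashlib
import hmac
import re


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 hex digits ('hhhhhhhhhhhh')."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()  # assumption: lowercase
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mab_credentials(mac: str) -> tuple[str, str]:
    """Username/password pair the authenticator would send for this MAC."""
    username = normalize_mac(mac)
    # Assumption: the hash input is the ASCII username string and the
    # password is the hex digest; check this against the server's logs.
    password = hashlib.md5(username.encode("ascii")).hexdigest()
    return username, password


def build_allow_list(macs):
    """Server-side table of authorized clients, keyed by username."""
    table = {}
    for mac in macs:
        username, password = mab_credentials(mac)
        if username in table:
            raise ValueError(f"duplicate MAC in inventory: {mac!r}")
        table[username] = password
    return table


def is_authorized(table, username: str, password: str) -> bool:
    """True when the pair matches an entry in the allow list."""
    expected = table.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


if __name__ == "__main__":
    # Constructed inventory: two clients written in different notations.
    allow = build_allow_list(["00-1A-2B-3C-4D-5E", "001a.2b3c.4d6f"])
    for user, pw in allow.items():
        print(user, pw)
    # The password is a pure function of the MAC, so it carries no secret:
    # the allow list is only as trustworthy as the MAC address itself.
    print(is_authorized(allow, *mab_credentials("00:1a:2b:3c:4d:5e")))
```

Because the password is computed from the MAC address alone, access rights granted to MAB entries should be limited to what the listed device actually needs.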