Categories: CCNP Enterprise Core (350-401), Cisco Security

Network Access Control – MAC Authentication Bypass (MAB)

MAC Authentication Bypass (MAB) is an access control technique that performs port-based access control using the endpoint's MAC address. It is used as a fallback mechanism for 802.1X when the endpoint has no supplicant.

Process

The switch initiates authentication by sending an EAPoL identity request to the endpoint every 30 seconds by default. After three timeouts the switch concludes that the endpoint has no supplicant and falls back to authenticating it with MAC Authentication Bypass.

The switch begins MAC Authentication Bypass by accepting a single packet from the endpoint; from that packet it learns the device's MAC address.

Once the MAC address has been learned, the packet is discarded and the switch crafts a RADIUS Access-Request using the endpoint's MAC address as the identity.

The RADIUS server receives this request and will perform MAC authentication.

The RADIUS server determines whether the device should be granted access. If access is to be granted, it also determines what level of access to grant and sends an Access-Accept back to the authenticator. The Access-Accept can carry options that restrict the endpoint, such as downloadable ACLs (dACLs), dynamic VLAN assignment (dVLANs) and Security Group Tags (SGTs).

Because MAC addresses are easily spoofed, endpoints authenticated by MAB should be given very limited access: only to the network segments and services that the device needs in order to work.
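The following Python script is an added illustration of the process above and of the least-privilege caveat; it is not part of the original post and not Cisco or RADIUS server code. The 30-second EAPoL interval and the three timeouts come from the article. Everything else is assumed for the example: the MAB database, the port names, the VLAN and dACL names, and the shape of the Access-Request (MAC as User-Name and User-Password, Service-Type Call-Check, which is what MAB requests commonly look like but is treated here as an assumption). The `mac_move_suspected` check is a defender-side signal the article does not describe: it flags a MAB identity that has already been authorized on a different port, which is one of the few things a switch can observe when a MAC is reused.

```python
"""Simulated 802.1X-to-MAB fallback and the RADIUS decision that follows (added example)."""
from dataclasses import dataclass, field

EAPOL_TX_PERIOD = 30     # seconds between EAPoL identity requests (default stated in the article)
EAPOL_MAX_TIMEOUTS = 3   # timeouts after which the switch concludes there is no supplicant

# Constructed MAB database: MAC identity -> least-privilege authorization attributes.
# Tunnel-Private-Group-ID is the standard RADIUS VLAN attribute; "dACL" is a placeholder
# name for whatever vendor attribute the real server would use to push an access list.
MAB_DATABASE = {
    "001122aabbcc": {"Tunnel-Private-Group-ID": "PRINTERS", "dACL": "PERMIT_PRINT_ONLY"},
    "0a1b2c3d4e5f": {"Tunnel-Private-Group-ID": "CAMERAS", "dACL": "PERMIT_NVR_ONLY"},
}


def seconds_until_mab_fallback(tx_period=EAPOL_TX_PERIOD, max_timeouts=EAPOL_MAX_TIMEOUTS):
    """How long a supplicant-less endpoint waits before MAB starts (90 s with the defaults)."""
    return tx_period * max_timeouts


def normalize_mac(mac):
    """Canonical 12-hex-digit lowercase form, the identity MAB presents to RADIUS."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def build_access_request(first_frame_src_mac, switch_port):
    """Craft the Access-Request the authenticator sends after learning the MAC.

    Assumed request shape: the MAC is both User-Name and User-Password and the
    Service-Type is Call-Check, so the server can tell this is a MAB request
    rather than a user login.
    """
    identity = normalize_mac(first_frame_src_mac)
    return {
        "User-Name": identity,
        "User-Password": identity,
        "Service-Type": "Call-Check",
        "Calling-Station-Id": first_frame_src_mac.upper(),
        "NAS-Port-Id": switch_port,
    }


def radius_mac_authentication(request, database=MAB_DATABASE):
    """Server side: look the identity up and answer Accept (with restrictions) or Reject."""
    policy = database.get(request["User-Name"])
    if policy is None:
        return {"Code": "Access-Reject"}
    return {"Code": "Access-Accept", **policy}


@dataclass
class Switch:
    """Minimal authenticator state: which MAB identity is authorized on which port."""
    sessions: dict = field(default_factory=dict)   # MAC identity -> port

    def mac_move_suspected(self, identity, port):
        """True when this identity already holds a session on another port."""
        current = self.sessions.get(identity)
        return current is not None and current != port


def mab_port_authorization(switch, port, first_frame_src_mac, database=MAB_DATABASE):
    """Run the article's sequence for one endpoint that never answers EAPoL.

    1. EAPoL identity requests time out three times (30 s each).
    2. One frame is accepted, its source MAC learned, the frame discarded.
    3. An Access-Request carrying the MAC as identity goes to RADIUS.
    4. The answer is applied: Accept installs the restricted session, Reject installs nothing.
    """
    waited = seconds_until_mab_fallback()
    request = build_access_request(first_frame_src_mac, port)   # frame itself is not forwarded
    identity = request["User-Name"]
    moved = switch.mac_move_suspected(identity, port)            # checked before the new session
    response = radius_mac_authentication(request, database)
    if response["Code"] == "Access-Accept":
        switch.sessions[identity] = port
    return {"waited_seconds": waited, "request": request,
            "response": response, "mac_move_suspected": moved}


if __name__ == "__main__":
    sw = Switch()
    # A printer with no supplicant on Gi1/0/5 (constructed scenario).
    print(mab_port_authorization(sw, "Gi1/0/5", "00:11:22:AA:BB:CC"))
    # The same MAC appearing on another port: RADIUS still accepts it, the switch can only flag the move.
    print(mab_port_authorization(sw, "Gi1/0/9", "00:11:22:AA:BB:CC"))
    # An unknown MAC is rejected.
    print(mab_port_authorization(sw, "Gi1/0/6", "de:ad:be:ef:00:01"))
```

The second scenario is the point of the article's caveat: the RADIUS server sees an identical, valid-looking Access-Request from the reused MAC and has no way to tell the two endpoints apart, so the only protection is that the policy it returns (here the VLAN and dACL) grants nothing beyond what the printer itself needs.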
