MAC Authentication Bypass (MAB)

Securing switch ports is an important part of network security. There are various port security mechanisms, and one of them is 802.1X authentication. But sometimes we cannot use this method, because the connected device does not support 802.1X (printers, IP cameras and badge readers, for example, often have no 802.1X supplicant). In that case we can use an alternative authentication method, MAC Authentication Bypass (MAB). In this lesson we will focus on MAB: what it is and how it is used.



What is MAC Authentication Bypass (MAB)?

MAC Authentication Bypass (MAB) is an authentication method used for switch port security. In other words, MAB secures your switch ports, and it does so with a basic MAC address check. The switch learns the source MAC address of the first frame received on the port and sends it to the authentication server (a RADIUS server). If this MAC address is in the server's allow list, the switch opens the port and accepts the rest of the traffic from that device.


As we have said above, MAC Authentication Bypass (MAB) can be used as an alternative to 802.1X port-based authentication. But MAB is not a strong authentication mechanism on its own, because it checks only the MAC address, and a MAC address can easily be changed or spoofed by a malicious device that has observed or guessed an allowed one. MAB therefore identifies a device rather than proving who it is. Even so, MAB is widely used as a fallback to 802.1X for endpoints that have no supplicant, and in practice it is combined with an authorization result from the server (for example a VLAN or an access list) that limits what such a device can reach.


Now, let's explain the MAB mechanism in detail.





How Does MAB Work?

We have learned what MAB, MAC Authentication Bypass, is. Now let's look at how it works.


When a device is connected to a port on which MAB is enabled, the first frame is accepted. From this frame the switch learns the device's source MAC address. No other traffic is accepted on the port for now.


Then the switch sends the MAC address to the configured authentication server. On this server, the MAC address is checked against the allowed list (or a restricted list).


If the MAC address is in the allowed list, the authentication server informs the switch, and the switch allows the traffic coming from this port. If it is not, the server rejects the request and the port stays blocked.



MAB Authentication Steps

MAB authentication has three steps. They are given below:

  • Initiation
  • MAC Authentication
  • Authorization


In the initiation step, the switch decides to use MAB. As we have said above, MAB is used as a fallback to 802.1X authentication, so in this step the switch first attempts 802.1X and waits for that attempt to time out.


Here, the switch sends an EAPoL Request-Identity frame to the endpoint every 30 seconds (the default tx-period). If the endpoint supports 802.1X authentication, it replies. If it does not support this method, there is no answer, and after three attempts (90 seconds, with the default of two retries) the 802.1X timeout occurs. The switch then falls back to the alternative authentication method, MAC Authentication Bypass (MAB).


After that, MAB moves to the second step, MAC Authentication. Here the switch accepts the first frame to learn the device's MAC address, and then sends a RADIUS Access-Request to the authentication server, carrying the MAC address as the username (and also as the password) of the request. On receiving this Access-Request, the authentication server proceeds with the MAC authentication.


In the last step, Authorization, the authentication server decides whether to allow or block this device according to its allowed MAC address table. If the MAC address is allowed, it sends a RADIUS Access-Accept message to the switch (optionally carrying authorization attributes such as a VLAN or an access list), and the switch then permits the traffic coming from this port. If it is not allowed, the server sends an Access-Reject and the port stays blocked.
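The flow described under "How Does MAB Work?" and the three steps above, as an added configuration example that is not part of the original lesson: a Cisco IOS access port that tries 802.1X first and falls back to MAB after the 802.1X timeout. The interface name, VLAN number, RADIUS server address and shared secret are assumed values chosen for the example.

```cisco
! --- Global AAA and RADIUS (assumed server address and shared secret) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
radius server RADIUS-1
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key SharedSecret123
!
! 802.1X must be enabled globally; MAB on a port relies on it as well
dot1x system-auth-control
!
! --- Access port for an endpoint that has no 802.1X supplicant ---
interface GigabitEthernet1/0/10
 description Printer, no supplicant, authenticated by MAB
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 !
 ! Step 1, Initiation: try 802.1X first, then fall back to MAB
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 dot1x pae authenticator
 ! EAPoL Request-Identity every 30 s, two retries: 3 x 30 s = 90 s before MAB starts
 dot1x timeout tx-period 30
 dot1x max-reauth-req 2
 !
 ! Step 2, MAC Authentication: send the learned MAC address to RADIUS
 mab
!
! Step 3, Authorization: check the result the RADIUS server returned
! show authentication sessions interface GigabitEthernet1/0/10
! show mab interface GigabitEthernet1/0/10 detail
```

On the server side the endpoint's MAC address must be present in the allowed endpoint list, and the Access-Accept can return a VLAN or downloadable ACL so that a device authorized only by its MAC address gets no more access than it needs. Changing the order to `authentication order mab dot1x` avoids the 90 second wait for endpoints that never speak 802.1X, at the cost of a RADIUS request for every new MAC address seen on the port.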



MAC Authentication Bypass Modes

By default, only one device can be connected to a MAB-enabled port on a switch. This can be changed with extra configuration if more than one device has to share the same port.


There are four different MAB host modes that we can set. These are given below:

  • Single-host
  • Multi-domain authentication host
  • Multi-authentication host
  • Multi-host


Single-host mode is the default mode of MAB. In this mode only one device may be connected to the port. If a second MAC address is detected, a security violation occurs and the switch applies its configured violation action.


Multi-domain authentication host mode is used for an IP phone and a PC sharing one port: one device is allowed in the voice domain (voice VLAN) and one in the data domain, and each is authenticated separately. If any further device appears on the port, a security violation occurs.


Multi-authentication host mode is used when several devices sit behind one port, for example when another (unmanaged) switch or a hub is connected to it and multiple MAC addresses are seen. In this mode every MAC address is authenticated individually, so each device must pass MAB (or 802.1X) on its own.


Multi-host mode authenticates only the first MAC address. Once it is authorized, all other MAC addresses on the port are automatically permitted without any check, so a single authorized device opens the port for everything behind it.
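The four host modes, together with the violation action that decides what happens when an unexpected MAC address appears, as an added configuration example that is not part of the original lesson. The interface names and VLAN numbers are assumed; each interface shows one mode.

```cisco
! Single-host (default): exactly one MAC address; a second one is a violation.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication host-mode single-host
 ! Violation action: restrict (drop and log), protect (drop silently),
 ! shutdown (err-disable the port) or replace (replace the existing session)
 authentication violation restrict
 mab
!
! Multi-domain: one device in the voice VLAN (IP phone), one in the data VLAN (PC).
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 30
 authentication port-control auto
 authentication host-mode multi-domain
 authentication violation restrict
 mab
!
! Multi-auth: several devices behind the port (hub or unmanaged switch);
! every MAC address is authenticated on its own.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication host-mode multi-auth
 mab
!
! Multi-host: only the first MAC address is authenticated; once it is
! authorized, every other MAC address on the port is permitted unchecked.
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 20
 authentication port-control auto
 authentication host-mode multi-host
 mab
```

`show authentication sessions interface GigabitEthernet1/0/2` should list two sessions, one in the DATA domain and one in the VOICE domain, for the multi-domain port. From a security standpoint multi-host is the mode to avoid: because MAB trusts a spoofable MAC address, one allow-listed device that passes the check opens the port for any MAC address behind it, and multi-auth is the safer choice when several devices really have to share a port.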


Before MAB, a similar idea existed as VLAN Management Policy Server (VMPS), which also checked MAC addresses against a database, in that case to assign the port's VLAN.


