Users Guide

Authentication, Authorization, and Accounting
Retries – resends the EAP Request packet up to three times
Considers the client to be an 802.1X-unaware client (if it does not receive an EAP response packet from that client)
The NAS sends a request to the authentication server with the MAC address
of the client in a hexadecimal format as the username and the MD5 hash of
the MAC address as the password. The authentication server checks its
database for the authorized MAC addresses and returns an Access-Accept or
an Access-Reject response, depending on whether the MAC address is found
in the database. If an Access-Accept is received by the NAS, an internal ACL
is applied to the port using the MAC address of the authenticated device,
allowing it to access the network. Any other devices wishing to access the
network must authenticate individually. MAB also allows 802.1X-unaware
clients to be placed in a RADIUS-assigned VLAN or to apply a specific Filter
ID to the client traffic.
The following information is sent to the RADIUS authenticator for MAB
clients using EAP-MD5 authentication:
1 - User-Name: MAC address of MAB device (AA:BB:CC:DD:EE:FF)
    Attribute 2 is not sent if Auth type is EAP-MD5.
4 - NAS-IP-Address: IP address of the switch
5 - NAS-Port: switch internal port number (ifIndex)
6 - Service-Type: 10 (Call-Check)
12 - Framed-MTU: port/switch MTU - header length (e.g. 1500)
30 - Called-Station-ID: MAC address of device (xx:xx:xx:xx:xx:xx format)
31 - Calling-Station-ID: Switch MAC address
61 - NAS-Port-Type: Ethernet (15)
80 - Message-Authenticator
87 - NAS-Port-Id: such as Gigabitethernet 1/0/15
79 - EAP-Message
The format of the Calling-Station-ID for MAB clients may be altered using
the attribute 31 command. The format of the User-Name attribute for MAB
clients may be altered using the attribute 1 command.
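
The check an authentication server might apply to a MAB request carrying the attributes listed above, as an added example (not code from this guide or from any RADIUS product): it parses the attribute section, normalizes the User-Name MAC so that a format changed with the attribute 1 command still matches, and accepts only known MACs. Requiring Service-Type 10 and NAS-Port-Type 15 before honouring a MAC credential is an assumed server policy, the function names and allowlist are hypothetical, and EAP-MD5 and Message-Authenticator verification are outside its scope.

```python
import re
import struct

# RADIUS attribute type numbers and values from the list above.
USER_NAME, SERVICE_TYPE, NAS_PORT_TYPE = 1, 6, 61
CALL_CHECK, ETHERNET = 10, 15
# Constructed allowlist; a real server would query its device database.
AUTHORIZED_MACS = {"aabbccddeeff"}


def parse_attributes(data: bytes) -> dict:
    """Split the attribute section of a RADIUS packet into {type: value}."""
    attrs, pos = {}, 0
    while pos < len(data):
        # Each attribute is type, length, value; length includes the 2 header bytes.
        a_len = data[pos + 1] if pos + 1 < len(data) else 0
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("malformed attribute")
        attrs.setdefault(data[pos], data[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def normalize_mac(name: str):
    """Reduce any separator style to 12 lowercase hex digits, else None."""
    digits = re.sub(r"[:.\-]", "", name).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def mab_decision(data: bytes) -> str:
    """Return Access-Accept only for a well-formed MAB request from a known MAC."""
    try:
        attrs = parse_attributes(data)
        service = struct.unpack("!I", attrs[SERVICE_TYPE])[0]
        port_type = struct.unpack("!I", attrs[NAS_PORT_TYPE])[0]
        mac = normalize_mac(attrs[USER_NAME].decode("ascii"))
    except (KeyError, ValueError, struct.error):
        return "Access-Reject"
    if service != CALL_CHECK or port_type != ETHERNET:
        return "Access-Reject"  # MAC credentials are honoured for MAB requests only
    return "Access-Accept" if mac in AUTHORIZED_MACS else "Access-Reject"


def attr(a_type: int, value: bytes) -> bytes:
    """Encode one attribute (used to build the constructed sample below)."""
    return bytes([a_type, len(value) + 2]) + value

# Constructed sample: attribute section of a MAB request for AA:BB:CC:DD:EE:FF.
SAMPLE = (attr(1, b"AA:BB:CC:DD:EE:FF") + attr(6, struct.pack("!I", 10))
          + attr(61, struct.pack("!I", 15)))
```

A request that presents a MAC as User-Name with any other Service-Type is rejected, which keeps MAC-derived accounts from being accepted on non-MAB login paths.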