Port based authentication

Question,

In the certification guide, it states that for port based authentication to work, both switch and Clients PC must support 802.1x. if only the switch is configured to use it then the port will remain in the un-authorised state and not forward traffic.

is this not incorrect as a port set up with 802.1x can still authentic a device that does not support 802.1x by its mac address using the mac address bypass feature? Or at least if not correct it is misleading.

It says you have to set up 802.1x on the client PC and the switch.

My question is, when you set up mac-address bypass, is this still considered to be 802.1x?

I thought there are 3 parts to 802.1x

the authentication server, (Radius server/local data base)
the suthenticator (switch)
the supplicant (PC)

in mac address bypass, the switch port is just taking over the role of supplicant, by in effect proxying the mac-address.

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

singh8281

In my understanding when you configure a port for 802.1x, you are telling the port to basically allow only EAPOL frames to pass through untill authenticated. so in order for client to talk to the switch the client must support 802.1x so that it can encapsulate the MAC addresss or authenticattion information in EAPOL frames.

CiskHo

Just curious where you came across the MAC address bypass info. I haven't seen anything about it in the new SWITCH book.

I would think that if the switch "bypassed" based on the host's MAC addy then it would no longer be using 802.1x. It would be more like "switchport port-security mac-address xxxxxxxx"

DevilWAH

CiskHo wrote: »

Just curious where you came across the MAC address bypass info. I haven't seen anything about it in the new SWITCH book.

Exactly its not in there. But I have set up a bit of 802.1x, in fact I am currently in the process of rolling it out across my network. The SWITCH book only tells a bit of the story.

when configuting port based security on a port you can set up a thing called mac-addess bypass. it a device connects to a port the port first waits for a EAPOL frame. if this dosent arive within a set time out. you can then tell the switch to forward the mac-address of the connecting deive to the authenting server, as username and password.

This is usefull for things like Printers and other non 802.1x devices. you just have to set up a list of the allowed mac address on you authenting server and you can then use this as a method of authentication. It is of course much less secure than a full EAPOL exhange. But you can also use portbased authentication to assign VLAN's and ACL's to a port, so mac address authentican can be usefull for seperating up non EAPOL devices and controling there security.