mab

What is MAC Authentication Bypass

MAC Authentication Bypass (MAB), also known as static MAC authentication, uses the MAC address for both the username and password.

MAB is the most basic form of authentication in deployments because many devices either do not, or cannot, support 802.1X.

MAB uses PAP/ASCII or optionally EAP-MD5 to hash the password field. However, the RADIUS packet is clear text and the username is the MAC address.

This limitation makes MAC-based authentication weaker compared to other methods, but it is a good first step in device identification.
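As an added illustration (not part of the original notes), the Python below builds a constructed MAB Access-Request in RFC 2865 format and parses it without the shared secret: User-Name is readable as-is, and the hidden PAP password is only the same MAC again. It assumes the Cisco convention that MAB requests carry Service-Type = Call-Check (10) and the MAC in Calling-Station-Id; the secret, MAC address and function names are made up for the example.

```python
import hashlib, re, struct

USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31  # RFC 2865
CALL_CHECK = 10  # assumption: Service-Type value Cisco switches send for MAB
MAC_RE = re.compile(r"(?:[0-9a-f]{2}[-:.]?){5}[0-9a-f]{2}")

def pap_hide(password, secret, authenticator):
    """RFC 2865 User-Password hiding (passwords up to 16 bytes); XOR, so self-inverse."""
    pad = hashlib.md5(secret + authenticator).digest()
    return bytes(a ^ b for a, b in zip(password.ljust(16, b"\x00"), pad))

def build_request(attrs, authenticator, ident=1):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_request(packet):
    """Parse an Access-Request's attributes; no shared secret is needed."""
    length = len(packet)
    if length < 20 or packet[0] != 1 or struct.unpack("!H", packet[2:4])[0] != length:
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def normalize_mac(value):
    text = value.decode("ascii", "replace").lower()
    return re.sub(r"[-:.]", "", text) if MAC_RE.fullmatch(text) else ""

def is_consistent_mab(attrs):
    """True when the request is MAB-shaped and User-Name matches Calling-Station-Id."""
    user = normalize_mac(attrs.get(USER_NAME, b""))
    station = normalize_mac(attrs.get(CALLING_STATION_ID, b""))
    call_check = attrs.get(SERVICE_TYPE) == struct.pack("!I", CALL_CHECK)
    return call_check and user != "" and user == station

# Constructed sample values (not taken from the page)
SECRET, AUTH, MAC = b"lab-secret", bytes(range(16)), b"0050569a1b2c"
SAMPLE = build_request([
    (USER_NAME, MAC),
    (USER_PASSWORD, pap_hide(MAC, SECRET, AUTH)),
    (SERVICE_TYPE, struct.pack("!I", CALL_CHECK)),
    (CALLING_STATION_ID, b"00-50-56-9A-1B-2C"),
], AUTH)
```

A RADIUS server or log pipeline can use a check like `is_consistent_mab` to flag MAB-shaped requests whose User-Name and Calling-Station-Id disagree.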

Upon receiving an authentication request, the outer part of the authentication policy is used to select the set of protocols that is allowed to be used when processing the request.

Then, the inner part of the authentication policy is used to select the identity source that is used to authenticate the request.

Benefits and limitations of MAB

benefits

device visibility

identity-based services

access control at the edge

fallback or standalone authentication

device authentication

limitations

requires a MAC database

delay

no user authentication

strength of authentication

MAB operation

Prior to MAB, the identity of the endpoint is unknown and all traffic is blocked.

The switch examines a single packet to learn and authenticate the source MAC address.

After MAB succeeds, the identity of the endpoint is known and all traffic from that endpoint is allowed or filtered by the interface ACL or dACL.

Overview of the MAB authentication process

802.1x---mab---guest access

3750x-sw1:

show authentication sessions int g1/0/1

Create an authorization policy for MAB

Testing

int g1/0/1

sh

no sh

show authentication sessions int g1/0/1

show ip access-lists int g1/0/1

show ip device tracking all

iser1:

ping 202.100.1.241

telnet 202.100.2.254