Using MAC Authentication Bypass

Document Number

ENG-010469

Introduction

The SR29 release introduced the MAC Authentication Bypass (MAB) feature.  This document describes what MAB is, when to use it, and how to configure it.

Applies To

This application note applies to all 1134, 1150, and 1131 OLTs and ONTs.

MAC Authentication Bypass Described

Many enterprise and other secure installations use 802.1X port-based authentication to control access to the Ethernet ports within a facility.  802.1X requires the attached device (the supplicant) to authenticate with its credentials before the port passes any traffic.  The credentials are checked against a backend AAA server, typically RADIUS.

For devices that have an 802.1X supplicant this works well: the port is usable only by authorized parties.  The problem is that simple devices such as printers and cameras often have no 802.1X supplicant and cannot take part in backend authorization.  MAC Authentication Bypass (MAB) handles these cases by using the MAC address of the attached device as its credential to the backend AAA server, typically RADIUS.

Because a MAC address is trivially spoofed from most PCs and many other devices, MAB is a weak form of authentication: it proves only that something claiming a known MAC is attached to the port, not which device that is.  MAB should therefore be paired with ACLs, firewall rules, and other mechanisms so that a spoofed MAC gains no more than the limited service intended for that class of device.

The SR29 release adds MAB to the system.  The following sections describe how to configure it.

Configuring MAB

Configuring MAB is very similar to configuring 802.1X PAE.  Consult ENG-010428, Configuring Policy via RADIUS Authentication, as it covers many subjects that also apply to MAB authentication.

The high-level steps to enable MAB are as follows:

  • Set up the VLANs as Default Deny VLANs - This ensures that all traffic is dropped unless MAB authentication explicitly permits traffic from that MAC.
  • Set the VLANs to be Dynamic - Required for the use of NAC profiles.
  • Create a NAC Profile - Create a NAC profile and add Service Profiles for every type of device that may appear on that port.  A Filter-ID returned by RADIUS must refer to a Service Profile already associated with the port via the NAC profile.
  • Create Service Profiles - A Service Profile defines the service configured on the port when its name is returned in the Filter-ID attribute of the RADIUS Access-Accept for a MAB authentication.

First, the VLAN using MAB is typically set up as a Default Deny VLAN.  Either Extended Default Deny or Basic Default Deny can be used; Extended allows more complex filters.  This prevents unauthenticated MAB clients from reaching the VLAN before they authenticate.  The VLAN must also be set to Dynamic to allow the use of NAC profiles.

A NAC profile defines the list of Service Profiles allowed on the port.  RADIUS must return the name of the selected profile, or a matching prefix of it, in the Filter-ID attribute.  More details on this interface are in ENG-010428, Configuring Policy via RADIUS Authentication.

To enable MAB, change the following settings in the NAC profile:

  • MAC-BYPASS - Set to enabled to turn on MAC Bypass.
  • Startup Delay - Defaults to 30 seconds, giving standard 802.1X time to complete before MAB is attempted.  It is best to let 802.1X be tried first, but some devices may need a shorter timer to speed up their access to the network.
  • Authentication Method - Set to PAP if your RADIUS server accepts PAP.  A MAB client has no supplicant to supply a password, so the OLT authenticates with the MAC address itself; the RADIUS server must accept PAP for those MAC entries.
  • PAE-AUTH - Must be enabled to trigger the authorization request to RADIUS.
  • Filter ID - Enabling this means the Service Profile is taken from the Filter-ID attribute that RADIUS returns to the OLT.  This allows the Service Profile to be assigned dynamically based on the RADIUS group or user entry.  The Service Profile MUST include an ACL profile with Authorized MACs so that the MAB client is permitted onto the VLAN once it is authorized.
  • Maximum Managed MACs - The maximum number of authorized clients per port.  The same value must be used in all three places it appears: the NAC profile's Maximum Managed MACs, the PAE profile's Maximum Authorized Supplicants, and the Max MAC(s) of the ACL profile in the Service Profile named by the PAE-AUTH Filter ID.
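The RADIUS exchange behind the Authentication Method, PAE-AUTH and Filter ID settings above, as an added worked example that is not part of this application note or of the OLT software: the OLT side builds a MAB Access-Request with the client MAC as the PAP credential, a toy RADIUS server answers with Filter-ID, and the OLT side applies the NAC-profile rule that the returned Filter-ID must name (or prefix-match) a Service Profile already attached to the port.  The packet framing and PAP password hiding follow RFC 2865.  Assumptions labelled in the code: the MAC is sent lowercase and colon-separated as both User-Name and password (the note does not state the exact format), "matching prefix" is read as the Filter-ID value being a leading substring of a configured profile name, and the shared secret, MAC database and profile names are constructed for the example.

```python
"""MAB on the wire: OLT builds a RADIUS Access-Request from the client MAC, the server
answers with Filter-Id, and the OLT honours it only if the NAC profile lists that profile."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_FILTER_ID = 1, 2, 11  # RFC 2865 attribute types

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_unhide(hidden, secret, authenticator):
    """Inverse of pap_hide (server side); strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")

def encode_avp(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_packet(code, ident, authenticator, avps):
    body = b"".join(avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode_packet(data):
    """Return (code, id, authenticator, [(type, value), ...]); rejects inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    avps, pos = [], 20
    while pos < length:
        t, l = struct.unpack("!BB", data[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad AVP length")
        avps.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], avps

def response_authenticator(code, ident, req_auth, avps, secret):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = b"".join(avps)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def mab_access_request(mac, secret, ident=1, authenticator=None):
    """OLT side.  Assumption: the MAC is sent lowercase, colon-separated, as User-Name and
    as the PAP password; the application note does not state the exact format."""
    authenticator = authenticator or os.urandom(16)
    user = mac.lower().encode()
    avps = [encode_avp(ATTR_USER_NAME, user),
            encode_avp(ATTR_USER_PASSWORD, pap_hide(user, secret, authenticator))]
    return encode_packet(ACCESS_REQUEST, ident, authenticator, avps)

def radius_server(request, secret, mac_db):
    """Toy server: mac_db (constructed) maps permitted MAC -> Service Profile name for Filter-Id."""
    code, ident, req_auth, avps = decode_packet(request)
    attrs = dict(avps)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = pap_unhide(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    if code != ACCESS_REQUEST or pw != user or user not in mac_db:
        reply, rcode = [], ACCESS_REJECT
    else:
        reply, rcode = [encode_avp(ATTR_FILTER_ID, mac_db[user].encode())], ACCESS_ACCEPT
    return encode_packet(rcode, ident, response_authenticator(rcode, ident, req_auth, reply, secret), reply)

def select_service_profile(response, req_auth, secret, nac_services):
    """OLT side: honour Filter-Id only from an authentic Access-Accept and only if it names a
    Service Profile in the NAC profile.  Assumption: 'matching prefix' means the Filter-Id
    value is a leading substring of a configured profile name."""
    code, ident, resp_auth, avps = decode_packet(response)
    expected = response_authenticator(code, ident, req_auth, [encode_avp(t, v) for t, v in avps], secret)
    if not hmac.compare_digest(expected, resp_auth) or code != ACCESS_ACCEPT:
        return None
    filter_id = dict(avps).get(ATTR_FILTER_ID)
    if filter_id is None:
        return None  # Accept without Filter-Id: nothing to apply, port stays in default deny
    wanted = filter_id.decode(errors="replace")
    if wanted in nac_services:
        return wanted
    return next((svc for svc in nac_services if svc.startswith(wanted)), None)

if __name__ == "__main__":
    SECRET, NAC = b"shared-secret", ["PRINTER-SVC", "CAMERA-SVC-HD"]  # constructed values
    MAC_DB = {"00:11:22:33:44:55": "PRINTER-SVC", "aa:bb:cc:dd:ee:ff": "CAMERA-SVC"}
    for mac in ("00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF", "de:ad:be:ef:00:01"):
        req = mab_access_request(mac, SECRET)
        resp = radius_server(req, SECRET, MAC_DB)
        print(mac, "->", select_service_profile(resp, decode_packet(req)[2], SECRET, NAC))
```

Two checks in `select_service_profile` are the ones a practitioner should confirm the OLT performs: the Response Authenticator is verified before Filter-ID is trusted (a spoofed Access-Accept from an on-path attacker is otherwise as good as a real one), and a Filter-ID that names a Service Profile not attached through the NAC profile yields no service, so the port stays in the Default Deny state described above.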

The PAE profile can use the default settings with the exception of enabling the AdminState, as shown below.

The user should create an Authorized MACs Permit filter so that a MAC, once authorized, is allowed onto the network.


Mixing of 802.1X and MAB

MAB and 802.1X can both be configured on the same port.  With the default settings, 802.1X is tried first, followed by a MAB attempt using the device's MAC address.  An entire site can be configured this way so that either 802.1X or MAB devices can be plugged into any port on the OLT.  It can also be used, for example, to authenticate phones that do not support 802.1X while still forcing PCs to authenticate with 802.1X.

Note that if multiple devices attempt to access the same port, 802.1X supplicants are always given preference over MAB clients.

Given the ease of MAC spoofing, enable MAB only on the ports that require it.
