41-3
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 41 Configuring MAC Authentication Bypass
Understanding How MAC Authentication Bypass Works
The RADIUS server-specified timers can also trigger reauthentication. RADIUS server attributes 27 and
29 control the reauthentication behavior. Attribute 27 (session timeout) specifies the time after which
authentication should be tried again, and attribute 29 (termination action) specifies whether the behavior
should be one of the following:
• Initialize—The existing session is disrupted until the reauthentication results are available.
• Reauthenticate—The existing session is not disrupted while reauthentication is attempted.
Understanding MAC Authentication Bypass States
This section describes the following MAC authentication bypass states:
• Waiting—In the waiting state, the switch waits to receive the MAC address that needs to be authenticated, learning is disabled, and the idle timer starts. The port is in the forwarding state to receive unicast traffic, and all Layer 2 entries on the port are cleared. The port transitions to the other state if there are other features configured but only after receiving an authentication result (the result could be success or failure). If traffic is not seen, the port remains in the waiting state.
• Authenticating—When the switch learns the port’s MAC address from a redirected packet, the MAC authentication bypass state machine transitions to authenticating. In this state, the RADIUS request is built and sent to the RADIUS server and the switch waits for the RADIUS server response. If there is a successful authentication, the port moves to the authenticated state where the RADIUS server-specified VLAN is configured on the port, a static CAM entry is installed on the RADIUS server-specified VLAN, and the trap entries on the old VLAN are removed. If authentication fails, the port moves to the AuthFail state. If there is a RADIUS timeout or initialization, the port moves to the waiting state again.
• Authenticated—In the authenticated state, the RADIUS-received policy (VLAN) is configured on the port. The port then transitions to the waiting state in case there is an initialization and moves to the authenticating state if it receives a reauthenticate event. In the authenticated state, the trap entry on the port is removed from the old VLAN and the static CAM entry is installed on the new VLAN.
• AuthFail—In the AuthFail state, the port waits for “auth-fail-timeout” seconds before moving to the waiting state if no other features are configured. If fallback features are configured (such as web-based proxy authentication, 802.1X, or the authentication failure VLAN), the port moves to those states. A trap still exists in the AuthFail state, so a MAC address cannot authenticate itself again for auth-fail-timeout seconds. When a port moves to the waiting state from the AuthFail state, the trap entries are cleared and the port starts the authentication process again.
• Finished—The finished state is entered after MAC authentication bypass fails to authenticate a host and if there are other features configured on the port that can potentially grant access (such as web-based proxy authentication, 802.1X, or the authentication failure VLAN). The finished state involves authorizing/bringing up the port and installing any policy required by the other features. For example, if the guest VLAN is configured, the port might be added to the guest VLAN. If web-based proxy authentication is configured, policies might be installed to allow Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and access control entries (ACEs) for HTTP redirection and so on. If other features are not configured, the port cycles through the waiting, authenticating, and AuthFail states (returning to waiting) on each authentication failure, or it stays in the waiting state until it sees traffic.
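The state machine described in this section, as an added Python model for reference (not Cisco software and not code from this guide). Event names such as mac_learned, radius_timeout, reauth and authfail_timeout are hypothetical labels for the triggers the text describes; the model tracks the trap entry and the RADIUS-assigned VLAN so that the AuthFail behaviour (a trapped MAC cannot retry until the timeout expires) is visible, and it leaves the finished state absorbing because the guide does not describe transitions out of it.

```python
from dataclasses import dataclass
from typing import Optional

WAITING, AUTHENTICATING, AUTHENTICATED, AUTHFAIL, FINISHED = (
    "waiting", "authenticating", "authenticated", "authfail", "finished")

# (state, event) -> next state; the AuthFail exit is handled in handle() below.
TRANSITIONS = {
    (WAITING, "mac_learned"): AUTHENTICATING,        # MAC seen on a redirected packet
    (AUTHENTICATING, "radius_success"): AUTHENTICATED,
    (AUTHENTICATING, "radius_fail"): AUTHFAIL,
    (AUTHENTICATING, "radius_timeout"): WAITING,
    (AUTHENTICATING, "init"): WAITING,
    (AUTHENTICATED, "init"): WAITING,                # attribute 29 = Initialize
    (AUTHENTICATED, "reauth"): AUTHENTICATING,       # attribute 29 = Reauthenticate
}

def session_timeout_event(termination_action: str) -> str:
    """Attribute 27 (session timeout) expired: attribute 29 decides the event."""
    return "init" if termination_action == "Initialize" else "reauth"

@dataclass
class MabPort:
    fallback_configured: bool = False   # 802.1X, web proxy auth or auth-fail VLAN present
    state: str = WAITING
    vlan: Optional[int] = None          # RADIUS-specified VLAN, set once authenticated
    trap: bool = False                  # trap entry holding the host's MAC address

    def handle(self, event: str, radius_vlan: Optional[int] = None) -> str:
        """Apply one event and return the resulting state."""
        if self.state == AUTHFAIL and event == "authfail_timeout":
            nxt = FINISHED if self.fallback_configured else WAITING
        else:
            # Events not in the table (e.g. traffic from a MAC trapped in
            # AuthFail, or anything in the finished state) change nothing.
            nxt = TRANSITIONS.get((self.state, event), self.state)
        if nxt == self.state:
            return nxt
        if nxt == WAITING:          # all L2 entries cleared, learning disabled
            self.vlan, self.trap = None, False
        elif nxt == AUTHENTICATED:  # trap removed, static CAM entry on RADIUS VLAN
            self.vlan, self.trap = radius_vlan, False
        elif nxt in (AUTHENTICATING, AUTHFAIL):  # MAC stays trapped pending/after verdict
            self.trap = True
        self.state = nxt
        return nxt
```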