# [Record] An observation on the implementation of IEEE 802.1X operating modes and MAB
###### tags: `IEEE 802.1X`, `MAC-based`, `Port-based`, `MAB`, `MAC Authentication Bypass`
[toc]
## Introduction
An IEEE 802.1X authenticator supports two operating modes, and the mode is configured per port:
> | Mode | Description |
> | -------- | -------- |
> | Single-host| only one supplicant can communicate through the port. Once authentication of the supplicant is accepted by the authentication server, the switch allows it access. If the supplicant logs off or the port state is changed, the port becomes unauthenticated. And if a different supplicant tries to access through this port, its bidirectional traffic is discarded (including authentication traffic). <br><br>※ An exception to this is multicast and broadcast traffic which do get transmitted over the interface once authenticated and are exposed to an unauthorized supplicant if it exists.|
> | Multi-host | allows connection of multiple hosts over a single port. Only the first supplicant is authenticated. Subsequent hosts have network access without the need to authenticate. |
:::info
**Single-host mode** is also called **MAC-based mode** because one authentication authorizes exactly one host (one MAC address).
**Multi-host mode** is also called **port-based mode** because one authentication authorizes the whole port, and therefore every host behind it.
:::
## MAC-based/Single-host mode and Multi Auth mode
In single-host mode only one supplicant can be authenticated and authorized on a port.
Multi-auth mode is a host mode defined by Cisco: every supplicant behind the port is authenticated and authorized separately, keyed by its own MAC address.
### Case 1
Two distinct supplicants, A and B, both have the IEEE 802.1X authentication feature enabled.
- In multi-auth mode each supplicant submits its own username and password and is authorized on its own.
- In single-host mode only one of the two can be authorized.

:::info
*If both supplicant A and B are authorized, the authenticator can ping both A and B.*
:::
### Case 2
Two supplicants, A and B, and one host, C. Host C has the IEEE 802.1X authentication feature disabled, so it can never be authorized.

:::info
*1. If both supplicant A and B are authorized, the authenticator can ping both A and B.
2. The authenticator can never ping host C, because C is unauthorized: in multi-auth mode every MAC address has to authenticate on its own.*
:::
## Port-based/Multi-host mode
### Case 1
One supplicant, A, and two hosts share the port. Once A is authorized, the other hosts get access through the port without authenticating at all. This is what makes port-based mode risky: any device that shares the port (for example behind a hub or an unmanaged switch) rides on A's authorization.

:::info
*1. If supplicant A is authorized, the authenticator can ping A and all the other hosts.*
:::
### Case 2
This case is implementation-dependent; what follows is the behaviour observed on the switch under test. There are two supplicants, A and B.

:::info
*1. If supplicant A is authorized first, the authenticator can ping A.
2. If supplicant B then tries to authenticate, A becomes unauthorized immediately and nobody on the port is authorized any more.*
:::
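The three behaviours above (single-host, multi-host and multi-auth, plus the broadcast/multicast exception from the table in the introduction) can be written down as one forwarding policy. The following is an added example and not code from this note or from any switch vendor: the rules encode the cases described above, the tear-down of a multi-host port when a second supplicant sends EAPOL is the behaviour observed in Case 2 rather than something the standard guarantees, and the MAC addresses are constructed values.

```python
"""Forwarding policy of an 802.1X-controlled port in single-host, multi-host
and multi-auth mode, modelled as a small state machine.

Added example, not code from the note or from any switch vendor. The rules
encode the cases described in the note; the tear-down of a multi-host port
when a second supplicant sends EAPOL is the behaviour observed there, not a
guarantee of the standard. MAC addresses in the demo are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Mode(Enum):
    SINGLE_HOST = "single-host"  # MAC-based: exactly one authenticated MAC
    MULTI_HOST = "multi-host"    # port-based: first success opens the port for all
    MULTI_AUTH = "multi-auth"    # Cisco host mode: every MAC authenticates itself


def is_group(mac: str) -> bool:
    """True for broadcast/multicast destinations (I/G bit of the first octet set)."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class Port:
    mode: Mode
    authorized: set = field(default_factory=set)  # MACs that passed authentication

    def authenticate(self, mac: str, accepted: bool) -> set:
        """Supplicant `mac` runs EAPOL; `accepted` is the RADIUS verdict.
        Returns the set of authorized MACs after the attempt."""
        if self.mode is Mode.SINGLE_HOST and self.authorized and mac not in self.authorized:
            return self.authorized  # EAPOL from a second MAC is simply discarded
        if self.mode is Mode.MULTI_HOST and self.authorized and mac not in self.authorized:
            self.authorized.clear()  # observed in Case 2: the port drops to unauthorized
            return self.authorized
        if accepted:
            self.authorized.add(mac)
        else:
            self.authorized.discard(mac)  # a failed (re)authentication removes it
        return self.authorized

    def logoff(self, mac: str) -> None:
        if self.mode is Mode.MULTI_AUTH:
            self.authorized.discard(mac)  # only that supplicant loses access
        elif mac in self.authorized:
            self.authorized.clear()  # the whole port becomes unauthenticated

    def admits(self, mac: str) -> bool:
        """Is unicast traffic from/to `mac` forwarded on this port?"""
        if self.mode is Mode.MULTI_HOST:
            return bool(self.authorized)  # anyone, once the first host is in
        return mac in self.authorized

    def delivers_from_network(self, dst: str) -> bool:
        """Frame arriving from the network side: group traffic is put on the
        wire for everyone once the port has any authorized host (the exception
        noted in the mode table); unicast follows the mode's rule."""
        if is_group(dst):
            return bool(self.authorized)
        return self.admits(dst)

    def can_ping(self, mac: str) -> bool:
        """The echo request must reach the host and the reply must be admitted."""
        return self.delivers_from_network(mac) and self.admits(mac)


if __name__ == "__main__":
    # Constructed MACs from the IANA documentation range.
    A, B, C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    for mode in Mode:
        port = Port(mode)
        port.authenticate(A, True)   # A authenticates first
        port.authenticate(B, True)   # B tries afterwards; C never runs 802.1X
        print(mode.value, {m: port.can_ping(m) for m in (A, B, C)},
              "broadcast:", port.delivers_from_network(BROADCAST))
```

Running the demo prints, per mode, which of A, B and C the authenticator could ping: multi-auth admits A and B but not C, single-host admits only A (and still leaks broadcast to the wire), and multi-host admits nobody after B's second EAPOL exchange tears the port down.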
## MAB
MAB stands for MAC Authentication Bypass.
In the scenario below the supplicants are not hosts but **peripheral devices** that cannot run an 802.1X supplicant: A is a **printer** and B is an **IP cam**.

To get gi 0/1 and gi 0/2 authorized, a username and password have to be registered for each device on the RADIUS server. With MAB both the username and the password are the device's own MAC address.
This is called data credential authentication: when the authenticator receives a data frame from a device that never answered EAPOL, it takes the source MAC address of that frame as the credential and sends a RADIUS Access-Request to the server. By default the MAC address is carried in the User-Name and User-Password attributes; some authenticators can instead wrap it in EAP-MD5 over RADIUS. Because a MAC address is trivially spoofable, a MAB success only shows that the device claims a registered MAC, so MAB ports should be restricted to what the printer or camera actually needs.
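The exchange described above, built from both sides, as an added example that is not part of the original note or of any vendor's implementation: the authenticator side assembles an RFC 2865 Access-Request whose User-Name and User-Password are the learned MAC address, and the server side decodes it and grants access only if the username and the password agree and match a registered MAC. The shared secret, MAC addresses, NAS port number and the attribute formatting (12 lowercase hex digits for the credential, dashed octets for Calling-Station-Id) are assumptions; real switches have vendor-specific options for the MAC format and may add further attributes such as Message-Authenticator.

```python
"""Build and validate a MAB-style RADIUS Access-Request (RFC 2865).

Added example, not code from the note. The authenticator learns the
supplicant's MAC from its first data frame and sends Access-Request with
User-Name and User-Password both set to that MAC; the server accepts it only
when both agree and the MAC is registered. The shared secret, MACs, NAS port
and attribute formatting below are constructed/assumed values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_PORT = 5
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_PORT_TYPE = 61
NAS_PORT_TYPE_ETHERNET = 15


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-..., or 0011.2233.4455; return 12 hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with MD5(secret + c_{i-1}),
    where c_0 is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        chunk = encoded[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(chunk, mask))
        prev = chunk
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One TLV: Type(1) Length(1, includes this header) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_mab_access_request(mac: str, nas_port: int, secret: bytes,
                             identifier: int, authenticator: bytes = None) -> bytes:
    """Authenticator side: credential == MAC learned from the first data frame."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator
    digits = normalize_mac(mac)
    dashed = "-".join(digits[i:i + 2] for i in range(0, 12, 2))  # assumed format
    attrs = (attr(ATTR_USER_NAME, digits.encode())
             + attr(ATTR_USER_PASSWORD, encode_user_password(digits.encode(), secret, authenticator))
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port))
             + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(ATTR_CALLING_STATION_ID, dashed.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, {type: value}) or raise on malformed input."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def mab_server_decision(packet: bytes, secret: bytes, registered_macs: set) -> bool:
    """Server side: Access-Accept iff User-Name == decoded User-Password == a registered MAC.
    This proves only that the sender claims a registered MAC; MACs are spoofable."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return False
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, authenticator)
    return username == password.decode(errors="replace") and username in registered_macs


if __name__ == "__main__":
    secret = b"testing123"  # constructed shared secret
    registered = {normalize_mac("00:11:22:33:44:55")}  # the printer on gi 0/1
    pkt = build_mab_access_request("0011.2233.4455", nas_port=1, secret=secret, identifier=7)
    print("printer:", mab_server_decision(pkt, secret, registered))
    rogue = build_mab_access_request("00:11:22:33:44:66", 1, secret, 8)
    print("unregistered MAC:", mab_server_decision(rogue, secret, registered))
```

The server-side check deliberately requires User-Name and the decrypted User-Password to be identical: a request that carries a registered username with some other password is not a MAB request and is rejected, and a request encrypted under the wrong shared secret decodes to garbage and fails the same comparison.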
## Reference
- https://docs.mellanox.com/display/ONYXv381208/802.1x+Protocol
- https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/identity-based-networking-services/config_guide_c17-663759.html