You have issued the following commands to modify the 802.1X configuration on a switch port:
switch(config-if)#authentication order mab dot1x
switch(config-if)#authentication priority dot1x mab
switch(config-if)#authentication event fail action next-method
switch(config-if)#authentication event no-response action authorize vlan 1313
A new host is attached to the switch port. The host's MAC address is in the authentication database, but the host's certificate for 802.1X authentication is expired. Which of the following statements is true regarding the host in this scenario? (Select the best answer.)
A. MAB will authorize the host for network access, and the switch port will ignore the host's 802.1X authentication attempts.
B. MAB will authorize the host for network access; however, the host will lose network access when it attempts to authenticate with 802.1X.
C. The host will fail 802.1X authentication and will be assigned to VLAN 1313.
D. The host will fail 802.1X authentication, and the switch will place the port into an unauthorized state.
Explanation:
In this scenario, Media Access Control (MAC) Authentication Bypass (MAB) will authorize the host for network access; however, the host will lose network access when it attempts to authenticate with 802.1X. A switch port can be configured to use 802.1X, MAB, or Web Authentication (WebAuth) to authenticate clients. The authentication order command specifies the order in which the switch attempts the configured authentication methods. By default, a switch attempts 802.1X authentication before other authentication methods. The authentication order mab dot1x command configures the switch to first use MAB to authenticate a client based on its MAC address. If the client's MAC address is not in the authentication database, the switch then attempts to authenticate the client with 802.1X. In this scenario, the client's MAC address is in the authentication database, so MAB will authorize the client for network access.
Normally, the configured authentication order is mirrored by the priority of each authentication method; however, you can use the authentication priority command to change the priority. If the priority mirrored the authentication order in this scenario, the switch would ignore Extensible Authentication Protocol over LAN (EAPoL) messages after the client was authenticated by MAB, and the client would continue to have authorized network access. However, the authentication priority dot1x mab command changes the default priority behavior and assigns a higher priority to 802.1X authentication than to MAB. This enables a client to use 802.1X authentication even if it has already been authenticated successfully by MAB. Unfortunately, the client will lose network access when it attempts 802.1X authentication because its certificate is expired.
The authentication event fail action command specifies how the switch should react if an 802.1X client is detected and the client fails to authenticate. There are two configurable parameters: next-method and authorize vlan vlan-id. The authorize vlan vlan-id parameter assigns the port to a specific restricted virtual LAN (VLAN). The next-method parameter configures the switch to attempt authentication by using the next authentication method specified in the authentication order command. If the next-method parameter is configured, the switch will cycle through the authentication methods indefinitely unless WebAuth is configured. If WebAuth is configured, the authentication process will not loop back to the other authentication methods, and the switch will ignore EAPoL messages on the port.
The authentication event no-response action authorize vlan 1313 command specifies the VLAN into which the switch should place a port if it does not receive a response to the EAPoL messages it sends on that port. This enables devices that do not support 802.1X to be assigned to a guest VLAN. When a guest VLAN is configured, the switch grants non-802.1X-capable clients access to the guest VLAN; however, if an 802.1X-capable device is detected, the switch places the port into an unauthorized state and denies access to all devices on the port.
Cisco: Flexible Authentication Order, Priority, and Failed Authentication: Case 2: Order MAB Dot1x and Priority Dot1x MAB
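The following is an added illustration, not part of the original question or of Cisco's documentation: a simplified Python model of the FlexAuth decisions described in the explanation (method order, method priority, the fail action and the no-response guest VLAN). The function name, the host attributes and the returned state labels are assumptions made for this example, and the model covers only the behaviours the explanation above states.

```python
def flexauth_outcome(order, priority, fail_action, no_response_vlan,
                     mac_in_db, dot1x_capable, cert_valid):
    """Simplified model of FlexAuth order/priority handling (assumed names).

    order            -- methods tried in sequence, e.g. ("mab", "dot1x")
    priority         -- methods from highest to lowest, e.g. ("dot1x", "mab")
    fail_action      -- "next-method" or ("authorize", restricted_vlan)
    no_response_vlan -- guest VLAN from 'event no-response action authorize vlan'
    Returns (state, detail); the state strings are illustrative labels.
    """
    authorized_by = None
    dot1x_tried = False
    for method in order:
        if method == "mab" and mac_in_db:
            authorized_by = "mab"          # MAC found: MAB authorizes the host
            break
        if method == "dot1x":
            dot1x_tried = True
            if not dot1x_capable:
                # Host never answers EAPoL: guest VLAN per 'event no-response'
                return ("guest-vlan", no_response_vlan)
            if cert_valid:
                return ("authorized", "dot1x")
            if fail_action != "next-method":
                # 'event fail action authorize vlan': restricted VLAN
                return ("restricted-vlan", fail_action[1])
            # 'event fail action next-method': continue down 'order'
    if authorized_by is None:
        return ("unauthorized", "no configured method succeeded")

    # MAB authorized the host before 802.1X was attempted. If the host now
    # sends EAPoL, the switch honours it only when 802.1X outranks MAB in
    # 'priority'; otherwise the EAPoL frames are ignored and MAB stands.
    if (dot1x_capable and "dot1x" in order and not dot1x_tried
            and priority.index("dot1x") < priority.index("mab")):
        if cert_valid:
            return ("authorized", "dot1x")
        return ("unauthorized", "802.1X failed after MAB; access lost")
    return ("authorized", authorized_by)


# The question's scenario: order mab dot1x, priority dot1x mab, MAC in the
# database, expired certificate (values taken from the question text).
SCENARIO = dict(order=("mab", "dot1x"), priority=("dot1x", "mab"),
                fail_action="next-method", no_response_vlan=1313,
                mac_in_db=True, dot1x_capable=True, cert_valid=False)

if __name__ == "__main__":
    print(flexauth_outcome(**SCENARIO))                                   # answer B
    print(flexauth_outcome(**{**SCENARIO, "priority": ("mab", "dot1x")}))  # answer A case
```

Running it shows the difference the priority command makes: with the configured priority the host ends up unauthorized after its 802.1X attempt, whereas with a priority mirroring the order the MAB authorization stands and the EAPoL frames are ignored.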