You have issued the following commands to modify the 802.1X configuration on a switch port:
switch(config-if)#authentication event fail action next-method
switch(config-if)#authentication order mab dot1x
switch(config-if)#authentication priority dot1x mab
switch(config-if)#authentication event no-response action authorize vlan 1313
A new host is attached to the switch port. The host's MAC address is not in the authentication database. In addition, the host does not support 802.1X.
Which of the following statements is true regarding the host in this scenario? (Select the best answer.)
A. MAB will learn the new host's MAC address and authorize the host for network access, and the switch port will ignore the host's 802.1X authentication attempts.
B. MAB will authorize the host for network access; however, the host will lose network access when it attempts to authenticate with 802.1X.
C. The host will be assigned to VLAN 1313.
D. The host will fail MAB authentication, and the switch will place the port into an unauthorized state.
Explanation:
In this scenario, the host will be assigned to virtual LAN (VLAN) 1313 because the authentication event no-response action authorize vlan 1313 command has been issued and the host does not support 802.1X authentication. A switch port can be configured to use 802.1X, Media Access Control (MAC) Authentication Bypass (MAB), or Web Authentication (WebAuth) to authenticate clients. The authentication event no-response action authorize vlan 1313 command specifies the VLAN into which a switch should place a port if it does not receive a response to the Extensible Authentication Protocol over LAN (EAPoL) messages it sends on that port. This enables devices that do not support 802.1X to be assigned to a guest VLAN. When a guest VLAN is configured, the switch will grant non-802.1X-capable clients access to the guest VLAN; however, if an 802.1X-capable device is detected, the switch will place the port into an unauthorized state and will deny access to all devices on the port.
The authentication order command is used to specify the order in which the switch should attempt the configured authentication methods. By default, a switch will attempt 802.1X authentication before other authentication methods. The authentication order mab dot1x command configures the switch to first use MAB to authenticate a client based on its MAC address. If the client's MAC address is not in the authentication database, the switch will then attempt to authenticate the client with 802.1X. In this scenario, the client's MAC address is not in the authentication database; therefore, MAB will not authorize the client for network access.
Normally, the configured authentication order is mirrored by the priority of each authentication method; however, you can use the authentication priority command to change the priority. If the priority mirrored the authentication order in this scenario, the switch would ignore EAPoL messages once the client had been authenticated by MAB, and the client would continue to have authorized network access. However, the authentication priority dot1x mab command changes the default priority behavior and assigns a higher priority to 802.1X authentication than to MAB. This enables a client to use 802.1X authentication even if it has already been authenticated successfully by MAB. In this scenario, though, the client is not an 802.1X client.
The authentication event fail action command specifies how the switch should react if an 802.1X client is detected and the client fails to authenticate. There are two configurable parameters: next-method and authorize vlan vlan-id. The authorize vlan vlan-id parameter assigns the port to a specific restricted VLAN. The next-method parameter configures the switch to attempt authentication by using the next authentication method specified in the authentication order command. If the next-method parameter is configured, the switch will indefinitely cycle through the authentication methods unless WebAuth is configured. If WebAuth is configured, the authentication process will not loop back to the other authentication methods and the switch will ignore EAPoL messages on the port.
Reference: Cisco: Configuring IEEE 802.1x Port-Based Authentication: Configuring a Guest VLAN
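The explanation above walks through how authentication order, priority, the no-response action and the fail action combine to decide what happens to a host. The following Python model is an added example, not Cisco code and not from the question source: it encodes only the decision flow the explanation describes (MAB first, then 802.1X, guest VLAN on no EAPoL response, restricted VLAN or next-method on 802.1X failure, WebAuth ending the cycle, and priority deciding whether EAPoL is honoured after MAB). The MAB database, the MAC addresses and the access VLAN number are constructed; the class and function names are the example's own.

```python
"""Teaching model of the 802.1X / MAB method selection described in the explanation.

Added example: models the behaviour the text describes (authentication order,
priority, no-response and fail actions). It is not Cisco code and does not claim
to reproduce every detail of IOS. MAC addresses and VLAN 10 are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed MAB database: MAC addresses the AAA server would accept for MAB.
MAB_DATABASE = {"00:11:22:33:44:55"}


@dataclass
class PortConfig:
    order: list                      # authentication order <method> ...
    priority: list                   # authentication priority <method> ...
    fail_action: str                 # "next-method" or "authorize vlan <id>"
    no_response_vlan: Optional[int]  # authentication event no-response action authorize vlan <id>
    access_vlan: int = 10            # VLAN for a successfully authenticated host (constructed)


@dataclass
class Host:
    mac: str
    supports_dot1x: bool
    dot1x_credentials_valid: bool = False


def run_mab(host: Host) -> bool:
    """MAB succeeds only if the MAC address is in the authentication database."""
    return host.mac.lower() in MAB_DATABASE


def run_dot1x(host: Host) -> str:
    """Outcome of an 802.1X exchange: 'success', 'fail' or 'no-response'.

    A host without a supplicant never answers the switch's EAPoL frames,
    which is the 'no-response' event the explanation refers to.
    """
    if not host.supports_dot1x:
        return "no-response"
    return "success" if host.dot1x_credentials_valid else "fail"


def authenticate_port(host: Host, cfg: PortConfig, max_cycles: int = 3):
    """Walk the methods in the configured order; return (outcome, vlan, trace).

    outcome is 'authorized', 'guest-vlan', 'restricted-vlan',
    'webauth-pending' or 'unauthorized'.
    """
    trace = []
    for cycle in range(max_cycles):
        for method in cfg.order:
            if method == "mab":
                if run_mab(host):
                    trace.append("mab: MAC found, port authorized")
                    return "authorized", cfg.access_vlan, trace
                trace.append("mab: MAC not in database, trying next method")
            elif method == "dot1x":
                result = run_dot1x(host)
                trace.append(f"dot1x: {result}")
                if result == "success":
                    return "authorized", cfg.access_vlan, trace
                if result == "no-response":
                    # authentication event no-response action authorize vlan <id>
                    if cfg.no_response_vlan is not None:
                        return "guest-vlan", cfg.no_response_vlan, trace
                    return "unauthorized", None, trace
                # An 802.1X client was detected but rejected: apply the fail action.
                if cfg.fail_action.startswith("authorize vlan"):
                    return "restricted-vlan", int(cfg.fail_action.split()[-1]), trace
                # fail_action == "next-method": keep walking the order list.
            elif method == "webauth":
                # With WebAuth configured the process stops here rather than looping back.
                trace.append("webauth: awaiting browser login, EAPoL ignored")
                return "webauth-pending", None, trace
        trace.append(f"cycle {cycle + 1} exhausted, restarting from the first method")
    # next-method without WebAuth cycles indefinitely; the model stops after max_cycles.
    return "unauthorized", None, trace


def eapol_processed_after_mab(cfg: PortConfig) -> bool:
    """After MAB has authorized the port, is a later EAPoL frame acted on?

    Only when 802.1X has higher priority than MAB ('authentication priority
    dot1x mab'); if priority mirrors the order 'mab dot1x', EAPoL is ignored.
    """
    return cfg.priority.index("dot1x") < cfg.priority.index("mab")


# The question's configuration: order mab dot1x, priority dot1x mab,
# fail action next-method, no-response guest VLAN 1313.
QUESTION_CONFIG = PortConfig(order=["mab", "dot1x"], priority=["dot1x", "mab"],
                             fail_action="next-method", no_response_vlan=1313)

# The question's host: unknown MAC (constructed), no 802.1X supplicant.
NEW_HOST = Host(mac="de:ad:be:ef:00:01", supports_dot1x=False)

if __name__ == "__main__":
    outcome, vlan, trace = authenticate_port(NEW_HOST, QUESTION_CONFIG)
    print("\n".join(trace))
    print(f"outcome={outcome} vlan={vlan}")  # guest-vlan 1313, i.e. answer C
```

Running the model on the question's host yields the guest VLAN, which is answer C. Changing the host to an 802.1X client with bad credentials shows the next-method loop the explanation warns about, and adding webauth to the order shows where that loop stops.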