You have issued the following commands to modify the 802.1X configuration on a switch port:
switch(config-if)#authentication event fail action next-method
switch(config-if)#authentication order mab dot1x
switch(config-if)#authentication priority dot1x mab
switch(config-if)#authentication event no-response action authorize vlan 1313
A new host is attached to the switch port. The host’s MAC address is not in the authentication database. In addition, the host does not support 802.1X.
Which of the following statements is true regarding the host in this scenario? (Select the best answer.)
- MAB will learn the new host’s MAC address and authorize the host for network access, and the switch port will ignore the host’s 802.1X authentication attempts.
- MAB will authorize the host for network access; however, the host will lose network access when it attempts to authenticate with 802.1X.
- The host will be assigned to VLAN 1313.
- The host will fail MAB authentication, and the switch will place the port into an unauthorized state.
In this scenario, the host will be assigned to virtual LAN (VLAN) 1313 because the authentication event no-response action authorize vlan 1313 command has been issued and the host does not support 802.1X authentication. A switch port can be configured to use 802.1X, Media Access Control (MAC) Authentication Bypass (MAB), or Web Authentication (WebAuth) to authenticate clients. The authentication event no-response action authorize vlan 1313 command specifies the VLAN into which a switch should place a port if it does not receive a response to the Extensible Authentication Protocol over LAN (EAPoL) messages it sends on that port. This enables devices that do not support 802.1X to be assigned to a guest VLAN. When a guest VLAN is configured, the switch will grant non-802.1X-capable clients access to the guest VLAN; however, if an 802.1X-capable device is detected, the switch will place the port into an unauthorized state and will deny access to all devices on the port.
The authentication order command is used to specify the order in which the switch should attempt the configured authentication methods. By default, a switch will attempt 802.1X authentication before other authentication methods. The authentication order mab dot1x command configures the switch to first use MAB to authenticate a client based on its MAC address. If the client’s MAC address is not in the authentication database, the switch will then attempt to authenticate the client with 802.1X. In this scenario, the client’s MAC address is not in the authentication database; therefore, MAB will not authorize the client for network access. Normally, the configured authentication order is mirrored by the priority of each authentication method; however, you can use the authentication priority command to change the priority. If the priority mirrored the authentication order in this scenario, the switch would ignore EAPoL messages once the client was authenticated by MAB, and the client would continue to have authorized network access. However, the authentication priority dot1x mab command changes the default priority behavior and assigns a higher priority to 802.1X authentication than to MAB. This enables a client to use 802.1X authentication even if it has already been authenticated by MAB. In this scenario, though, the client is not an 802.1X client.
The authentication event fail action command specifies how the switch should react if an 802.1X client is detected and the client fails to authenticate. There are two configurable parameters: next-method and authorize vlan vlan-id. The authorize vlan vlan-id parameter assigns the port to a specific restricted VLAN. The next-method parameter configures the switch to attempt authentication by using the next authentication method specified in the authentication order command. If the next-method parameter is configured, the switch will cycle through the authentication methods indefinitely unless WebAuth is configured. If WebAuth is configured, the authentication process will not loop back to the other authentication methods, and the switch will ignore EAPoL messages on the port.
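As an added illustration (not part of the original question or its explanation), the following Python model traces how the four commands above interact for different kinds of hosts: MAB is tried first, a MAB miss falls through to 802.1X, an 802.1X failure cycles to the next method, and a host that never answers EAPoL lands in VLAN 1313. The Host class, port_outcome(), the sample MAC database and the MAX_PASSES cap are assumptions of this model, not IOS code.

```python
from dataclasses import dataclass

GUEST_VLAN = 1313               # authentication event no-response action authorize vlan 1313
ORDER = ["mab", "dot1x"]        # authentication order mab dot1x
PRIORITY = ["dot1x", "mab"]     # authentication priority dot1x mab
MAB_DB = {"00:11:22:33:44:55"}  # constructed sample MAC authentication database
MAX_PASSES = 3                  # assumed cap so next-method cycling ends in the model


@dataclass
class Host:
    mac: str
    supports_dot1x: bool        # does the host answer EAPoL at all?
    dot1x_valid: bool = False   # if it does, are its 802.1X credentials valid?


def port_outcome(host: Host, priority=PRIORITY) -> str:
    """Model the port result for one host: 'authorized-mab',
    'authorized-dot1x', 'guest-vlan-1313' or 'unauthorized'."""
    dot1x_outranks_mab = priority.index("dot1x") < priority.index("mab")
    for _ in range(MAX_PASSES):
        for method in ORDER:
            if method == "mab":
                if host.mac not in MAB_DB:
                    continue                  # MAB miss: move on to the next method
                if host.supports_dot1x and dot1x_outranks_mab:
                    # MAB succeeded, but dot1x has the higher priority, so a
                    # later EAPoL exchange is still honoured: fall to dot1x.
                    continue
                return "authorized-mab"       # EAPoL is ignored on this port
            if method == "dot1x":
                if not host.supports_dot1x:
                    # No EAPoL response: no-response action -> guest VLAN
                    return f"guest-vlan-{GUEST_VLAN}"
                if host.dot1x_valid:
                    return "authorized-dot1x"
                continue                      # 802.1X failure: fail action next-method
    return "unauthorized"                     # cap reached; real IOS keeps cycling
```

Passing priority=["mab", "dot1x"] reproduces the default case described above, where a MAB-authenticated host keeps its access and EAPoL is ignored.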