You have issued the following commands to modify the 802.1X configuration on a switch port:
switch(config-if)#authentication order mab dot1x
switch(config-if)#authentication priority dot1x mab
switch(config-if)#authentication event fail action next-method
switch(config-if)#authentication event no-response action authorize vlan 1313
A new host is attached to the switch port. The host’s MAC address is in the authentication database, but the host’s certificate for 802.1X authentication is expired.
Which of the following statements is true regarding the host in this scenario? (Select the best answer.)
- MAB will authorize the host for network access, and the switch port will ignore the host’s 802.1X authentication attempts.
- MAB will authorize the host for network access; however, the host will lose network access when it attempts to authenticate with 802.1X.
- The host will fail 802.1X authentication and will be assigned to VLAN 1313.
- The host will fail 802.1X authentication, and the switch will place the port into an unauthorized state.
In this scenario, Media Access Control (MAC) Authentication Bypass (MAB) will authorize the host for network access; however, the host will lose network access when it attempts to authenticate with 802.1X. A switch port can be configured to use 802.1X, MAB, or Web Authentication (WebAuth) to authenticate clients. The authentication order command specifies the order in which the switch attempts the configured authentication methods. By default, a switch attempts 802.1X authentication before the other methods. The authentication order mab dot1x command configures the switch to first use MAB to authenticate a client based on its MAC address. If the client's MAC address is not in the authentication database, the switch then attempts to authenticate the client with 802.1X. In this scenario, the client's MAC address is in the authentication database, so MAB will authorize the client for network access.
Normally, the configured authentication order is mirrored by the priority of each authentication method; however, you can use the authentication priority command to change the priority. If the priority mirrored the authentication order in this scenario, the switch would ignore Extensible Authentication Protocol over LAN (EAPoL) messages after the client was authenticated by MAB, and the client would continue to have authorized network access. However, the authentication priority dot1x mab command changes the default priority behavior and assigns a higher priority to 802.1X authentication than to MAB. This enables a client to use 802.1X authentication even if it has already been authenticated successfully by MAB. Unfortunately, the client will lose network access when it attempts 802.1X authentication because its certificate is expired.

The authentication event fail action command specifies how the switch should react if an 802.1X client is detected and the client fails to authenticate. There are two configurable parameters: next-method and authorize vlan vlan-id. The authorize vlan vlan-id parameter assigns the port to a specific restricted virtual LAN (VLAN). The next-method parameter configures the switch to attempt authentication by using the next authentication method specified in the authentication order command. If the next-method parameter is configured, the switch will cycle through the authentication methods indefinitely unless WebAuth is configured. If WebAuth is configured, the authentication process will not loop back to the other authentication methods, and the switch will ignore EAPoL messages on the port.
The authentication event no-response action authorize vlan 1313 command specifies the VLAN into which the switch should place a port if it receives no response to the EAPoL messages it sends on that port. This enables devices that do not support 802.1X to be assigned to a guest VLAN. When a guest VLAN is configured, the switch grants non-802.1X-capable clients access to the guest VLAN; however, if an 802.1X-capable device is detected, the switch places the port into an unauthorized state and denies access to all devices on the port.
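To make the interaction between order, priority and the event actions concrete, here is an added Python model that replays the scenario above and the variants the explanation mentions. It is not Cisco code and deliberately simplifies the switch's real state machine; PortConfig, Host and simulate are assumed names, and a "next-method" failure is reported as the port losing access rather than being cycled further.

```python
from dataclasses import dataclass

@dataclass
class PortConfig:
    order: list               # authentication order, e.g. ["mab", "dot1x"]
    priority: list            # authentication priority, highest first
    fail_action: str          # "next-method" or "authorize vlan <id>"
    noresponse_vlan: "int | None" = None  # event no-response action authorize vlan
@dataclass
class Host:
    mac_in_db: bool           # MAB database holds this MAC address
    dot1x_capable: bool       # host runs an 802.1X supplicant
    cert_valid: bool          # supplicant certificate is not expired

def try_method(method: str, host: Host) -> str:
    # Outcome of one method: "success", "fail" or "no-response" (assumed model)
    if method == "mab":
        return "success" if host.mac_in_db else "fail"
    if not host.dot1x_capable:            # dot1x: no supplicant answers EAPoL
        return "no-response"
    return "success" if host.cert_valid else "fail"

def apply_fail_action(cfg: PortConfig) -> dict:
    parts = cfg.fail_action.split()
    if parts[0] == "next-method":         # port loses access; methods cycle again
        return {"state": "unauthorized", "vlan": None, "by": "next-method"}
    return {"state": "authorized", "vlan": int(parts[2]), "by": "restricted-vlan"}

def simulate(cfg: PortConfig, host: Host) -> dict:
    # Walk the configured order, then replay a later EAPoL start from the host
    result = {"state": "unauthorized", "vlan": None, "by": None}
    for method in cfg.order:
        outcome = try_method(method, host)
        if outcome == "success":
            result = {"state": "authorized", "vlan": None, "by": method}
            break
        if method == "dot1x" and outcome == "fail":
            result = apply_fail_action(cfg)
            break
        # MAB miss or no EAPoL reply: fall through to the next configured method
    else:
        if cfg.noresponse_vlan is not None and not host.dot1x_capable:
            result = {"state": "authorized", "vlan": cfg.noresponse_vlan, "by": "guest-vlan"}
    # EAPoL after a MAB success is honoured only when dot1x outranks MAB in priority
    if result["by"] == "mab" and host.dot1x_capable:
        if cfg.priority.index("dot1x") < cfg.priority.index("mab"):
            if try_method("dot1x", host) == "success":
                result = {"state": "authorized", "vlan": None, "by": "dot1x"}
            else:
                result = apply_fail_action(cfg)
    return result
```

Running the question's configuration against a host whose MAC is known but whose certificate is expired yields an unauthorized port, while the same host keeps its MAB authorization as soon as the priority list mirrors the order.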