On routed interfaces, customers can check MAC addresses against a RADIUS server to bypass 802.1x for LAN devices that do not support 802.1x authentication. MAC Address Authentication Bypass (MAB) simplifies IT operations, saves time, and enhances scalability by no longer requiring customers to manually configure every MAC address that may need authentication.

Prerequisites

  • A RADIUS server must be configured and added to the Edge. See Configure Authentication Services.
  • The RADIUS server must have a list of MAC addresses to be bypassed to take advantage of the MAB feature.
  • RADIUS authentication must be configured on an Edge's routed interface or switched interface via a VLAN either at the Profile or Edge level.
Note: Beginning with Release 5.2.0, RADIUS-based MAB is also supported for VLANs for use on switched ports. The feature has the following limitations when used with a VLAN for a switched port:
  • L2 traffic will not trigger RADIUS MAB.
  • L2 traffic will not be forwarded on Linux-based switches until routed traffic is seen. Hardware switches already do not filter pure L2 traffic, and this limitation remains unchanged.
  • If no routed traffic is observed and RADIUS MAB times out (default is 30 minutes), L2 traffic will again be blocked.
  • Additional hooks to check 802.1x status for self-destined packets may cause performance degradation when 802.1x is enabled.
  • Traffic destined to self and managed entirely by Linux will no longer be filtered prior to 802.1x authentication (DHCP, DNS, ssh, and so forth).

Activating MAB for Routed Interface

  1. In the SD-WAN service of the Enterprise portal, click Configure > Edges.
  2. Click the link to an Edge or click the View link in the Device column of the Edge. The configuration options for the selected Edge are displayed in the Device tab.
  3. In the Connectivity category, click and expand Interfaces.
  4. The Interfaces section displays the different types of Interfaces available for the selected Edge.
  5. Click the Interface to edit the Routed interface that is configured for RADIUS authentication.
  6. On the Interfaces Edit screen, confirm that RADIUS Authentication is configured and then select the check box for Enable RADIUS based MAB (MAC Address Authentication Bypass).
  7. Click Save and return to the Device page.
  8. Click Save Changes in the bottom right corner to apply your configuration.

Activating MAB for Switched Port using a VLAN

  1. In the SD-WAN service of the Enterprise portal, click Configure > Edges.
  2. Click the link to an Edge or click the View link in the Device column of the Edge. The configuration options for the selected Edge are displayed in the Device tab.
  3. In the Connectivity category, click and expand VLAN.
  4. The VLAN section displays the VLANs configured for the selected Edge.
  5. Click the VLAN to edit the VLAN and configure it for RADIUS authentication.
  6. On the Interfaces Edit screen, confirm that RADIUS Authentication is configured and then select the check box for Enable RADIUS based MAB (MAC Address Authentication Bypass).
  7. Click DONE and return to the Device page.
  8. Back on the Connectivity category, click and expand Interfaces.
  9. The Interfaces section displays the different types of Interfaces available for the selected Edge.
  10. Click the Interface to edit the Switched interface so that you can assign the VLAN configured for RADIUS.
  11. Once you have added the VLAN, click SAVE and return to the Device page.
  12. Click Save Changes in the bottom right corner to apply your configuration.