350-401 · Question #1142
Which mechanism can be used to enforce network access authentication against an AAA server if the endpoint does not support the 802.1X supplicant functionality?
The correct answer is A. MAC Authentication Bypass. MAC Authentication Bypass (MAB) is a network access authentication mechanism used for endpoints that do not support 802.1X supplicant functionality, authenticating them against a AAA server using their MAC address.
Question
Options
- AMAC Authentication Bypass
- BMACsec
- Cprivate VLANs
- Dport security
How the community answered
(37 responses)- A92% (34)
- B3% (1)
- C5% (2)
Why each option
MAC Authentication Bypass (MAB) is a network access authentication mechanism used for endpoints that do not support 802.1X supplicant functionality, authenticating them against a AAA server using their MAC address.
MAC Authentication Bypass (MAB) is specifically designed for endpoints that lack 802.1X supplicant capabilities, such as IP phones, printers, or legacy devices. With MAB, the switch uses the endpoint's MAC address as the credential to authenticate against a RADIUS (AAA) server, granting network access upon successful verification.
MACsec (Media Access Control Security) provides Layer 2 encryption and data integrity, but it is not an authentication mechanism against a AAA server for devices that don't support 802.1X.
Private VLANs (PVLANs) segment a broadcast domain into smaller, isolated subdomains at Layer 2 for security and traffic control, but they are not an authentication mechanism for endpoints.
Port security prevents MAC address spoofing and limits the number of MAC addresses on a port, but it is a security feature to control access after authentication or for basic access control, not a method to authenticate non-802.1X devices against a AAA server.
Concept tested: MAC Authentication Bypass (MAB)
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_h_client_authen/configuration/xe-16/sec-h-client-authen-xe-16-book/sec-h-client-authen-mac.html
Topics
Community Discussion
No community discussion yet for this question.