350-401 · Question #607
Which two statements about MAC Authentication Bypass are true? (Choose two.)
The correct answer is A. Traffic from an endpoint is authorized to pass after MAB authenticates the MAC address of the E. The MAC address of a device serves as its user name and password to authenticate with a. MAC Authentication Bypass (MAB) authenticates devices using their MAC address, allowing their traffic to pass, where the MAC address itself serves as both the username and password.
Question
Options
- ATraffic from an endpoint is authorized to pass after MAB authenticates the MAC address of the
- BDuring the learning stage, the switch examines multiple packets from the endpoint to determine
- CAfter the switch learns the MAC address of the endpoint, it uses TACACS+ to authenticate it.
- DAfter learning a source MAC address, it sends the host a RADIUS Account-Request message to
- EThe MAC address of a device serves as its user name and password to authenticate with a
How the community answered
(66 responses)- A88% (58)
- B6% (4)
- C5% (3)
- D2% (1)
Why each option
MAC Authentication Bypass (MAB) authenticates devices using their MAC address, allowing their traffic to pass, where the MAC address itself serves as both the username and password.
After a device's MAC address is successfully authenticated via MAB, the network policy is applied, authorizing the traffic originating from that endpoint to traverse the network.
MAB typically triggers authentication upon the first packet from an unknown MAC address, rather than requiring examination of multiple packets in a dedicated 'learning stage' for the MAB process itself.
MAB uses RADIUS for authentication with external servers like Cisco ISE, not TACACS+, which is primarily used for device administration authentication.
After learning a source MAC address, the switch sends a RADIUS Access-Request message (not an Account-Request) to the authentication server to authenticate the device, while Account-Request messages are for accounting.
In a MAB authentication process, the device's MAC address is sent to the RADIUS server and is utilized as both the username and the password for authentication purposes.
Concept tested: MAC Authentication Bypass (MAB) functionality
Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750x_cg/sw8021x.html
Topics
Community Discussion
No community discussion yet for this question.