Mac Authentication Bypass Mab on Hp Procurve 2600

For my thesis I did a little research on Network Access Control and the possibilities. This research was focused on the environment of the company I work for, this means I included both Cisco and HP switches in my research. After this research I build a test environment to test the authentication mechanisms 802.1x, MAB and web authentication. With Cisco everything was working flawless, but I also wanted a sort of MAB authentication on the HP switches, unfortunately HP doesn’t speak MAB. So after some puzzling I found a work around which is close enough to MAB. Normally you can only use 802.1x or MAC Authentication on a HP Procurve switch (2600). To work around this problem HP included a feature, so called Client Based Network Authentication. This feature is initially created to make it possible to authenticate devices which are connected to a HUB on the switchport. It is possible that devices connected to the HUB require different authentication mechanisms, so this gives the opportunity to allow MAC and 802.1x authentication on the same port. When we switch to Client Based Network Authentication and we set the allowed clients to 1, it is possible to let the client choose which authentication is going to be used.

The figure above shows how it schematically works, the HUB is just virtual and used as example. To let this work you only need to configure the client limit.

aaa port-access authenticator 1-48 aaa port-access authenticator 1 client-limit 1 aaa port-access authenticator 2 client-limit 1 aaa port-access authenticator 3 client-limit 1 … aaa port-access authenticator active aaa port-access mac-based 1-48 aaa port-access 1-48 vlan 31 name “MACAuth_Vlan” tagged 49,50 exit

Rob Maas
Rob Maas
Technical Challanger at ON2IT

If it is broken, fix it! If it ain’t broken, make it better!