3 If MAB times out or MAC authentication fails, the port is placed into the guest VLAN.If both MAB and re-authentication are enabled, when the re-auth period finishes and whether the previous authentication was throughMAB or 802.1X, 802.1X authentication is tried first. If 802.1X times out, MAB authentication is tried. The port remains authorizedthroughout the reauthentication process. Once a port is enabled/disabled through 802.1X authentication, changes to MAB do not takeeffect until the MAC is asked to re-authenticate or the port status is toggled.MAB in Single-host and Multi-Host ModeIn single-host and multi-host mode, the switch attempts to authenticate a supplicant using 802.1X. If 802.1X times out because thesupplicant does not respond to the Request Identity frame and MAB is enabled, the switch attempts to authenticate the first MAC it learnson the port. Afterwards, for single-host mode, traffic from all other MACs is dropped; for multi-host mode, all traffic from all other MACs isaccepted.After a port is authenticated by MAB, if the switch detects an 802.1X EAPoL start message from the authenticated MAC, the switch re-authenticates using 802.1X first, while keeping the port authorized.NOTE: If the switch is in multi-host mode, a MAC address that was MAB-authenticated but later was disabled from MABauthentication, is not denied access but moved to the guest VLAN. If the switch is in single-host mode, the MAC address isdisallowed access.MAB in Multi-Supplicant Authentication ModeMulti-supplicant authentication (multi-auth) mode is similar to other 802.1X modes in that the switch first attempts to authenticate asupplicant using 802.1X. 802.1X times out if the supplicant does not respond to the Request Identity frame. Then, if MAB authentication isenabled, the switch tries to authenticate every MAC it learns on the port, up to 128 MACs, which is the maximum number of supplicantsthat 802.1X can authenticate on a single port in multi-authentication mode.If a supplicant that has been authenticated using MAB starts to speak EAPoL, the switch re-authenticates that supplicant using 802.1Xfirst, while keeping the MAC authorized through the re-authentication process.Configuring MAC Authentication BypassTo configure MAB in multi-supplicant authentication mode:1 Configure the following attributes on a RADIUS Server:• Attribute 1—User-name: Use the supplicant MAC address in hex format without any colons. For example, enter 10:34:AA:33:44:F8as 1034AA3344F8.• Attribute 2—Password: Use the supplicant MAC address, but encrypted in MD5.• Attribute 4—NAS-IP-Address: IPv4 address of the switch that is used to communicate with the RADIUS server.• Attribute 5—NAS -Port: The port number of the interface being authorized entered as an integer.• Attribute 30—Called-Station-Id: MAC address of the ingress interfaces of the authenticator.• Attribute 31—Calling-Station-Id: MAC address of the 802.1X supplicant.• Attribute 87—NAS-Port-Id: The name of the interface being authorized entered as a string.NOTE: Only attributes 1 and 2 are used for MAB; Attributes 30 and 31 are not mandatory in the MAB method.2 Enter INTERFACE mode on an interface or a range of interfaces.INTERFACE modeinterface [range]3 Enable MAC authentication bypass.INTERFACE mode104 802.1X