[Translated] IEEE 802.1x authentication with MAC authentication bypass

What follows is one tiny little section of the Catalyst 3560 Switch Software Configuration Guide, Cisco's configuration guide for the 3560 switch.
The original runs to 1179 pages, enough to make a reader cough up blood and die.
The reason I translated it is that the Chinese-language literature (public literature, that is) in China describing this feature of Cisco switches currently amounts to 0.000???. You could say basically nobody has translated or introduced it.
And Cisco's implementation of the IEEE 802.1x protocol differs considerably in its details from the current implementations of domestic vendors such as Huawei, Ruijie and Digital China. When I did some configuration myself earlier, I was completely misled. So much so that......

Have a look, everyone: the insider sees the tricks of the trade, and the outsider can at least look at the sidewalk. Heh.



Using IEEE 802.1x Authentication with MAC Authentication Bypass

You can configure the switch to authorize clients based on the client MAC address (see Figure 9-2 onpage 9-4) by using the MAC authentication bypass feature. For example, you can enable this feature on IEEE 802.1x ports connected to devices such as printers.
Translator's note: the typical case is an IEEE 802.1x port whose attached device, such as a printer, cannot run a supplicant and so never answers the EAPOL exchange.

If IEEE 802.1x authentication times out while waiting for an EAPOL response from the client, the switch tries to authorize the client by using MAC authentication bypass.

When the MAC authentication bypass feature is enabled on an IEEE 802.1x port, the switch uses the MAC address as the client identity.

The authentication server has a database of client MAC addresses that are allowed network access. After detecting a client on an IEEE 802.1x port, the switch waits for an Ethernet packet from the client. The switch sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the switch grants the client access to the network. If authorization fails, the switch assigns the port to the guest VLAN if one is configured.
Translator's note: the order matters. The switch first lets the IEEE 802.1x timeout described above expire, then waits for an Ethernet frame from the client, and only then sends the RADIUS Access-Request. The MAC address serves as both the username and the password in that request, so the credential contains no secret at all; the server's database of permitted MAC addresses is the only thing being checked, and a host that spoofs a listed MAC passes the same check.
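The exchange described above, seen from the authentication server's side, as an added example that is not part of the guide or of any Cisco code: it builds a RADIUS Access-Request in which User-Name and User-Password both carry the client MAC, decodes it with the RADIUS shared secret, and decides against a MAC allow-list. The packet layout and User-Password hiding follow RFC 2865; the username format (12 lowercase hex digits with no separators), the shared secret, the allow-list, the VLAN numbers and the guest VLAN 99 are constructed assumptions, not values from the guide or captured from a switch. (In the same guide the feature itself is switched on per interface with `dot1x mac-auth-bypass`; that configuration procedure is outside the passage translated here.)

```python
"""MAC authentication bypass from the authentication server's side (added
example).  RFC 2865 packet layout and User-Password hiding; the username
format, secret, allow-list and VLAN numbers are constructed assumptions."""
import hashlib
import os
import re
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

# Constructed allow-list: MAC -> VLAN the server assigns on accept.
ALLOWED_MACS = {"0011.2233.4455": 20}
GUEST_VLAN = 99   # where the switch puts the port on reject, if configured

MAC_RE = re.compile(r"^(?:[0-9a-f]{12}"
                    r"|(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}"
                    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})$", re.I)


def normalize_mac(raw: str) -> Optional[str]:
    """Accept 001122334455, 00-11-22-33-44-55, 00:11:22:33:44:55 or
    0011.2233.4455 and return the Cisco dotted form, else None."""
    if not MAC_RE.match(raw):
        return None
    h = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, mask)), chunk
    return out.rstrip(b"\x00")


def build_access_request(mac_username: str, secret: bytes, ident: int = 1) -> bytes:
    """What the switch sends for MAB: User-Name and User-Password are both the MAC."""
    authenticator = os.urandom(16)
    attrs = b""
    for attr_type, value in ((USER_NAME, mac_username.encode()),
                             (USER_PASSWORD, hide_password(mac_username.encode(),
                                                           secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(pkt: bytes) -> Tuple[int, bytes, Dict[int, bytes]]:
    """Split header and TLV attributes, rejecting malformed lengths."""
    if len(pkt) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet")
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, pkt[4:20], attrs


def authorize(pkt: bytes, secret: bytes) -> Tuple[int, Optional[int]]:
    """Return (reply code, VLAN the port ends up in).  On reject that is the
    guest VLAN, as the passage says, or None if no guest VLAN is configured."""
    code, authenticator, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return ACCESS_REJECT, GUEST_VLAN
    user = attrs[USER_NAME].decode("ascii", "replace")
    password = reveal_password(attrs[USER_PASSWORD], secret, authenticator)
    mac = normalize_mac(user)
    # MAB carries no secret: the password is the MAC again, so the allow-list
    # is the only control and any host spoofing a listed MAC passes this check.
    if mac is None or normalize_mac(password.decode("ascii", "replace")) != mac \
            or mac not in ALLOWED_MACS:
        return ACCESS_REJECT, GUEST_VLAN
    return ACCESS_ACCEPT, ALLOWED_MACS[mac]
```

A request for a listed MAC yields Access-Accept with the allow-list VLAN; an unlisted MAC, a malformed username, or a request hidden under a different shared secret yields Access-Reject, after which the switch places the port in the guest VLAN if one is configured.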

If an EAPOL packet is detected on the interface during the lifetime of the link, the switch determines that the device connected to that interface is an IEEE 802.1x-capable supplicant and uses IEEE 802.1x authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if the interface link status goes down.
Translator's note: an EAPOL frame seen at any point while the link is up, including before MAC authentication bypass has run, marks the port as having a supplicant. Because that EAPOL history is cleared on link down, the port starts over after the next link up and can again fall back to MAC authentication bypass if no EAPOL response arrives.

If the switch already authorized a port by using MAC authentication bypass and detects an IEEE 802.1x supplicant, the switch does not unauthorize the client connected to the port. When re-authentication occurs, the switch uses IEEE 802.1x authentication as the preferred re-authentication process if the previous session ended because the Termination-Action RADIUS attribute value is DEFAULT.
Translator's note: the switch does not revoke an existing MAC authentication bypass authorization when a supplicant shows up later; the client stays authorized. IEEE 802.1x becomes the preferred method only at the next re-authentication, and only when the previous session ended because the RADIUS Termination-Action attribute was DEFAULT.

Clients that were authorized with MAC authentication bypass can be re-authenticated. The re-authentication process is the same as that for clients that were authenticated with IEEE 802.1x.  During re-authentication, the port remains in the previously assigned VLAN. If re-authentication is successful, the switch keeps the port in the same VLAN. If re-authentication fails, the switch assigns the port to the guest VLAN, if one is configured.

If re-authentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute [29]) and if the Termination-Action RADIUS attribute (Attribute [29]) action is Initialize, (the attribute value is DEFAULT), the MAC authentication bypass session ends, and connectivity is lost during re-authentication. If MAC authentication bypass is enabled and the IEEE 802.1x authentication times out, the switch uses the MAC authentication bypass feature to initiate re-authorization. For more information about these AV pairs, see RFC 3580, 「IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.」
Translator's note: when re-authentication is driven by Session-Timeout (attribute 27) and Termination-Action (attribute 29) is DEFAULT, the session is terminated at expiry rather than refreshed in place, so a client authorized by MAC authentication bypass is cut off until it is re-authorized. Because the port first waits for the IEEE 802.1x timeout before it falls back to MAC authentication bypass, that gap lasts at least as long as the 802.1x timeout.
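The re-authentication timeline above, as an added example rather than anything from the guide: it walks a port that was just authorized by MAC authentication bypass through successive Session-Timeout expiries and totals the seconds without connectivity. It models only what the passage states plus the RFC 3580 meaning of Termination-Action (DEFAULT terminates the session; the RFC's other value, RADIUS-Request, re-authenticates without terminating, which this passage does not discuss). The IEEE 802.1x timeout that precedes the fallback is taken as tx-period × (max-reauth-req + 1) with 30 s and 2 as defaults; that formula and those values are an assumption about the switch's timers, and the one-second MAB round trip is likewise constructed.

```python
"""Re-authentication of a MAB-authorized client driven by the RADIUS
Session-Timeout (27) and Termination-Action (29) attributes (added example).
The 802.1x timeout model (tx-period * (max-reauth-req + 1), defaults 30 s
and 2) and the MAB round trip are assumptions, not statements of the guide."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TERMINATION_DEFAULT = 0         # RFC 3580: session ends, port goes unauthorized
TERMINATION_RADIUS_REQUEST = 1  # RFC 3580: re-authenticate, session kept


@dataclass
class PortTimers:
    tx_period: int = 30       # seconds between EAP-Request/Identity retries (assumed)
    max_reauth_req: int = 2   # retries before 802.1x gives up (assumed)

    def dot1x_timeout(self) -> int:
        """Time the port waits for EAPOL before falling back to MAB."""
        return self.tx_period * (self.max_reauth_req + 1)


def simulate(session_timeout: int, termination_action: int, horizon: int,
             timers: Optional[PortTimers] = None,
             mab_round_trip: int = 1) -> Tuple[List[Tuple[int, str]], int]:
    """Walk the port from t=0 (just authorized by MAB) up to `horizon` seconds.
    Returns the event log and the total seconds without connectivity."""
    timers = timers or PortTimers()
    events: List[Tuple[int, str]] = [(0, "authorized via MAB")]
    outage = 0
    t = 0
    while t + session_timeout < horizon:
        t += session_timeout
        if termination_action == TERMINATION_RADIUS_REQUEST:
            # Re-authenticate in place: the 802.1x timeout still runs before
            # the MAB retry, but the port keeps its VLAN and stays authorized.
            events.append((t, "Session-Timeout: MAB re-authentication, no loss"))
            continue
        # Termination-Action DEFAULT: the MAB session ends and the port goes
        # unauthorized.  Nothing answers EAPOL, so the whole 802.1x timeout
        # passes before the switch tries MAB again.
        events.append((t, "Session-Timeout: session terminated, port unauthorized"))
        gap = timers.dot1x_timeout() + mab_round_trip
        outage += gap
        t += gap
        events.append((t, "802.1x timed out, re-authorized via MAB"))
    return events, outage


if __name__ == "__main__":
    for action in (TERMINATION_DEFAULT, TERMINATION_RADIUS_REQUEST):
        log, lost = simulate(3600, action, horizon=2 * 3600)
        print(f"Termination-Action={action}: {lost} s without connectivity")
        for when, what in log:
            print(f"  t={when:5d}s  {what}")
```

With a one-hour Session-Timeout and the assumed defaults, every expiry under DEFAULT costs the printer 91 seconds offline (90 s of unanswered EAP-Request/Identity plus the MAB round trip), whereas RADIUS-Request re-authenticates without a gap; shortening tx-period or max-reauth-req on the port shrinks the outage proportionally.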


MAC authentication bypass interacts with the features:

● IEEE 802.1x authentication—You can enable MAC authentication bypass only if IEEE 802.1x authentication is enabled on the port.
● Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a guest VLAN if one is configured.
● Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.1x port is authenticated with MAC authentication bypass.
● Port security—See the 「Using IEEE 802.1x Authentication with Port Security」 section on page 9-15.
● Voice VLAN—See the 「Using IEEE 802.1x Authentication with Voice VLAN Ports」 section on page 9-15.
● VLAN Membership Policy Server (VMPS)—IEEE 802.1x and VMPS are mutually exclusive.
● Private VLAN—You can assign a client to a private VLAN.
● Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an IEEE 802.1x port is authenticated with MAC authentication bypass, including hosts in the exception list.

