Non-802.1x Authentications

Question 1

True/ False. In MAB the authenticator act on behalf of the endpoint that does not have a supplicant by crafting a RADIUS Access-Request message and sends it to the authentication server. The authenticator uses the endpoint’s MAC address as the identity

Answer 1

True

Question 2

How does a switch(authenticator) know when the endpoint that is plugged into it does not have a supplicant?

Answer 2

The authenticator is meant to send EAP over LAN identity request frames every 30 seconds by default. After 3 timeouts- a period of 90 seconds by default- it accepted that the endpoint must not have a supplicant.

Question 3

Web Authentication

Answer 3

An authenticator would be able to send a user to a locally hosted web page- in other words, a web page hosted on the local device itself example Switch, WLC, etc. The username and password that are submitted to the web portal are then sent from the authenticator to the authentication server in a standard RADIUS Access-Request packet.

Question 4

Local Web Authentication

Answer 4

the credentials are submitted through the web portal, and the authenticator (switch, wireless controller and so on) sends the RADIUS Access-Request to the authentication server using the username and password from the form. It is key to remember that any time the switch is sending the credentials for the user, it is considered LWA

Question 5

LWA limitations

Answer 5

LWA does not support VLAN assignment, so you are basically limited to ACL assignment. LWA is also restricted from change of authorization (COA) support;

Question 6

Centralized Web Authentication

Answer 6

the portal is hosted on ISE

Question 7

True/ False CoA works fully with CWA

Answer 7

True. CWA also supports all the advanced services, such as client provisioning, posture assessments, acceptable use policies (AUPs) password changing, self registration, and device registration