Everything You Need to Know About MAC Authentication Bypass (MAB)

Businesses implement security measures to keep unauthorized devices off their networks. MAB is one such non-traditional way of allowing devices to connect to a network. It mainly fills the gap left by 802.1X, which only allows access to devices that support it. However, there are several questions about MAB that need answering: What is its purpose? Is it safe? Can it be hacked?

This write-up answers those questions about MAC Authentication Bypass. Without further ado, let’s delve into them.

What is a MAC Authentication Bypass (MAB)?

MAC Authentication Bypass, also known as Media Access Control Authentication Bypass, is used for devices that don't support 802.1X authentication. It’s port-based. This means the access control can be easily enabled or disabled depending on the device's MAC address. Devices such as printers or legacy phones, which cannot provide usernames and passwords for authentication, rely on MAB to connect to the network.

Let’s take a quick look at how MAC Authentication Bypass works. As an example, consider a printer without 802.1X support trying to access a network that has MAB enabled:

  • The printer connects to the switch port, and the switch will receive an initial network access request from it.
  • Now, the switch will use an authentication server, such as a RADIUS server, to check the MAC address of the requesting device. The authentication server contains the list of MAC addresses of all the authorized devices.
  • If the MAC address of the printer matches those in the authentication server, the switch will immediately allow the printer to access the network. Otherwise, the request is blocked right away.

MAB has two main modes of operation:

  1. Single-Host Mode: The switch allows access to a single device at a time after checking its MAC address against the list of authorized MAC addresses in the authentication server.
  2. Multiple-Host Mode: The switch allows access to all the connected devices once the MAC address of one of them matches an entry in the authentication server. Multiple devices can therefore gain access at the same time, which makes this mode more convenient but relatively less secure than single-host mode.
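
The printer flow and the two host modes described above, as a simplified model (an added example, not code from the original article or from any switch vendor). The allowlist, the MAC values and the SwitchPort class are constructed for illustration; a real switch queries its authentication server rather than a local set.

```python
import re

# Constructed allowlist standing in for the authentication server's database.
AUTHORIZED_MACS = {"001b63a4f210"}  # constructed MAC of the printer


def normalize_mac(raw):
    """Reduce colon, dash or dot notation to 12 lowercase hex digits."""
    mac = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def server_check(mac):
    """Authentication server side: accept only MACs on the allowlist."""
    return normalize_mac(mac) in AUTHORIZED_MACS


class SwitchPort:
    """Hypothetical model of one MAB-enabled switch port."""

    def __init__(self, mode):
        if mode not in ("single-host", "multi-host"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.opened_by = None  # MAC whose authentication opened the port
        self.allowed = set()   # MACs whose traffic is forwarded

    def frame_from(self, raw_mac):
        """Return True if traffic from this source MAC is forwarded."""
        mac = normalize_mac(raw_mac)
        if mac in self.allowed:
            return True
        if self.opened_by is None:
            if not server_check(mac):
                return False       # unknown MAC: request blocked
            self.opened_by = mac
        elif self.mode == "single-host":
            return False           # port already bound to one device
        # First authorized device, or multi-host: later MACs ride on the
        # first device's authentication without a server check.
        self.allowed.add(mac)
        return True
```

In multi-host mode the second, unlisted MAC is forwarded only after the printer has opened the port, which is the reason the mode is the less secure of the two.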

What is the Purpose of MAC Authentication Bypass (MAB)?

The primary purpose of MAC Authentication Bypass is to grant network access to non-802.1X devices. In an 802.1X network, devices are identified and authorized to access the network based on their credentials or certificates, like usernames and passwords. However, some devices, like printers and IP phones, don't support the 802.1X verification procedure.

MAB plays a vital role by allowing these devices to reach the network using their MAC addresses instead of requiring 802.1X support. It simply associates the device's MAC address with predefined credentials, which the network switch then extracts for authentication. One thing to remember, however, is that MAB is less secure than the 802.1X network protocol.

What is the Difference Between MAC Authentication Bypass (MAB) and 802.1X?

Both MAB and 802.1X are used to authenticate devices and control access to a particular network. Let's look at their differences for a better understanding:

  • Authentication Method: MAB uses MAC addresses to authenticate a device. 802.1X, on the other hand, relies on the EAP (Extensible Authentication Protocol) framework, which requires a username, password, or digital certificate before allowing access.
  • Security: MAC addresses are very easy to spoof, whereas the 802.1X network protocol uses EAP encryption and authentication. 802.1X is very difficult to penetrate because both the endpoint and the AAA server need to authenticate themselves before access is granted.
  • Authentication Process: With MAB, the switch receives an authentication request from the device. With 802.1X, access is blocked until the device is authenticated.
  • Devices: MAB goes well with non-802.1X devices like most printers, legacy phones, etc. In contrast, EAP-supporting devices like smartphones, tablets, laptops, etc., are compatible with 802.1X. MAB lacks advanced device management capabilities compared to 802.1X.
  • Cost and Flexibility: MAB’s cost of implementation is relatively low, but it provides limited flexibility in comparison to 802.1X.
  • Environment Type: MAB is good for less sensitive environments, while 802.1X is designed for complex and highly sensitive environments like enterprise networks. MAB’s management and implementation are relatively easier than those of 802.1X.
  • IEEE Compliance: MAB isn’t an IEEE standard. In contrast, 802.1X complies with the IEEE standard.

Is MAC Authentication Bypass (MAB) Secure?

When compared to other authentication methods, MAB isn't the most secure one. As it relies on MAC authentication, which is easy to manipulate, hackers can easily spoof and exploit the MAC address of any authorized device to gain access to the network.

Moreover, unlike 802.1X, MAB lacks granular control. Granular control allows the administrator to limit access to defined network resources. Because MAB has no such control, it becomes easier for attackers to gain limitless access to everything. With MAC Authentication Bypass, everyone enjoys the same level of access, even to sensitive data, which marginally compromises the network's security against both inside and outside attackers.

From a security perspective, it's never recommended to use MAC Authentication Bypass as a standalone security setup.

Can MAC Authentication Bypass (MAB) be Hacked?

Yes, MAB can be hacked more easily than other authentication methods like 802.1X. MAC authentication bypass is easy to manipulate and lacks granular control, which makes it even more vulnerable. Granular control adds a layer of security so that, even if a hacker manages to access the network, they might not reach the sensitive information. With granular control, administrators can limit access for users and devices.

Because MAB doesn’t have such control, using it on its own can open up avenues for hacking. To overcome this, it’s mandatory to couple it with other security measures like network monitoring, network segmentation, device authentication, encryption, access control, etc.

Without these measures, MAB isn’t a reliable authentication setup for networks, especially those containing sensitive information.
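
One form the network monitoring mentioned above can take, as an added example that is not part of the original article: a check that flags a MAC address starting a session on one switch port while it is still active on another, which is what a cloned address looks like in session records. The record layout, switch names and MAC values are constructed for illustration.

```python
from collections import defaultdict

# Constructed session records (time, event, MAC, switch, port); not real logs.
SAMPLE_RECORDS = [
    ("2024-05-01T08:00:00", "start", "00:1b:63:a4:f2:10", "sw1", "Gi1/0/5"),
    ("2024-05-01T08:05:00", "start", "00:1b:63:a4:f2:22", "sw1", "Gi1/0/6"),
    ("2024-05-01T09:30:00", "start", "00-1B-63-A4-F2-10", "sw2", "Gi1/0/14"),
    ("2024-05-01T10:00:00", "stop", "00:1b:63:a4:f2:22", "sw1", "Gi1/0/6"),
    ("2024-05-01T10:10:00", "start", "00:1b:63:a4:f2:22", "sw3", "Gi1/0/2"),
]


def canon(mac):
    """Keep only the hex digits so differently formatted MACs compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def find_concurrent_macs(records):
    """Flag a MAC that starts a session while still active on another port."""
    active = defaultdict(set)  # MAC -> set of (switch, port) with open sessions
    findings = []
    for ts, event, mac, switch, port in sorted(records):  # ISO times sort in order
        mac, loc = canon(mac), (switch, port)
        if event == "start":
            others = active[mac] - {loc}
            if others:
                findings.append({"time": ts, "mac": mac, "new": loc,
                                 "active_on": sorted(others)})
            active[mac].add(loc)
        elif event == "stop":
            active[mac].discard(loc)
    return findings


if __name__ == "__main__":
    for hit in find_concurrent_macs(SAMPLE_RECORDS):
        print(hit)
```

The second device in the sample stops its session before reappearing on another switch, so it is treated as a legitimate move and not flagged.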

Conclusion

MAB may seem like a suitable temporary solution, but it comes with several data risks. So, if you are looking for a more secure and flexible authentication mechanism that supports all devices, Portnox's cloud-native zero-trust access control platform is just meant for you.

You can enjoy a seamless work experience without worrying about setup and deployment issues and system maintenance and upgrades. On top of that, there are no hidden costs to disturb your budget along the way.

From network authentication to access control and endpoint remediation to risk monitoring, Portnox offers a unified frictionless solution to all your networking needs.
Claim the free trial and test it yourself before spending a dime!