Chapter 10: Mac Based Authentication; How Mac-Based Authentication Works - Extreme Networks Summit WM Technical Reference Manual

Version 5.1

10 MAC Based Authentication
The MAC-based authentication feature is designed to further control access to network resources for
wireless clients on the Summit WM system. It authenticates the client's MAC address using the same
process as the user's RADIUS authentication.
Only clients whose MAC addresses have been authenticated can establish sessions and use network
resources as defined by the rules for the virtual network segment. Depending on the assignment of the
virtual segment (NONE, SSID and AAA), the user's authentication may be required. In that sense,
MAC-based authentication is more a form of authentication that gives wireless clients permission
to enter the system. If the RADIUS server rejects the authentication, the Summit WM Controller
sends a message to the Wireless AP, and the Wireless AP disconnects the client.
The feature is configurable per WM-AD through the GUI as part of the RADIUS profile definition. It
includes RADIUS redundancy with up to three RADIUS servers.
It is also designed to work when clients roam and in mobility scenarios. A wireless client can be
forced to start MAC-based authentication again when it roams from one Wireless AP to another.

How MAC-based authentication works

1 When a client attempts to associate with a WM-AD that has MAC-based authentication enabled,
the Wireless AP triggers the association request, which is forwarded through the control plane
to the Security Manager and then to the RADIUS Client. The RADIUS Client sends the access request
to the RADIUS server, with the MAC address of the wireless client as the userID and password.
By default, the Summit WM Controller uses the MAC address of the device as both the userID and
password for the authentication. However, if an administrator types a value into the Password
field, the typed password is used in place of the MAC address in the authentication request
to the server. For example, userID = MAC, password = administrator-provided password. This
feature operates as an override, which allows the administrator to more easily define RADIUS
policies for MAC-based authentication.
2 When the Authentication Request is received, the Authentication Server validates the request
(checking that it comes from a known client, the Summit WM Controller) and then decrypts the data
packet to access the user name and password information, in this case the MAC address. This
information is passed to the appropriate security system, which verifies the existence of the user
and the correctness of the password, as well as the authentication type (PAP, CHAP, MS CHAP).
Depending on the server, this security system can be a UNIX file, Active Directory, etc.
3 If an account for the MAC address is defined on the RADIUS server, and it passes the security check,
the RADIUS server sends the access accept to the Summit WM Controller, and the FE creates
an MU session.
4 If the MAC address fails the security check, the RADIUS server sends the access reject to the
Summit WM Controller. Upon receiving the access reject, the Summit WM Controller sends a
message to the Wireless AP, and the Wireless AP disconnects the client.
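
The access request from step 1 and the server-side password recovery from step 2, as an added example (not code from the manual or from Extreme Networks). It assumes PAP with the User-Password hiding defined in RFC 2865; the MAC address format, shared secret, override password and function names are constructed for illustration.

```python
import hashlib
import os
import struct

ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2   # RFC 2865 attribute types

def xor_blocks(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result
    return out

def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return xor_blocks(padded, secret, authenticator, decrypt=False)

def recover_password(hidden, secret, authenticator):
    return xor_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(mac, secret, override_password=None, identifier=1):
    """Controller side (step 1): userID = MAC, password = MAC unless overridden."""
    authenticator = os.urandom(16)
    password = (override_password or mac).encode()
    hidden = hide_password(password, secret, authenticator)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, mac.encode()), (ATTR_USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))  # code 1 = Access-Request
    return header + authenticator + attrs

def parse_access_request(packet, secret):
    """Server side (step 2): recover user name and password with the shared secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    authenticator, pos, fields = packet[4:20], 20, {}
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        fields[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    password = recover_password(fields[ATTR_USER_PASSWORD], secret, authenticator)
    return fields[ATTR_USER_NAME].decode(), password.decode()

if __name__ == "__main__":
    mac, secret = "00:11:22:33:44:55", b"constructed-shared-secret"  # constructed sample values
    print(parse_access_request(build_access_request(mac, secret), secret))
    print(parse_access_request(build_access_request(mac, secret, "policy-pass"), secret))
```

Only User-Password is hidden on the wire; User-Name, and with it the MAC address, is carried in the clear.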
Summit WM Technical Reference Guide, Software Version 5.1