Configuring MAC authentication
Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. It does
not require client software, and users do not have to enter a username and password for network access.
The device initiates a MAC authentication process when it detects an unknown source MAC address on
a MAC authentication enabled port. If the MAC address passes authentication, the user can access
authorized network resources. If the authentication fails, the device marks the MAC address as a silent
MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from
that MAC address until the quiet timer expires. The quiet mechanism prevents repeated authentication
attempts within a short period.
NOTE:
If the MAC address that has failed authentication is a static MAC address or a MAC address that has
passed any security authentication, the device does not mark it as a silent address.
User account policies
MAC authentication supports the following user account policies:
• One MAC-based user account for each user. The access device uses the source MAC addresses in
  packets as the usernames and passwords of users for MAC authentication. This policy is suitable for
  an insecure environment.
• One shared user account for all users. You specify one username and password, which are not
  necessarily a MAC address, for all MAC authentication users on the access device. This policy is
  suitable for a secure environment.
Authentication approaches
You can perform MAC authentication on the access device (local authentication) or through a RADIUS
server.
Local authentication:
• If you configure MAC-based accounts, the access device uses the source MAC address of the
  packet as the username and password to search its local account database for a match.
• If you configure a shared account, the access device uses the shared account username and
  password to search its local account database for a match.
RADIUS authentication:
• If you configure MAC-based accounts, the access device sends the source MAC address as the
  username and password to the RADIUS server for authentication.
• If you configure a shared account, the access device sends the shared account username and
  password to the RADIUS server for authentication.
For more information about configuring local authentication and RADIUS authentication, see
"Configuring AAA."
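
The quiet mechanism, the silent-address exemption in the NOTE, and the two user account policies with local authentication can be modelled as follows. This is an added example, not vendor code or device configuration. The class name MacAuthPort, the verdict labels, the MAC address format, and the 60-second quiet timer are assumptions made for illustration.

```python
class MacAuthPort:
    """Model of one MAC-authentication-enabled port with local authentication."""

    def __init__(self, accounts, quiet_seconds, shared=None, exempt=()):
        self.accounts = accounts            # local account database: username -> password
        self.quiet_seconds = quiet_seconds  # quiet timer length (value chosen by the caller)
        self.shared = shared                # (username, password) under the shared-account policy
        self.exempt = set(exempt)           # static MACs or MACs that passed another security authentication
        self.authenticated = set()
        self.silent_until = {}              # silent MAC -> time its quiet timer expires

    def credentials(self, mac):
        # MAC-based policy: the source MAC serves as both username and password.
        return self.shared if self.shared else (mac, mac)

    def on_packet(self, mac, now):
        if mac in self.authenticated:
            return "forward"
        if self.silent_until.get(mac, 0) > now:
            return "drop-quiet"             # dropped with no new authentication attempt
        self.silent_until.pop(mac, None)    # quiet timer expired (or never started)
        user, password = self.credentials(mac)
        if self.accounts.get(user) == password:
            self.authenticated.add(mac)
            return "forward"
        if mac not in self.exempt:          # NOTE: exempt addresses are never marked silent
            self.silent_until[mac] = now + self.quiet_seconds
        return "auth-failed"


def demo():
    # Constructed sample data: addresses, account and timer value are illustrative.
    known, unknown, static = "00-11-22-33-44-55", "66-77-88-99-aa-bb", "00-aa-bb-cc-dd-ee"
    port = MacAuthPort({known: known}, quiet_seconds=60, exempt={static})
    timeline = [(0, known), (1, unknown), (2, static), (3, static), (30, unknown), (61, unknown)]
    return [(t, mac, port.on_packet(mac, t)) for t, mac in timeline]


if __name__ == "__main__":
    for t, mac, verdict in demo():
        print(f"t={t:>3}s {mac} {verdict}")
```

The unknown address is authenticated once at t=1, dropped without a new attempt at t=30, and authenticated again only after the quiet timer has expired. The exempt address is re-authenticated on every packet because it is never marked silent.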