Table of Contents
Advertisement
Configuring MAC authentication
Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. It
does not require client software. A user does not need to enter a username and password for
network access. The device initiates a MAC authentication process when it detects an unknown
source MAC address on a MAC authentication enabled port. If the MAC address passes
authentication, the user can access authorized network resources. If the authentication fails, the
device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer.
The device drops all subsequent packets from the MAC address within the quiet time. This quiet
mechanism avoids repeated authentication during a short time.
If the MAC address that has failed authentication is a static MAC address or a MAC address that has
passed any security authentication, the device does not mark the MAC address as a silent address.
User account policies
MAC authentication supports the following user account policies:
•
One MAC-based user account for each user—The access device uses the source MAC
addresses in packets as the usernames and passwords of users for MAC authentication. This
policy is suitable for an insecure environment.
•
One shared user account for all users—You specify one username and password, which are
not necessarily a MAC address, for all MAC authentication users on the access device. This
policy is suitable for a secure environment.
Authentication methods
You can perform MAC authentication on the access device (local authentication) or through a
RADIUS server.
Local authentication:
•
If you configure MAC-based accounts, the access device uses the source MAC address of the
packet as the username and password to search its local account database for a match.
•
If you configure a shared account, the access device uses the shared account username and
password to search its local account database for a match.
RADIUS authentication:
•
If you configure MAC-based accounts, the access device sends the source MAC address as
the username and password to the RADIUS server for authentication.
•
If you configure a shared account, the access device sends the shared account username and
password to the RADIUS server for authentication.
MAC authentication timers
MAC authentication uses the following timers:
•
Offline detect timer—Sets the interval that the device waits for traffic from a user before it
regards the user idle. If a user connection has been idle for two consecutive intervals, the
device logs the user out and stops accounting for the user.
•
Quiet timer—Sets the interval that the device must wait before it can perform MAC
authentication for a user that has failed MAC authentication. All packets from the MAC address
343
Hide quick links:
Advertisement
Table of Contents
