Table of Contents
Advertisement
are dropped during the quiet time. This quiet mechanism prevents repeated authentication from
affecting system performance.
•
Server timeout timer—Sets the interval that the device waits for a response from a RADIUS
server before it regards the RADIUS server unavailable. If the timer expires during MAC
authentication, the user cannot access the network.
Using MAC authentication with other features
VLAN assignment
You can specify a VLAN in the user account for a MAC authentication user to control its access to
network resources. After the user passes MAC authentication, the authentication server, either the
local access device or a RADIUS server, assigns the VLAN to the port as the default VLAN. After the
user logs off, the initial default VLAN, or the default VLAN configured before any VLAN is assigned
by the authentication server, restores. If the authentication server assigns no VLAN, the initial default
VLAN applies.
A hybrid port is always assigned to a server-assigned VLAN as an untagged member. After the
assignment, do not re-configure the port as a tagged member in the VLAN.
If MAC-based VLAN is enabled on a hybrid port, the device maps the server-assigned VLAN to the
MAC address of the user. The default VLAN of the hybrid port does not change.
ACL assignment
You can specify an ACL in the user account for a MAC authentication user to control its access to
network resources. After the user passes MAC authentication, the authentication server, either the
local access device or a RADIUS server, assigns the ACL to the access port to filter the traffic from
this user. You must configure the ACL on the access device for the ACL assignment function. You
can change ACL rules while the user is online.
Auth-Fail VLAN
You can configure an Auth-Fail VLAN on a port to accommodate MAC authentication users that have
failed MAC authentication on the port. Users in the Auth-Fail VLAN can access a limited set of
network resources, such as a software server, to download anti-virus software and system patches.
If no MAC Auth-Fail VLAN is configured, the user that fails MAC authentication cannot access any
network resources.
If a user in the Auth-Fail VLAN passes MAC authentication, it is removed from the Auth-Fail VLAN
and can access all authorized network resources. If not, the user is still in the Auth-Fail VLAN.
A hybrid port is always assigned to an Auth-Fail VLAN as an untagged member. After the assignment,
do not re-configure the port as a tagged member in the VLAN.
Configuration prerequisites
Before you configure MAC authentication, complete the following tasks:
Configure an ISP domain and specify an AAA method. For more information, see
1.
AAA."
For local authentication, you must also create local user accounts (including usernames
and passwords), and specify the lan-access service for local users.
For RADIUS authentication, make sure the device and the RADIUS server can reach each
other, and create user accounts on the RADIUS server. If you are using MAC-based
344
"Configuring
Hide quick links:
Advertisement
Table of Contents
