In the local authentication approach:
•
If MAC-based accounts are used, the access device uses the source MAC address of the packet as
the username and password to search its local account database for a match.
If a shared account is used, the access device uses the shared account username and password to
•
search its local account database for a match.
In the RADIUS authentication approach:
If MAC-based accounts are used, the access device sends the source MAC address as the
•
username and password to the RADIUS server for authentication.
If a shared account is used, the access device sends the shared account username and password
•
to the RADIUS server for authentication.
For more information about configuring local authentication and RADIUS authentication, see the chapter
"AAA configuration."
MAC authentication timers
MAC authentication uses the following timers:
Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards
•
the user idle. If a user connection has been idle for two consecutive intervals, the device logs the
user out and stops accounting for the user.
Quiet timer—Sets the interval that the device must wait before it can perform MAC authentication
•
for a user that has failed MAC authentication. All packets from the MAC address are dropped
during the quiet time. This quiet mechanism prevents repeated authentication from affecting system
performance.
Server timeout timer—Sets the interval that the access device waits for a response from a RADIUS
•
server before it regards the RADIUS server unavailable. If the timer expires during MAC
authentication, the user cannot access the network.
Using MAC authentication with other features
VLAN assignment
You can specify a VLAN in the user account for a MAC authentication user to control its access to
network resources. After the user passes MAC authentication, the authentication server, either the local
access device or a RADIUS server, assigns the VLAN to the port as the default VLAN. After the user logs
off, the initial default VLAN, or the default VLAN configured before any VLAN is assigned by the
authentication server, restores. If the authentication server assigns no VLAN, the initial default VLAN
applies.
NOTE:
A hybrid port is always assigned to a server-assigned VLAN as an untagged member. After the
•
assignment, do not re-configure the port as a tagged member in the VLAN.
If the port is a hybrid port with MAC-based VLAN enabled, the device maps the MAC address of each
•
user to the VLAN assigned by the authentication server. The default VLAN of the port does not change.
When a user logs off, the MAC-to-VLAN mapping for the user is removed.
96