Mac-Based Authentication - Extreme Networks ExtremeWare XOS Guide Manual

Concepts guide

Network Login
The URL description (optional)
The port is moved to the permanent VLAN.
You can verify this using the show vlan command. For more information on the show vlan
command, see "Displaying VLAN Settings" on page 230.
After a successful login has been achieved, there are several ways that a port can return to a
non-authenticated, non-forwarding state:
The user successfully logs out using the logout web browser window.
The link from the user to the switch's port is lost.
There is no activity on the port for 20 minutes.
An administrator changes the port state.
NOTE
Because network login is sensitive to state changes during the authentication process, Extreme Networks
recommends that you do not log out until the login process is complete. The login process is complete when you
receive a permanent address.

MAC-Based Authentication

MAC-based authentication is used for supplicants that do not support a network login mode, or
supplicants that are not aware of the existence of such a security measure, for example an IP phone.
If a MAC address is detected on a MAC-based enabled netlogin port, an authentication request is
sent once to the AAA application. AAA tries to authenticate the MAC address against the configured
RADIUS server and its configured parameters (timeout, retries, and so on) or the local database.
The credentials used for this are the supplicant's MAC address in ASCII representation, and a locally
configured password on the switch. If no password is configured, the MAC address is used as the
password. You can also group MAC addresses together using a mask.
You can configure a MAC list or a table of MAC entries to filter and authenticate clients based on their
MAC addresses. If a match is found in the table of MAC entries, authentication occurs. If no
match is found in the table of MAC entries, and a default entry exists, the default is used to
authenticate the client. All entries in the list are automatically sorted in longest prefix order. All
passwords are stored and shown encrypted.
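
The lookup described above, modelled as an added example that is not part of the manual and is not ExtremeWare XOS code. It assumes the ASCII form of a MAC address is 12 upper-case hex digits and that a mask is expressed as a prefix length; the class, function names and sample entries are hypothetical.

```python
import string

def mac_to_ascii(mac):
    """Normalise a MAC to 12 upper-case hex digits (this format is an assumption)."""
    digits = "".join(c for c in mac if c not in ":-.").upper()
    if len(digits) != 12 or any(c not in string.hexdigits for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def prefix_mask(prefix_len):
    """48-bit mask with the top prefix_len bits set."""
    return ((1 << prefix_len) - 1) << (48 - prefix_len)

class MacList:
    """Hypothetical model of the switch's MAC list."""

    def __init__(self):
        self.entries = []  # (prefix_len, masked_mac, password or None)

    def add(self, mac, prefix_len=48, password=None):
        if not 0 <= prefix_len <= 48:
            raise ValueError("prefix length must be 0..48")
        masked = int(mac_to_ascii(mac), 16) & prefix_mask(prefix_len)
        self.entries.append((prefix_len, masked, password))
        # Keep the list in longest-prefix order; a /0 default entry sorts last.
        self.entries.sort(key=lambda e: e[0], reverse=True)

    def credentials(self, mac):
        """Return the (username, password) sent to AAA, or None if nothing matches."""
        user = mac_to_ascii(mac)
        value = int(user, 16)
        for prefix_len, masked, password in self.entries:
            if (value & prefix_mask(prefix_len)) == masked:
                # No configured password: the MAC address itself is the password.
                return user, (password if password is not None else user)
        return None

def build_sample_list():
    """Constructed sample entries using locally administered addresses."""
    macs = MacList()
    macs.add("02:AA:BB:00:00:00", prefix_len=24, password="phones")
    macs.add("02:AA:BB:00:00:10")  # exact entry, no password configured
    return macs

if __name__ == "__main__":
    macs = build_sample_list()
    for mac in ("02:aa:bb:00:00:10", "02-AA-BB-12-34-56", "02:cc:00:00:00:01"):
        print(mac, "->", macs.credentials(mac))
```

The exact entry wins over the masked group even though it was added later, and an address outside every entry is authenticated only once a default (prefix length 0) entry exists.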
Beginning with ExtremeWare XOS 11.3, you can associate a MAC address with one or more ports. By
learning a MAC address, the port confirms the supplicant before sending an authorization request to
the RADIUS server. This additional step protects your network against unauthorized supplicants
because the port accepts only authorization requests from the MAC address learned on that port. The
port blocks all other requests that do not have a matching entry.
This section describes the following topics:
Enabling and Disabling MAC-Based Network Login on page 369
Associating a MAC Address to a Specific Port on page 369
Adding and Deleting MAC Addresses on page 369
Displaying the MAC Address List on page 370
ExtremeWare XOS 11.3 Concepts Guide
