Local MAC Authentication
In local MAC authentication, the device performs authentication of users locally and different items
need to be manually configured for users on the device according to the specified type of username:
If the type of username is MAC address, a local user must be configured for each user on the
device, using the MAC address of the accessing user as both the username and password.
If the type of username is fixed username, a single username and optionally a single password are
required for the device to authenticate all users.
MAC Authentication Timers
The following timers function in the process of MAC authentication:
Offline detect timer: At this interval, the device checks to see whether there is traffic from a user.
Once detecting that there is no traffic from a user within this interval, the device logs the user out
and sends to the RADIUS server a stop accounting request.
Quiet timer: Whenever a user fails MAC authentication, the device does not perform MAC
authentication of the user during such a period.
Server timeout timer: During authentication of a user, if the device receives no response from the
RADIUS server in this period, it assumes that its connection to the RADIUS server has timed out
and forbids the user to access the network.
Quiet MAC Address
When a user fails MAC authentication, the MAC address becomes a quiet MAC address, which means
that any packets from the MAC address will be discarded silently by the device until the quiet timer
expires. This prevents the device from authenticating an illegal user repeatedly in a short time.
If a quiet MAC address is the same as a static MAC address configured or an MAC address that has
passed another type of authentication, the quiet function does not take effect.
For separation of users from restricted network resources, users and restricted resources are usually
put into different VLANs. After a user passes identity authentication, the authorization server assigns to
the user the VLAN where the restricted resources reside as an authorized VLAN, and the port through
which the user accesses the device will be assigned to the authorized VLAN. As a result, the user can
access those restricted network resources.
Guest VLAN of MAC Authentication
Guest VLAN allows unauthenticated users to access a specified VLAN, where the users can, for
example, download or upgrade the client software, or execute some user upgrade programs. This
VLAN is called the guest VLAN.