Configuring MAC authentication
Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. It does
not require client software. A user does not need to input a username and password for network access.
The device initiates a MAC authentication process when it detects an unknown source MAC address on
a MAC authentication enabled port. If the MAC address passes authentication, the user can access
authorized network resources. If the authentication fails, the device marks the MAC address as a silent
MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from
the MAC address within the quiet time. This quiet mechanism avoids repeated authentication during a
short time.
NOTE:
If the MAC address that has failed authentication is a static MAC address or a MAC address that has
passed any security authentication, the device does not mark it as a silent address.
User account policies
MAC authentication supports the following user account policies:
• One MAC-based user account for each user. The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication. This policy is suitable for an insecure environment.
• One shared user account for all users. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication users on the access device. This policy is suitable for a secure environment.
Authentication approaches
You can perform MAC authentication on the access device (local authentication) or through a Remote
Authentication Dial-In User Service (RADIUS) server.
Suppose a packet with an unknown source MAC address arrives at a MAC authentication enabled port.
In the local authentication approach:
• If MAC-based accounts are used, the access device uses the source MAC address of the packet as the username and password to search its local account database for a match.
• If a shared account is used, the access device uses the shared account username and password to search its local account database for a match.
In the RADIUS authentication approach:
• If MAC-based accounts are used, the access device sends the source MAC address as the username and password to the RADIUS server for authentication.
• If a shared account is used, the access device sends the shared account username and password to the RADIUS server for authentication.
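The following added example (not part of this guide or the vendor's software) models the local authentication approach described above as a small simulation: a port that derives credentials according to the account policy, looks them up in a constructed local account database, marks a failed MAC as silent and drops its packets until the quiet timer expires, and exempts static or already-authenticated MACs from silencing. All account names, MAC addresses and the 60-second quiet time are constructed values.

```python
class MacAuthPort:
    """Simulates MAC authentication decisions on one port (local approach)."""

    def __init__(self, accounts, shared=None, exempt_macs=(), quiet_time=60):
        self.accounts = dict(accounts)      # local database: {username: password}
        self.shared = shared                # (username, password), or None for MAC-based accounts
        self.exempt_macs = set(exempt_macs) # static MACs or MACs that passed another security authentication
        self.quiet_time = quiet_time        # seconds a silent MAC stays blocked
        self.authorized = set()             # MACs that passed authentication
        self.silent = {}                    # silent MAC -> time the quiet timer expires

    def credentials(self, mac):
        # MAC-based policy: the MAC address serves as both username and password.
        if self.shared is None:
            return mac, mac
        return self.shared                  # shared policy: one account for every user

    def handle_packet(self, mac, now):
        """Return what the port does with a packet from `mac` arriving at time `now`."""
        if mac in self.authorized:
            return "forward"
        expiry = self.silent.get(mac)
        if expiry is not None:
            if now < expiry:
                return "drop-quiet"         # still inside the quiet time: drop without re-authenticating
            del self.silent[mac]            # quiet timer expired: authentication may run again
        user, pwd = self.credentials(mac)
        if self.accounts.get(user) == pwd:
            self.authorized.add(mac)
            return "authorized"
        if mac not in self.exempt_macs:     # static / already-secured MACs are never marked silent
            self.silent[mac] = now + self.quiet_time
        return "drop-failed"


def run_demo():
    """Constructed scenario: one known MAC, one unknown MAC, one exempt MAC."""
    known, unknown, exempt = "00-e0-fc-00-00-01", "00-e0-fc-00-00-02", "00-e0-fc-00-00-03"
    port = MacAuthPort(accounts={known: known}, exempt_macs={exempt})
    return [
        port.handle_packet(known, 0),       # authorized
        port.handle_packet(known, 1),       # forward
        port.handle_packet(unknown, 0),     # drop-failed, quiet timer started
        port.handle_packet(unknown, 30),    # drop-quiet
        port.handle_packet(unknown, 60),    # drop-failed, re-authenticated after the timer expired
        port.handle_packet(exempt, 0),      # drop-failed, but not silenced
        port.handle_packet(exempt, 1),      # drop-failed again (re-authenticated, not quiet)
    ]


if __name__ == "__main__":
    print(run_demo())
```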