For more information about configuring local authentication and RADIUS authentication, see
"Configuring
MAC authentication timers
MAC authentication uses the following timers:
Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards
•
the user idle. If a user connection has been idle for two consecutive intervals, the device logs the
user out and stops accounting for the user.
•
Quiet timer—Sets the interval that the device must wait before it can perform MAC authentication
for a user that has failed MAC authentication. All packets from the MAC address are dropped
during the quiet time. This quiet mechanism prevents repeated authentication from affecting system
performance.
Server timeout timer—Sets the interval that the access device waits for a response from a RADIUS
•
server before it regards the RADIUS server unavailable. If the timer expires during MAC
authentication, the user cannot access the network.
Using MAC authentication with other features
VLAN assignment
You can specify a VLAN in the user account for a MAC authentication user to control the account's
access to network resources. After the user passes MAC authentication, the authentication server, either
the local access device or a RADIUS server, assigns the VLAN to the port as the default VLAN. After the
user logs off, the initial default VLAN, or the default VLAN configured before any VLAN is assigned by
the authentication server, restores. If the authentication server assigns no VLAN, the initial default VLAN
applies.
A hybrid port is always assigned to a server-assigned VLAN as an untagged member. After the
assignment, do not re-configure the port as a tagged member in the VLAN.
If MAC-based VLAN is enabled on a hybrid port, the device maps the server-assigned VLAN to the MAC
address of the user. The default VLAN of the hybrid port does not change.
ACL assignment
You can specify an ACL in the user account for a MAC authentication user to control its access to network
resources. After the user passes MAC authentication, the authentication server, either the local access
device or a RADIUS server, assigns the ACL to the access port to filter the traffic from this user. You must
configure the ACL on the access device for the ACL assignment function. You can change ACL rules while
the user is online.
Configuration task list
Task
Basic configuration for MAC
authentication
AAA"
Configuring MAC authentication globally
Configuring MAC authentication on a port
104
Remarks
Required
Required