MAC-Based Authentication (MAC)

MAC-based authentication (MAC) authenticates a device using the source MAC address of received packets. Two modes are supported for MAC authentication: password and RADIUS username. The MAC authentication mode is set using the set macauthentication auth-mode command.

By default the MAC authentication server uses an administratively configured password to authenticate a user. The default value for the password is “NOPASSWORD”. The administratively configured password is set using the set macauthentication password command.

Alternatively, MAC authentication can be configured for RADIUS username mode, which uses the username credential configured on the RADIUS server, with the password the same as the username. The following is an example RADIUS server configuration for MAC address 00-00-22-22-02-01, first with a mask of 48, followed by the address with a mask of 40.

The full user name with a mask of 48:

00-00-22-22-02-01 Auth-Type := Local, User-Password == "00-00-22-22-02-01"
                Service-Type = Framed-User

The user name with a mask of 40:

00-00-22-22-03-00 Auth-Type := Local, User-Password == "00-00-22-22-03-00"
                Service-Type = Framed-User

In either case, if the authentication server receives valid credentials from the switch, RADIUS returns an Accept message to the switch.
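The following added example (not part of the original documentation or the vendor's code) derives the RADIUS username for a MAC address under a given mask and shows how many addresses a single entry then covers. It assumes that bits beyond the mask length are zeroed, as the last octet of the mask-40 entry above suggests; the function names and the sample address 00-00-22-22-03-7F are constructed for illustration.

```python
import re

def masked_mac(mac: str, mask_bits: int) -> str:
    """Keep the top mask_bits of a 48-bit MAC; return it as AA-BB-CC-DD-EE-FF."""
    if not 0 <= mask_bits <= 48:
        raise ValueError("mask must be between 0 and 48 bits")
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Assumption: bits past the mask are zeroed before the name is sent.
    keep = ((1 << mask_bits) - 1) << (48 - mask_bits)
    masked = int(digits, 16) & keep
    # Hex letter case is an assumption; match whatever the switch sends.
    return "-".join(f"{b:02X}" for b in masked.to_bytes(6, "big"))

def addresses_covered(mask_bits: int) -> int:
    """Number of distinct MAC addresses that map to one masked username."""
    if not 0 <= mask_bits <= 48:
        raise ValueError("mask must be between 0 and 48 bits")
    return 1 << (48 - mask_bits)

def users_entry(mac: str, mask_bits: int) -> str:
    """Build a users-file entry in the layout shown above (password == username)."""
    name = masked_mac(mac, mask_bits)
    return (f'{name} Auth-Type := Local, User-Password == "{name}"\n'
            f'                Service-Type = Framed-User')

if __name__ == "__main__":
    # Constructed sample inputs: (source MAC, mask length)
    for mac, mask in [("00-00-22-22-02-01", 48), ("00-00-22-22-03-7F", 40)]:
        print(f"# mask {mask}: one entry admits {addresses_covered(mask)} address(es)")
        print(users_entry(mac, mask))
        print()
```

Each bit removed from the mask doubles the number of source addresses that a single RADIUS entry accepts, so a mask of 40 admits 256 addresses with one credential.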

MAC authentication enables switches to authenticate end systems, such as printers and camcorder devices, that do not support 802.1X or web authentication. Since MAC-based authentication authenticates the device, not the user, and is subject to MAC address spoofing attacks, it should not be considered a secure authentication method. However, it does provide a level of authentication for a device where otherwise none would be possible.

MAC-based authentication agent accounting is supported and defaults to enabled. RADIUS accounting must be enabled using the set radius accounting command. MAC-based authentication agent accounting can be disabled using the set macauthentication accounting command.