MAC-Based Authentication

MAC-based authentication is used for supplicants that do not support a network login mode, or that are not aware of the existence of such a security measure (for example, an IP phone).

If a MAC address is detected on a network login port with MAC-based authentication enabled, an authentication request is sent once to the AAA application. AAA tries to authenticate the MAC address against the configured RADIUS (Remote Authentication Dial In User Service) server, using its configured parameters (timeout, retries, and so on), or against the local database.

In a MAC-based authentication environment, authentication is verified only when the MAC address is first detected. However, forced reauthentication is possible through the Session-Timeout attribute supplied by RADIUS (RADIUS attribute 27, a standard attribute rather than a vendor-specific one, although it is often referred to as a VSA). When this attribute is present, the switch reauthenticates the client after the number of seconds it specifies. If it is absent, there is no reauthentication. You can also force reauthentication by configuring the MAC reauthentication timers using the CLI (see Configuring Reauthentication Period). If MAC reauthentication timers are configured using the CLI and RADIUS sends a different session timeout value, the RADIUS session timeout takes precedence.

The credentials used for this authentication are the supplicant's MAC address in ASCII representation as the user name, and a locally configured password on the switch. If no password is configured, the MAC address is used as the password. You can also group MAC addresses together using a mask. Because the MAC address is both the identity and, by default, the password, any host that can set its own MAC address can present the same credentials; treat MAC-based authentication as identifying a device class rather than proving who is on the port.

You can configure a MAC list (a table of MAC entries) to filter and authenticate clients by MAC address. If a match is found in the table, the matching entry is used for authentication. If no match is found and a default entry exists, the default entry is used to authenticate the client. All entries in the list are automatically sorted in longest-prefix order, so the most specific entry wins. All passwords are stored and displayed encrypted.
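The following Python model is an added example and is not ExtremeXOS code. It simulates the behaviour described above: a MAC list whose entries carry an optional mask and password, searched in longest-prefix order with a default-entry fallback; the credential pair sent to RADIUS (user name is the MAC in ASCII, password is the configured password or, when none is configured, the MAC itself); and the precedence of the RADIUS Session-Timeout over a CLI-configured reauthentication period. The colon-separated lower-case ASCII form of the MAC, the sample addresses, and the choice to send no request when neither an entry nor a default matches are assumptions made for the example.

```python
"""Model of MAC-based network login credential lookup (added example, not
ExtremeXOS code). Assumptions: the RADIUS User-Name is the MAC in
colon-separated lower-case ASCII, and a client matching neither an entry
nor the default entry is filtered out (no request is sent)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_BITS = 48
ALL_ONES = (1 << MAC_BITS) - 1


def parse_mac(text: str) -> int:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'; return a 48-bit int."""
    digits = text.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Assumed ASCII form used as the RADIUS User-Name (colon-separated, lower case)."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def prefix_len(mask: int) -> int:
    """Length of a contiguous mask; non-contiguous masks are rejected."""
    n = bin(mask).count("1")
    if mask != (ALL_ONES << (MAC_BITS - n)) & ALL_ONES:
        raise ValueError(f"mask {mask:012x} is not a contiguous prefix")
    return n


@dataclass(frozen=True)
class MacEntry:
    mac: int
    mask: int
    password: Optional[str]  # None: the MAC address itself is used as the password

    def matches(self, mac: int) -> bool:
        return (mac & self.mask) == (self.mac & self.mask)


class MacList:
    """MAC table kept sorted in longest-prefix order, plus an optional default entry."""

    def __init__(self) -> None:
        self.entries: List[MacEntry] = []
        self.default: Optional[MacEntry] = None

    def add(self, mac: str, mask: str = "ff:ff:ff:ff:ff:ff", password: Optional[str] = None) -> None:
        entry = MacEntry(parse_mac(mac), parse_mac(mask), password)
        prefix_len(entry.mask)  # validate the mask before storing the entry
        self.entries.append(entry)
        # Longest prefix first, so the most specific entry is found first.
        self.entries.sort(key=lambda e: prefix_len(e.mask), reverse=True)

    def set_default(self, password: Optional[str] = None) -> None:
        self.default = MacEntry(0, 0, password)  # mask 0 matches every address

    def lookup(self, mac: int) -> Optional[MacEntry]:
        for entry in self.entries:
            if entry.matches(mac):
                return entry
        return self.default


def radius_credentials(table: MacList, mac: str) -> Optional[Tuple[str, str]]:
    """(User-Name, User-Password) for the RADIUS request, or None when nothing matches."""
    value = parse_mac(mac)
    entry = table.lookup(value)
    if entry is None:
        return None
    username = format_mac(value)
    return username, (entry.password if entry.password is not None else username)


def reauth_period(session_timeout: Optional[int], cli_period: Optional[int]) -> Optional[int]:
    """Seconds until forced reauthentication: the RADIUS Session-Timeout wins over
    the CLI timer, and None means the client is never reauthenticated."""
    return session_timeout if session_timeout is not None else cli_period


if __name__ == "__main__":
    table = MacList()
    table.add("00:04:96:00:00:00", "ff:ff:ff:00:00:00", password="phones")  # constructed OUI entry
    table.add("00:04:96:12:34:56", password="exact")                        # constructed host entry
    table.set_default("guest")
    for probe in ("00:04:96:12:34:56", "00:04:96:aa:bb:cc", "00:11:22:33:44:55"):
        print(probe, "->", radius_credentials(table, probe))
```

Running the block shows the exact host entry winning over the 24-bit OUI entry for the same address, the OUI entry catching the rest of that prefix, and every other address falling through to the default entry; remove the default and the last probe yields no request at all.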

You can associate a MAC address with one or more ports. By learning a MAC address on a port, the switch confirms the supplicant before sending an authorization request to the RADIUS server. This additional step protects your network against unauthorized supplicants because the port accepts only requests from MAC addresses learned on that port and blocks all requests that have no matching entry.

Note

When ONEPolicy is enabled and authentication required mode is configured with a static macsource rule applied, even if a MAC address fails authentication, traffic is forwarded.

Note

With ONEPolicy enabled, admin-profile port rule configured, and authentication required mode set, traffic is not forwarded by the admin profile VLAN when MAC authentication fails.