MAC-based authentication is used for supplicants that do not support a network login mode, or supplicants that are not aware of the existence of such a security measure (for example, an IP phone).
If a MAC address is detected on a network login port with MAC-based authentication enabled, an authentication request is sent once to the AAA application. AAA tries to authenticate the MAC address against the configured RADIUS (Remote Authentication Dial In User Service) server and its configured parameters (timeout, retries, and so on) or against the local database.
In a MAC-based authentication environment, the authentication verification is done only at MAC address detection. However, forced re-authentication is allowed through the Session-Timeout VSA when RADIUS supplies it along with a Termination-Action attribute of “RADIUS-Request”. When this VSA is present with the Termination-Action attribute “RADIUS-Request”, the switch re-authenticates the client based on the value supplied by the VSA. If no VSA is present, there is no re-authentication. If the Session-Timeout VSA is supplied and either no Termination-Action attribute or the “Default” Termination-Action attribute is specified, the client is unauthenticated. You can also force re-authentication by configuring the MAC re-authentication timers using the CLI (see Configuring Reauthentication Period). If MAC re-authentication timers are configured using the CLI and RADIUS sends a different session timeout value, the RADIUS session timeout has higher precedence.
The credentials used for this are the supplicant's MAC address in ASCII representation, and a locally configured password on the switch. If no password is configured, the MAC address is used as the password. You can also group MAC addresses together using a mask.
You can configure a MAC list or a table of MAC entries to filter and authenticate clients based on their MAC addresses. If a match is found in the table of MAC entries, authentication occurs. If no match is found in the table of MAC entries, and a default entry exists, the default is used to authenticate the client. All entries in the list are automatically sorted in longest prefix order. All passwords are stored and displayed encrypted.
You can associate a MAC address with one or more ports. By learning a MAC address, the port confirms the supplicant before sending an authorization request to the RADIUS server. This additional step protects your network against unauthorized supplicants because the port accepts only authorization requests from the MAC address learned on that port. The port blocks all other requests that do not have a matching entry.
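The MAC-list matching, credential derivation and Session-Timeout rules described above, modelled as an added Python example (not switch firmware or Extreme Networks code). The sample list, masks and passwords are constructed, and the exact ASCII form of the MAC username sent to RADIUS is an assumption:

```python
# Added example, not Extreme Networks code: models the MAC-list lookup, the
# credential derivation and the Session-Timeout handling described above.
from dataclasses import dataclass
from typing import Optional

@dataclass
class MacEntry:
    mac: str                        # e.g. "00:11:22:00:00:00"
    mask: str                       # "ff:ff:ff:00:00:00" groups a whole prefix
    password: Optional[str] = None  # None: the MAC address itself is the password

# Constructed sample MAC list and default entry (not from the original page).
SAMPLE_LIST = [MacEntry("00:11:22:00:00:00", "ff:ff:ff:00:00:00", "phones"),
               MacEntry("00:11:22:33:00:00", "ff:ff:ff:ff:00:00")]
SAMPLE_DEFAULT = MacEntry("00:00:00:00:00:00", "00:00:00:00:00:00", "guest")

def _mac_int(addr):
    return int(addr.replace(":", "").replace("-", ""), 16)

def prefix_len(entry):
    return bin(_mac_int(entry.mask)).count("1")

def lookup(mac, entries, default=None):
    """Longest-prefix match against the MAC list; fall back to the default entry."""
    for entry in sorted(entries, key=prefix_len, reverse=True):
        m = _mac_int(entry.mask)
        if _mac_int(mac) & m == _mac_int(entry.mac) & m:
            return entry
    return default

def radius_credentials(mac, entries, default=None):
    """(username, password) for the RADIUS request, or None when nothing matches.
    Username is the MAC in ASCII; the exact separator format is an assumption."""
    entry = lookup(mac, entries, default)
    if entry is None:
        return None
    return mac.lower(), (entry.password if entry.password is not None else mac.lower())

def session_end(session_timeout, termination_action, cli_reauth_period=None):
    """Outcome when a MAC session timer expires: ("reauth"|"unauth"|"none", seconds).
    A RADIUS Session-Timeout takes precedence over a CLI re-authentication timer."""
    if session_timeout is not None:
        if termination_action == "RADIUS-Request":
            return "reauth", session_timeout
        return "unauth", session_timeout   # absent or "Default" Termination-Action
    if cli_reauth_period is not None:
        return "reauth", cli_reauth_period
    return "none", None
```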
Note
When ONEPolicy is enabled and authentication required mode is configured with a static macsource rule applied, even if a MAC address fails authentication, traffic is forwarded.
Note
With ONEPolicy enabled, admin-profile port rule configured, and authentication required mode set, traffic is not forwarded by the admin profile VLAN when MAC authentication fails.