MAC-Based Authentication

MAC-based authentication enables network access to be restricted to specific devices identified by a MAC address.

A RADIUS server is required for MAC-based authentication. Each device that is to be authenticated by MAC-based authentication must have an entry in the RADIUS server database. The user ID of the entry is the device's MAC address. The password of the entry is either a fixed password shared by all devices using the network or the device's MAC address. You must configure ExtremeCloud so that it knows whether to use the device's MAC address as its password or a password that is used with all devices undergoing MAC authentication.

To set up a RADIUS server for MAC-based authentication, you must set up a user account with user ID=MAC and Password=MAC (or a password defined by the administrator) for each user. How you specify the MAC address format and role depends on which RADIUS server is being used.

MAC-based authentication can be used on its own, or in conjunction with either WPA-PSK or an external captive portal. When MAC-based authentication is used with an external captive portal, the RADIUS server typically needs to have a second user ID and password configured for use by the client while authenticating to the captive portal.

The RADIUS server can respond to a request for MAC-based authentication by returning the name of a policy that it wants applied to the supplicant client's traffic. The name must be the name of a policy defined in ExtremeCloud and deployed to the AP that is performing authentication.
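The following is an added example, not ExtremeCloud or RADIUS vendor code: a Python audit that checks a list of RADIUS accounts against the rules above (user ID is the MAC address in one agreed format, password is either the MAC address or the shared password, and any returned policy name is one that is defined). The format names, record fields, policy names, and sample MAC addresses are assumptions constructed for illustration.

```python
import re

# Delimiter/case styles are assumptions; use whichever format your RADIUS
# server and ExtremeCloud configuration agree on.
FORMATS = {
    "plain-lower": ("", str.lower),    # aabbccddeeff
    "colon-upper": (":", str.upper),   # AA:BB:CC:DD:EE:FF
    "hyphen-upper": ("-", str.upper),  # AA-BB-CC-DD-EE-FF
}

def normalize_mac(mac, fmt):
    """Return mac rendered in the named format, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    sep, case = FORMATS[fmt]
    return sep.join(case(digits[i:i + 2]) for i in range(0, 12, 2))

def build_entry(mac, fmt, shared_password=None, policy=None):
    """One RADIUS account: user ID is the MAC; password is the MAC or shared."""
    user_id = normalize_mac(mac, fmt)
    password = shared_password if shared_password is not None else user_id
    return {"user_id": user_id, "password": password, "policy": policy}

def audit(entries, fmt, shared_password=None, known_policies=()):
    """List entries that would not authenticate or name an undefined policy."""
    problems = []
    for e in entries:
        try:
            expected_id = normalize_mac(e["user_id"], fmt)
        except ValueError:
            problems.append((e["user_id"], "user ID is not a MAC address"))
            continue
        if e["user_id"] != expected_id:
            problems.append((e["user_id"], f"user ID format differs, expected {expected_id}"))
        expected_pw = shared_password if shared_password is not None else expected_id
        if e["password"] != expected_pw:
            problems.append((e["user_id"], "password does not match configured mode"))
        if e.get("policy") and e["policy"] not in known_policies:
            problems.append((e["user_id"], f"policy {e['policy']!r} not defined"))
    return problems

# Constructed sample data (locally administered MAC addresses).
SAMPLE = [
    build_entry("02:00:5E:10:00:01", "plain-lower", policy="iot-sensors"),
    {"user_id": "02-00-5E-10-00-02", "password": "02005e100002", "policy": None},
    {"user_id": "02005e100003", "password": "02005e100003", "policy": "printers"},
]
```

Calling `audit(SAMPLE, "plain-lower", known_policies={"iot-sensors"})` flags the second account for its user ID format and the third for a policy name that is not in the known set.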

By itself, MAC-based authentication does not provide privacy (encryption between AP and client device). However, it can be used with WPAv2-PSK and WPAv2 Enterprise, which do provide privacy.