740 CHAPTER 52: MAC AUTHENTICATION CONFIGURATION
If the authentication succeeds, the user will be granted permission to access the
network resources.
Local MAC Authentication
In local MAC authentication, the device authenticates users locally, and what
must be manually configured for users on the device depends on the type of MAC
authentication username:
■ If the type of MAC authentication username is MAC address, a local user must
be configured for each user on the device, using the MAC address of the user
as both the username and password.
■ If the type of MAC authentication username is fixed username, a single
username and optionally a single password are required for the device to
authenticate all users.
Related Concepts
MAC Authentication Timers
The following timers are used in the MAC authentication process:
■ Offline detect timer: At this interval, the device checks whether an online
user has gone offline. Once it detects that a user has gone offline, the device
sends a stop-accounting notice to the RADIUS server.
■ Quiet timer: Whenever a user fails MAC authentication, the device does not
initiate MAC authentication for that user again during this period.
■ Server timeout timer: During authentication of a user, if the device receives no
response from the RADIUS server within this period, it assumes that its
connection to the RADIUS server has timed out and denies the user access to the
network.
Quiet MAC Address
When a user fails MAC authentication, the user's MAC address becomes a quiet
MAC address: the device simply discards any packets from that MAC address until
the quiet timer expires. This prevents the device from repeatedly authenticating
invalid users within a short time.
CAUTION: If the quiet MAC address is the same as a configured static MAC
address or an authentication-passed MAC address, the quiet function does not
take effect.
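The following Python model is an added example, not the manual's text or the device's own implementation; it ties together the local authentication rules (MAC-address username versus fixed username) and the quiet MAC address behaviour, including the caution that static and authentication-passed MAC addresses are exempt. The in-memory user table, the injectable clock and the MAC string format are assumptions made for the example.

```python
import time

class MacAuthenticator:
    """Constructed model of local MAC authentication plus the quiet-MAC rule.
    Assumed, not from the manual: an in-memory user table (username -> password),
    an injectable clock for testing, and a set of static MACs; MACs compare verbatim.
    """

    def __init__(self, local_users, username_type="mac-address",
                 fixed_credentials=None, static_macs=(), quiet_timer=60,
                 clock=time.monotonic):
        self.local_users = dict(local_users)
        self.username_type = username_type          # "mac-address" or "fixed"
        self.fixed_credentials = fixed_credentials  # (username, password) for "fixed"
        self.static_macs = set(static_macs)         # statically configured MACs
        self.quiet_timer = quiet_timer              # seconds
        self.clock = clock
        self.online = set()                         # authentication-passed MACs
        self.quiet_until = {}                       # quiet MAC -> expiry time

    def _authenticate(self, mac):
        """Local authentication according to the MAC authentication username type."""
        if self.username_type == "mac-address":
            # One local user per client: the MAC is both username and password.
            return self.local_users.get(mac) == mac
        # Fixed username: one username (and optional password) for all clients.
        user, password = self.fixed_credentials
        return self.local_users.get(user) == password

    def _is_quiet(self, mac):
        expiry = self.quiet_until.get(mac)
        if expiry is None or self.clock() >= expiry:
            self.quiet_until.pop(mac, None)         # no entry, or quiet timer expired
            return False
        # CAUTION rule: quiet has no effect on a static or authentication-passed MAC.
        return mac not in self.static_macs and mac not in self.online

    def handle_packet(self, mac):
        """Return 'forward', 'drop' or 'auth-fail' for a packet from `mac`."""
        if mac in self.online:
            return "forward"
        if self._is_quiet(mac):
            return "drop"                           # discarded until quiet timer expires
        if self._authenticate(mac):
            self.online.add(mac)
            return "forward"
        self.quiet_until[mac] = self.clock() + self.quiet_timer
        return "auth-fail"
```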
VLAN Assigning
A more general way to separate users from restricted network resources is to put
the users and the restricted resources into different VLANs. After a user passes
identity authentication, the authorization server assigns the VLAN in which the
restricted resources reside as the authorized VLAN, and the port to which the
user is connected becomes a member of that authorized VLAN. As a result, the
user can access those restricted network resources.
ACL Assigning
ACLs assigned by an authorization server are referred to as authorization ACLs;
they control access to network resources at a very fine granularity. When a user
logs in, if the RADIUS server is configured with authorization ACLs, the device
permits or denies data flows through the port via which the user accesses the
device according to the authorization ACLs assigned by the RADIUS server. You
can change users' access rights by modifying the authorization ACL settings on
the RADIUS server.