406
If a user in the Auth-Fail VLAN passes MAC authentication, it is removed from the Auth-Fail VLAN and
can access all authorized network resources. If not, the user is still in the Auth-Fail VLAN.
A hybrid port is always assigned to an Auth-Fail VLAN as an untagged member. After the assignment,
do not re-configure the port as a tagged member in the VLAN.
Configuration prerequisites
Before you configure MAC authentication, complete the following tasks:
1. Configure an ISP domain and specify an AAA method. For more information, see "Configuring
AAA."
{ For local authentication, you must also create local user accounts (including usernames and
passwords), and specify the lan-access service for local users.
{ For RADIUS authentication, make sure the device and the RADIUS server can reach each other,
and create user accounts on the RADIUS server. If you are using MAC-based accounts, make
sure the username and password for each account are the same as the MAC address of each
MAC authentication user.
2. Make sure the port security feature is disabled. For more information about port security, see
"Configuring port security."
Recommended configuration procedure
Ste
1. Configuring MAC authentication globally
Required.
This function enables MAC authentication globally and
configures the advanced parameters.
By default, MAC authentication is disabled globally.
2. Configuring MAC authentication on a port
Required.
This function enables MAC authentication on a port.
MAC authentication can take effect on a port only when it is
enabled globally and on the port. You can configure MAC
authentication on ports first.
By default, MAC authentication is disabled on a port.
Configuring MAC authentication globally
1. From the navigation tree, select Authentication > MAC Authentication.
2. In the MAC Authentication Configuration area, click Advanced.