ACL assignment
You can specify an ACL in the user account for a MAC authentication user to control its access to network
resources. After the user passes MAC authentication, the authentication server, either the local access
device or a RADIUS server, assigns the ACL to the access port to filter the traffic from this user. You must
configure the ACL on the access device for the ACL assignment function. You can change ACL rules when
the user is online.
Guest VLAN
You can configure a guest VLAN to accommodate MAC authentication users that have failed MAC
authentication on the port. Users in the MAC authentication guest VLAN can access a limited set of
network resources, such as a software server, to download anti-virus software and system patches. If no
MAC authentication guest VLAN is configured, the user that fails MAC authentication cannot access any
network resources.
If a user in the guest VLAN passes MAC authentication, it is removed from the guest VLAN and can
access all authorized network resources. If not, the user is still in the MAC authentication guest VLAN.
NOTE:
A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not
re-configure the port as a tagged member in the VLAN.
Critical VLAN
You can configure a MAC authentication critical VLAN on a port to accommodate users that fail MAC
authentication because no RADIUS authentication server is reachable. Users in a MAC authentication
critical VLAN can access a limited set of network resources depending on your configuration.
The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS
servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is
not assigned to the critical VLAN. For more information about RADIUS authentication, see the chapter
"AAA configuration."
Any of the following RADIUS authentication server changes in the ISP domain for MAC authentication
users on a port can cause users to be removed from the critical VLAN:
• An authentication server is added to the ISP domain and the server is reachable.
• A response from a RADIUS authentication server is received.
• The RADIUS server probing function detects that a RADIUS authentication server is reachable.
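The guest VLAN and critical VLAN placement rules described above, modelled as an added Python example (not code from this manual or from the device). The state names, event names, VLAN IDs, and the handling of every non-critical failure under the guest VLAN rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Outcome(Enum):
    PASS = "pass"                        # user passed MAC authentication
    FAIL = "fail"                        # user failed MAC authentication
    NO_RADIUS_REACHABLE = "unreachable"  # failed: no RADIUS server reachable
    LOCAL_FAIL_AFTER_RADIUS = "local"    # failed local auth after RADIUS

@dataclass
class Port:
    guest_vlan: Optional[int] = None
    critical_vlan: Optional[int] = None
    radius_only: bool = True             # MAC auth done only through RADIUS

# Server changes that can remove users from the critical VLAN (hypothetical names).
CRITICAL_EXIT_EVENTS = {"server_added_and_reachable", "radius_response_received",
                        "probe_found_server_reachable"}

def place(port: Port, outcome: Outcome, authorized_vlan: int) -> Tuple[str, Optional[int]]:
    """Return (state, vlan) for a user after one authentication attempt."""
    if outcome is Outcome.PASS:
        return ("authorized", authorized_vlan)
    # Critical VLAN: only for "no RADIUS server reachable" with RADIUS-only auth.
    if (outcome is Outcome.NO_RADIUS_REACHABLE and port.radius_only
            and port.critical_vlan is not None):
        return ("critical", port.critical_vlan)
    # Assumption: every other failure is handled by the guest VLAN rule.
    if port.guest_vlan is not None:
        return ("guest", port.guest_vlan)
    return ("blocked", None)             # no guest VLAN: no network access

def leaves_critical(state: str, event: str) -> bool:
    """True if a user in the critical VLAN can be removed from it by this event."""
    return state == "critical" and event in CRITICAL_EXIT_EVENTS

def audit(port: Port) -> list:
    """Flag port settings whose behaviour on authentication failure may surprise."""
    notes = []
    if port.critical_vlan is not None and not port.radius_only:
        notes.append("critical VLAN set but auth is not RADIUS-only: no effect")
    if port.critical_vlan is None and port.guest_vlan is None:
        notes.append("no guest or critical VLAN: failed users get no access")
    return notes

if __name__ == "__main__":
    p = Port(guest_vlan=100, critical_vlan=200)  # constructed sample values
    for o in Outcome:
        print(o.name, place(p, o, authorized_vlan=10))
```

Running the placement function over each outcome for a planned port configuration shows which VLAN a device lands in during a RADIUS outage, which is the case to review when the critical VLAN reaches more resources than the guest VLAN.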
MAC authentication configuration task list
Perform these tasks to configure MAC authentication:
Task                                              Remarks
Basic configuration for MAC authentication:
  Configuring MAC authentication globally         Required
  Configuring MAC authentication on a port