The ACL will filter traffic for this user. You must configure ACL rules for the authorization ACL on the
access device for the ACL assignment feature.
To ensure a successful ACL assignment, make sure the ACL does not contain rules that match
source MAC addresses.
To change the access control criteria for the user, you can use one of the following methods:
• Modify ACL rules on the access device.
• Specify another authorization ACL on the authentication server.
For more information about ACLs, see ACL and QoS Configuration Guide.
User profile assignment
You can specify a user profile in the user account for a MAC authentication user to control the user's
access to network resources. After the user passes MAC authentication, the authentication server
assigns the user profile to the user to filter traffic for this user. The authentication server can be the
local access device or a RADIUS server. In either case, you must configure the user profile on the
access device.
To change the user's access permissions, you can use one of the following methods:
• Modify the user profile configuration on the access device.
• Specify another user profile for the user on the authentication server.
For more information about user profiles, see "Configuring user profiles."
Periodic MAC reauthentication
This feature is available in Release 1121 and later.
Periodic MAC reauthentication tracks the connection status of online users, and updates the
authorization attributes assigned by the RADIUS server. The attributes include the ACL and VLAN.
The device reauthenticates an online MAC authentication user periodically only after it receives
the Termination-Action attribute set to Radius-request from the authentication server for this user.
The Session-Timeout attribute (session timeout period) assigned by the server is the reauthentication
interval. To display the server-assigned Session-Timeout and Termination-Action attributes, use the
display mac-authentication connection command. Support for the server configuration and assignment of
Session-Timeout and Termination-Action attributes depends on the server model.
When no server is reachable for MAC reauthentication, the device keeps the MAC authentication
users online or logs off the users, depending on the keep-online feature configuration on the device.
For information about the keep-online feature, see "Configuring the keep-online feature."
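The following Python sketch is an added example, not code from this guide or from the device. It parses the attributes of a RADIUS Access-Accept and applies the rule above: a reauthentication interval exists only when Termination-Action is Radius-request and Session-Timeout is present. The attribute numbers and the value 1 come from RFC 2865; the function names and sample packets are constructed for illustration, and the Response Authenticator is not verified.

```python
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27     # RFC 2865 attribute type, 4-octet integer (seconds)
TERMINATION_ACTION = 29  # RFC 2865 attribute type, 4-octet integer
RADIUS_REQUEST = 1       # Termination-Action value "RADIUS-Request"

def parse_attributes(packet: bytes):
    """Return (code, {attr_type: value_bytes}) for a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-octet RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("invalid Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("invalid attribute length")
        attrs[a_type] = packet[pos + 2:pos + a_len]  # last occurrence wins
        pos += a_len
    return code, attrs

def _uint32(value):
    """Decode a 4-octet integer attribute; None if absent or malformed."""
    if value is None or len(value) != 4:
        return None
    return struct.unpack("!I", value)[0]

def reauth_interval(packet: bytes):
    """Seconds between reauthentications, or None if none is requested."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    if _uint32(attrs.get(TERMINATION_ACTION)) != RADIUS_REQUEST:
        return None
    return _uint32(attrs.get(SESSION_TIMEOUT))

def build_accept(attrs):
    """Build a constructed Access-Accept (zeroed authenticator) for testing."""
    body = b"".join(struct.pack("!BBI", t, 6, v) for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples, not captured traffic.
WITH_REAUTH = build_accept([(SESSION_TIMEOUT, 3600), (TERMINATION_ACTION, RADIUS_REQUEST)])
TIMEOUT_ONLY = build_accept([(SESSION_TIMEOUT, 3600)])

if __name__ == "__main__":
    print(reauth_interval(WITH_REAUTH), reauth_interval(TIMEOUT_ONLY))
```

Running the same check against a capture of the server's Access-Accept shows whether a missing reauthentication interval comes from the server policy rather than from the device.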
Configuration prerequisites
Before you configure MAC authentication, complete the following tasks:
1. Configure an ISP domain and specify an AAA method. For more information, see "Configuring
AAA."
   ○ For local authentication, you must also create local user accounts (including usernames
     and passwords), and specify the lan-access service for local users.
   ○ For RADIUS authentication, make sure the device and the RADIUS server can reach each
     other, and create user accounts on the RADIUS server. If you are using MAC-based
     accounts, make sure the username and password for each account are the same as the
     MAC address of each MAC authentication user.