
Nokia 7705 SAR - 3.4 MAC Authentication

Nokia 7705 SAR
902 pages
7705 SAR Interfaces
Interface Configuration Guide
3HE 11011 AAAC TQZZA Edition: 01
3.4 MAC Authentication
The 7705 SAR supports the 802.1x EAP standard for authenticating Ethernet
devices before they can access the network. However, if a client device does not
support 802.1x EAP, MAC authentication can be used to prevent unauthorized traffic
from being transmitted through the 7705 SAR.
802.1x EAP must be enabled for MAC authentication to be used, as MAC
authentication is a fallback mechanism. To authenticate a port using MAC
authentication, 802.1x authentication must first be configured on the 7705 SAR by
enabling port-control auto, and then mac-auth must be configured on the
7705 SAR to enable MAC authentication.
When a port becomes operationally up with MAC authentication enabled, the
following steps are performed by the 7705 SAR (as the authenticator):
1. After transmission of the first EAP-Request/ID PDU, the 7705 SAR starts the
mac-auth-wait timer and begins listening on the port for EAP-Response/ID
PDUs. At this point, the 7705 SAR only listens to EAPOL frames. If EAPOL
frames are received, 802.1x authentication is chosen.
2. If the mac-auth-wait timer expires, and no EAPOL frames have been received,
the 7705 SAR begins listening on the port for any Ethernet frames.
3. If the 7705 SAR receives an Ethernet frame, the 7705 SAR scans the client
source MAC address in the frame and transmits the MAC address to the
configured RADIUS server for comparison against the MAC addresses
configured in its database.
The following attributes are contained in the RADIUS message:
   - User-Name – the source MAC address of the client device
   - User-Password – the source MAC address of the client device in an encrypted format
   - Service-Type – the type of service that the client has requested; the value is set to 10 (call-check) for MAC authentication requests
   - Calling-Station-Id – the source MAC address of the client device
   - NAS-IP-Address – the IP address of the device acting as the authenticator
   - NAS-Port – the physical port of the device acting as the authenticator
Note: If it is known that the attached equipment does not support EAP, no mac-auth-wait
can be configured so that MAC authentication can be used as soon as the port is
operationally up.
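
Added example (not from the Nokia manual or Nokia software): a check a RADIUS server could apply to the Access-Request described in step 3. It parses the listed attributes and accepts only a call-check request whose identity attributes agree and whose MAC is known. Assumptions: the "encrypted format" is the standard RFC 2865 User-Password hiding, MAC addresses are sent as colon-separated lowercase strings, and the shared secret, sample MAC and all function names are constructed for illustration.

```python
import hashlib, os, struct

# RADIUS attribute type numbers (RFC 2865) for the attributes listed above.
USER_NAME, USER_PASSWORD, NAS_IP, NAS_PORT, SERVICE_TYPE, CALLING_ID = 1, 2, 4, 5, 6, 31
CALL_CHECK = struct.pack("!I", 10)  # Service-Type 10 (call-check), as stated on the page
# Constructed sample values; the MAC string format is an assumption.
SECRET, KNOWN_MACS = b"constructed-secret", {"00:11:22:33:44:55"}

def _hide(data, secret, ra, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with chained MD5."""
    out, prev = b"", ra
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if decrypt else res  # the chain always runs over ciphertext
        out += res
    return out

def build_request(mac, secret, nas_ip, nas_port, service_type=CALL_CHECK):
    """Constructed Access-Request carrying the six attributes (sample input only)."""
    ra, m = os.urandom(16), mac.encode()
    padded = m + b"\0" * (-len(m) % 16)
    attrs = [(USER_NAME, m), (USER_PASSWORD, _hide(padded, secret, ra)),
             (SERVICE_TYPE, service_type), (CALLING_ID, m),
             (NAS_IP, bytes(nas_ip)), (NAS_PORT, struct.pack("!I", nas_port))]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + ra + body

def check_mac_auth(packet, secret, allowed_macs):
    """Server-side policy: accept only a well-formed call-check request for a known MAC."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if packet[:1] != b"\x01" or not 20 <= length <= len(packet):
        return "reject: not a valid Access-Request"
    ra, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return "reject: malformed attribute"
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    # MAC credentials are just the address, so honour them only for call-check.
    if attrs.get(SERVICE_TYPE) != CALL_CHECK:
        return "reject: Service-Type is not call-check"
    user = attrs.get(USER_NAME, b"")
    password = _hide(attrs.get(USER_PASSWORD, b""), secret, ra, True).rstrip(b"\0")
    if not (user and user == password == attrs.get(CALLING_ID)):
        return "reject: identity attributes disagree"
    if user.decode("ascii", "replace").lower() not in allowed_macs:
        return "reject: MAC not in database"
    return "accept"
```

Restricting MAC-derived credentials to Service-Type 10 keeps an account whose password equals its own MAC address from being accepted for any other kind of request.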
