Login
- Table of Contents
-
- 10-Security
- 00-Preface
- 01-AAA configuration
- 02-802.1X configuration
- 03-802.1X client configuration
- 04-MAC authentication configuration
- 05-Portal configuration
- 06-User profile configuration
- 07-Password control configuration
- 08-Public key management
- 09-PKI configuration
- 10-IPsec configuration
- 11-SSH configuration
- 12-SSL configuration
- 13-Session management
- 14-Connection limit configuration
- 15-Attack detection and prevention configuration
- 16-IP source guard configuration
- 17-ARP attack protection configuration
- 18-ND attack defense configuration
- 19-User isolation configuration
- 20-ASPF configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 04-MAC authentication configuration | 54.18 KB |
Contents
Configuring MAC authentication
Command and hardware compatibility
Specifying a MAC authentication domain
Configuring the user account format
Configuring MAC authentication server timeout timer
Displaying and maintaining MAC authentication
Configuring MAC authentication
Overview
MAC authentication controls network access by authenticating source MAC addresses on a service template. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled service template. If the MAC address passes authentication, the user can access authorized network resources. If the authentication fails, the device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from the MAC address within the quiet time. The quiet mechanism avoids repeated authentication during a short time.
|
|
NOTE: If the MAC address that has failed authentication is a static MAC address or a MAC address that has passed any security authentication, the device does not mark the MAC address as a silent address. |
User account policies
MAC authentication supports the following user account policies:
· One MAC-based user account for each user. The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication. This policy is suitable for an insecure environment.
· One shared user account for all users. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication users on the access device. This policy is suitable for a secure environment.
Authentication methods
You can perform MAC authentication on the access device (local authentication) or through a RADIUS server.
Local authentication:
· MAC-based accounts—The access device uses the source MAC address of the packet as the username and password to search the local account database for a match.
· A shared account—The access device uses the shared account username and password to search the local account database for a match.
RADIUS authentication:
· MAC-based accounts—The access device sends the source MAC address of the packet as the username and password to the RADIUS server for authentication.
· A shared account—The access device sends the shared account username and password to the RADIUS server for authentication.
For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."
VLAN assignment
For information about MAC authentication VLAN assignment, see WLAN authentication in WLAN Configuration Guide.
Periodic MAC reauthentication
Periodic MAC reauthentication tracks the connection status of online users and updates the authorization attributes assigned by the RADIUS server. The attributes include the ACL and VLAN.
The device reauthenticates an online MAC authentication user periodically only after it receives the termination action Radius-request from the authentication server for this user. The Session-Timeout attribute (session timeout period) assigned by the server is the reauthentication interval. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display mac-authentication connection command. Support for the server configuration and assignment of Session-Timeout and Termination-Action attributes depends on the server model.
Command and hardware compatibility
The WX1800H series, WX2500H series, and WX3000H series access controllers do not support the slot keyword or the slot-number argument.
Configuration prerequisites
Before you configure MAC authentication, configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA."
· For local authentication, you must also create local user accounts (including usernames and passwords) and specify the lan-access service for local users.
· For RADIUS authentication, make sure the device and the RADIUS server can reach each other and create user accounts on the RADIUS server. If you are using MAC-based accounts, make sure the username and password for each account are the same as the MAC address of each MAC authentication user.
Configuration task list
|
Tasks at a glance |
|
(Optional.) Specifying a MAC authentication domain |
|
(Optional.) Configuring the user account format |
|
(Optional.) Configuring MAC authentication server timeout timer |
Specifying a MAC authentication domain
By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can use one of the following methods to specify authentication domains for MAC authentication users:
· Specify a global authentication domain in system view. This domain setting applies to all service templates enabled with MAC authentication.
· Specify an authentication domain for an individual service template in service template view.
MAC authentication chooses an authentication domain for users on a service template in this order: the service template-specific domain, the global domain, and the default domain. For more information about authentication domains, see "Configuring AAA."
To specify an authentication domain for MAC authentication users:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify an authentication domain for MAC authentication users. |
· In system view: · In service template view: a. wlan service-template service-template-name b. mac-authentication domain domain-name |
By default, the system default authentication domain is used for MAC authentication users. |
Configuring the user account format
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the MAC authentication user account format. |
· Use one MAC-based user account for each user: · Use one shared user account for all
users: |
By default, the device uses the MAC address of a user as the username and password for MAC authentication. The MAC address is in six-section format, and letters are in lower case. |
Configuring MAC authentication server timeout timer
MAC authentication uses the server timeout timer to set the interval that the device waits for a response from a RADIUS server before the device regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot access the network.
To configure the MAC authentication server timeout timer:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Configure the MAC authentication server timeout timer. |
mac-authentication timer server-timeout server-timeout-value |
By default, the server timeout timer is 100 seconds. |
Displaying and maintaining MAC authentication
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display MAC authentication information. |
display mac-authentication [ ap ap-name [ radio radio-id ] ] |
|
Display MAC authentication connections. |
display mac-authentication connection [ ap ap-name [ radio radio-id ] | slot slot-number | user-mac mac-address | user-name user-name ] |
|
Clear MAC authentication statistics. |
reset mac-authentication statistics [ ap ap-name [ radio radio-id ] ] |
