MAC authentication
Introduction
MAC authentication controls network access by authenticating source MAC addresses on an interface. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled interface.
Restrictions and guidelines
Restrictions and guidelines: Guest VLAN
Before you configure the MAC authentication guest VLAN on an interface, complete the following tasks:
· Create the VLAN to be specified as the MAC authentication guest VLAN.
· Configure the link type of the interface as hybrid, and configure the VLAN as an untagged member on the interface.
· Enable MAC-based VLAN on the interface.
When you configure the MAC authentication guest VLAN on an interface, follow the guidelines in Table 1.
Table 1 Relationships of the MAC authentication guest VLAN with other security features
Feature | Relationship description |
---|---|
Quiet feature of MAC authentication | The MAC authentication guest VLAN feature has higher priority. When a user fails MAC authentication, the user can access the resources in the guest VLAN. The user's MAC address is not marked as a silent MAC address. |
Super VLAN | You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN. |
Port security intrusion protection | The guest VLAN feature has higher priority than the block MAC action but lower priority than the shutdown action of the port security intrusion protection feature. |
Restrictions and guidelines: Critical VLAN
Before you configure the MAC authentication critical VLAN on an interface, complete the following tasks:
· Create the VLAN to be specified as the MAC authentication critical VLAN.
· Configure the link type of the interface as hybrid, and configure the VLAN as an untagged member on the interface.
· Enable MAC-based VLAN on the interface.
When you configure the MAC authentication critical VLAN on an interface, follow the guidelines in Table 2.
Table 2 Relationships of the MAC authentication critical VLAN with other security features
Feature | Relationship description |
---|---|
Quiet feature of MAC authentication | The MAC authentication critical VLAN feature has higher priority. When a user fails MAC authentication because no RADIUS authentication server is reachable, the user can access the resources in the critical VLAN. The user's MAC address is not marked as a silent MAC address. |
Super VLAN | You cannot specify a VLAN as both a super VLAN and a MAC authentication critical VLAN. |
Port security intrusion protection | The critical VLAN feature has higher priority than the block MAC action but lower priority than the shutdown action of the port security intrusion protection feature. |
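
The guest VLAN and critical VLAN prerequisites above, together with the super VLAN restriction in Tables 1 and 2, can be verified against a planned configuration before the change is made. The following Python check is an added example, not part of the original documentation; the inventory dictionary layout, its key names and the interface names are hypothetical, and the sample data is constructed.

```python
# Added example: pre-change check of the guest/critical VLAN prerequisites.
# The inventory layout is hypothetical, not a device export format.

def check_special_vlan(device, ifname, vlan_id, role):
    """Return the unmet prerequisites for using vlan_id as the role VLAN on ifname."""
    problems = []
    iface = device["interfaces"][ifname]
    if vlan_id not in device["vlans"]:
        problems.append(f"VLAN {vlan_id} has not been created")
    if vlan_id in device["super_vlans"]:
        problems.append(f"VLAN {vlan_id} is a super VLAN and cannot be a {role} VLAN")
    if iface["link_type"] != "hybrid":
        problems.append(f"{ifname} link type is {iface['link_type']}, not hybrid")
    if vlan_id not in iface["untagged_vlans"]:
        problems.append(f"VLAN {vlan_id} is not an untagged member on {ifname}")
    if not iface["mac_based_vlan"]:
        problems.append(f"MAC-based VLAN is not enabled on {ifname}")
    return problems

def audit(device):
    """Check the planned guest and critical VLAN of every interface."""
    report = {}
    for ifname, iface in device["interfaces"].items():
        for role in ("guest", "critical"):
            vlan_id = iface.get(f"{role}_vlan")
            if vlan_id is not None:
                problems = check_special_vlan(device, ifname, vlan_id, role)
                if problems:
                    report[(ifname, role)] = problems
    return report

# Constructed sample data: ge0 meets every prerequisite, ge1 meets none.
SAMPLE = {
    "vlans": {10, 20, 30},
    "super_vlans": {30},
    "interfaces": {
        "ge0": {"link_type": "hybrid", "untagged_vlans": {10, 20},
                "mac_based_vlan": True, "guest_vlan": 10, "critical_vlan": 20},
        "ge1": {"link_type": "access", "untagged_vlans": {10},
                "mac_based_vlan": False, "guest_vlan": 30, "critical_vlan": 40},
    },
}

if __name__ == "__main__":
    for (ifname, role), problems in audit(SAMPLE).items():
        for p in problems:
            print(f"{ifname} {role} VLAN: {p}")
```
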
Configure MAC authentication
1. Click the Network tab.
2. In the navigation pane, select Security Access > MAC Access > MAC Authentication.
3. Select Enable to enable global MAC authentication.
4. Select Enable interface-specific MAC authentication to enable MAC authentication for the target interface.
5. Click Edit for the target interface to enter the Edit MAC Authentication page.
6. Configure the MAC authentication parameters.
Table 3 MAC authentication configuration items
Item | Description |
---|---|
Authentication delay | Set the MAC authentication delay time. If you do not set a delay time, MAC authentication delay is disabled. |
VLAN mode | Select a VLAN mode for the interface, which can be single-VLAN mode or multi-VLAN mode. |
Guest VLAN | Specify a guest VLAN to accommodate users that have failed MAC authentication. |
Critical VLAN | Specify a critical VLAN to accommodate users that have failed MAC authentication because no server is reachable. |
Authentication ISP domain | Specify an authentication ISP domain for users that access the interface. |
Max online users | Set the maximum number of concurrent MAC authentication users allowed to access the interface. |
Server unreachable for reauthentication | Select whether to log off users or allow users to stay online if no server is reachable for reauthentication of the users. |
7. Click OK.