Portal authentication controls user access to networks by authenticating user identities. Web-based portal authentication allows users to perform authentication through a Web browser without installing client software. Users enter a username and password on a Web page. The device authenticates the user identities and controls user access to the network according to the authentication result.
MAC-trigger authentication is also called MAC-based quick portal authentication. In portal authentication scenarios where users access the network frequently, this feature allows users to pass portal authentication without entering a username and password.
A MAC binding server is required for MAC-trigger authentication. The MAC binding server records the MAC-to-account bindings of portal users for authentication. The account contains the portal authentication information of the user, including username and password. The MAC binding server checks whether the MAC address of the user is bound to a portal user account:
If a matching MAC-account binding exists, the MAC binding server sends the user authentication information to the access device to initiate portal authentication. The user is authenticated without entering the username and password. If the user fails the portal authentication, an authentication failure message is returned to the user. The access device ages out the MAC-trigger entry of the user and performs MAC-trigger authentication again.
If no matching MAC-account binding exists, the MAC binding server notifies the access device to initiate normal portal authentication, and the user enters the username and password on the authentication page. If the user fails the portal authentication, an authentication failure message is returned to the user. The whole process is finished. If the user passes the portal authentication, the access device sends the user's MAC address and authentication information to the MAC binding server for MAC-account binding. When the same user accesses the network again, the MAC binding server can use the saved authentication information to complete the authentication on behalf of the user.
Only IPv4 direct authentication supports MAC-based quick portal authentication.
Configure MAC-trigger authentication as shown in the following figure:
From the left navigation pane, select Configure > Authentication > Authentication Global Settings > Portal Authentication. Click the MAC-Trigger tab.
Click Add above the MAC binding server list. On the page that opens, add a MAC binding server:
Server Name: Enter the name of the MAC binding server, a string of 1 to 32 characters.
Type: Select the MAC binding server type. The default type is Remote. If you select the Remote type, you must also configure the following parameters:
IP Address: Enter the IP address of the MAC binding server.
Port: Enter the UDP port number the MAC binding server uses to listen for MAC binding query packets. The value range for the port number is 1 to 65534. The default port number is 50100.
Service Type: Select the service type for the MAC binding server. The default type is iMC.
Key: Enter the key for the MAC binding server.
Confirm Password: Enter the same key for the MAC binding server.
Click Submit.
From the left navigation pane, select Configure > Authentication > Authentication Global Settings > Portal Authentication. Click the MAC-Trigger tab.
You can perform the following management operations on existing MAC binding servers:
To refresh the MAC binding server list, click Refresh.
To delete MAC binding servers in bulk, select the MAC binding servers you want to delete, and then click Bulk Operation > Bulk Delete.
To import MAC binding servers from a local MAC binding server configuration file, click More > Import.
To export MAC binding servers to a local configuration file, click More > Export.
To edit a MAC binding server, click the Edit icon in the Actions column for that server.
To delete a MAC binding server, click the Delete icon in the Actions column for that server.
From the left navigation pane, select Configure > Authentication > Authentication Global Settings > Portal Authentication. Click the MAC-Trigger tab.
In the Advanced configuration area, configure remote MAC-Trigger parameters as needed.
Table-1 Remote MAC-Trigger parameters
Parameter | Description |
Maximum Number of MAC Queries Initiated by the Device | If the number of times the device initiates queries to the MAC binding server has reached the upper limit and no response is received, the device will consider the server unreachable. The device will then initiate standard portal authentication, which requires the user to enter a username and password on the authentication page. |
Interval for Device-Initiated MAC Queries | Interval at which the device periodically initiates MAC queries to the MAC binding server to ensure that the server is reachable. |
Unauthenticated Traffic Threshold | With the MAC-Trigger feature enabled on the device, the user receives a certain amount of authentication-free traffic upon first network connection. The device monitors portal user traffic in real time before the MAC-Trigger table entry expires. User authentication is not required until user traffic reaches the specified threshold. If this threshold is reached, MAC-Trigger authentication is triggered. |
NAS-Port-Type Attribute | When the device communicates with the MAC binding server of a specific vendor, it uses the NAS-Port-Type attribute in the RADIUS message to indicate whether the authentication process is a MAC address-based fast authentication or a standard portal authentication. |
Portal Protocol Message Version Number | Make sure the version of the portal protocol messages configured is consistent with the portal protocol version required by the MAC binding server. |
Timeout for the Device to Wait for Portal Authentication Completion After Receiving the Server Query Message | Upon receiving a query response from the MAC binding server, the device starts a timer to record the user portal authentication time regardless of the query result. If the timer expires, the device will immediately delete the user MAC-Trigger table entry. |
MAC-Trigger Entry Aging Time | With the MAC-Trigger feature enabled, the device generates a MAC-Trigger table entry upon detecting traffic of a user that comes online for the first time. This entry records the user's MAC address, interface index, VLAN ID, traffic, and timer information. If a MAC-Trigger table entry reaches the specified aging time, it will be deleted. When the device detects traffic from the same user again, it will re-establish the MAC-Trigger table entry for the user. |
AAA Authentication Failure Device Directly Initiates Portal Authentication | With this feature enabled, the device will set the MAC-Trigger table entry to unbound state upon receiving the authentication failure message when a user performs MAC-Trigger authentication and AAA authentication fails. The device will then initiate a normal portal authentication for the unbound user without querying the MAC binding server for binding status. |
Click Submit.
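The following Python model is an added illustration, not device or vendor code. It traces how the access device decides between MAC-trigger and normal portal authentication using the traffic threshold, query limit, and AAA-failure option from Table-1. The class names, return strings, and the default values 1024 and 3 are assumptions made for the example.

```python
class BindingServer:                              # stand-in for the MAC binding server
    def __init__(self, bindings=None, reachable=True):
        self.bindings, self.reachable, self.queries = dict(bindings or {}), reachable, 0
    def query(self, mac):
        self.queries += 1
        if not self.reachable:
            return None                           # no response to the MAC query
        return ("bound", self.bindings[mac]) if mac in self.bindings else ("none", None)

class AccessDevice:
    def __init__(self, server, aaa, threshold=1024, max_queries=3, direct_portal=True):
        self.server, self.aaa, self.table = server, aaa, {}
        self.threshold, self.max_queries, self.direct_portal = threshold, max_queries, direct_portal

    def on_traffic(self, mac, nbytes, typed=None):
        entry = self.table.setdefault(mac, {"traffic": 0, "unbound": False})
        entry["traffic"] += nbytes
        if entry["traffic"] < self.threshold:
            return "free-traffic"                 # below Unauthenticated Traffic Threshold
        if entry["unbound"]:
            return self.portal(mac, typed)        # binding query is skipped
        replies = (self.server.query(mac) for _ in range(self.max_queries))
        reply = next((r for r in replies if r is not None), None)
        if reply is None or reply[0] == "none":
            return self.portal(mac, typed)        # server unreachable or no binding
        if self.aaa(reply[1]):
            return "online-mac-trigger"           # user identified by MAC address alone
        if self.direct_portal:
            entry["unbound"] = True               # AAA failure: entry set to unbound state
        else:
            del self.table[mac]                   # aged out; next traffic retries MAC-trigger
        return "auth-failed"

    def portal(self, mac, typed):
        if typed is None:
            return "portal-page"                  # user must enter username and password
        if not self.aaa(typed):
            return "auth-failed"
        if self.server.reachable:
            self.server.bindings[mac] = typed     # device reports MAC + account for binding
        return "online-portal"

def demo():
    mac, aaa = "00:11:22:33:44:55", lambda creds: creds == ("alice", "new-pw")
    srv = BindingServer({mac: ("alice", "old-pw")})   # constructed stale binding
    dev = AccessDevice(srv, aaa)
    out = [dev.on_traffic(mac, n, typed) for n, typed in
           [(500, None), (600, None), (10, None), (10, ("alice", "new-pw"))]]
    dev.table.pop(mac)                            # entry reaches its aging time
    return out + [dev.on_traffic(mac, 2000)]
```

demo() walks one constructed user through a stale binding: free traffic, a failed MAC-trigger attempt, normal portal authentication that refreshes the binding, and a later login by MAC address only.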