Configuring the global MAC authentication password
MAC authentication requires only a single entry in the user database, in which the device's MAC address is used as the username and password. This creates an opportunity for malicious device spoofing. The global password option configures a common MAC authentication password to use for all MAC authentications sent to the RADIUS server. This makes spoofing more difficult.
When implementing the global MAC authentication password option, it is important that the user database on the RADIUS server has this password as the password for each device performing MAC authentication.
Syntax:
[no] aaa port-access mac-based password <password-value>
Specifies the global password to be used by all MAC authenticating devices.
The [no] form of the command disables the feature.
Configuring a global MAC authentication password
Switch(config)#aaa port-access mac-based password secretMAC1
Switch(config)#show port-access mac-based config

 Port Access MAC-Based Configuration

  MAC Address Format : no-delimiter
  Password : secretMAC1
  Unauth Redirect Configuration URL :
  Unauth Redirect Client Timeout (sec) : 1800
  Unauth Redirect Restrictive Filter : Disabled
  Total Unauth Redirect Client Count : 0

                Client Client Logoff  Re-Auth Unauth  Auth    Cntrl
  Port  Enabled Limit  Moves  Period  Period  VLAN ID VLAN ID Dir
  ----- ------- ------ ------ ------- ------- ------- ------- -----
  1     No      1      No     300     0       0       0       both
  2     No      1      No     300     0       0       0       both
  3     No      1      No     300     0       0       0       both
  4     No      1      No     300     0       0       0       both
  5     No      1      No     300     0       0       0       both
  6     No      1      No     300     0       0       0       both
  7     No      1      No     300     0       0       0       both
  8     No      1      No     300     0       0       0       both
The password value will display in an exported config file when include-credentials is enabled.
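Because every MAC-authenticating device must carry the global password in the RADIUS user database, it helps to audit that database before enabling the option. The following is an added example, not part of the original documentation: it assumes a FreeRADIUS-style users file with Cleartext-Password entries (the page does not name a RADIUS server) and the no-delimiter MAC format shown above; the function name and sample entries are constructed for illustration.

```python
import re

# Assumed entry layout (FreeRADIUS-style users file):
#   <name> Cleartext-Password := "<value>"
ENTRY = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"')
# no-delimiter MAC address format: 12 hex digits, no separators
MAC_NO_DELIM = re.compile(r'^[0-9a-fA-F]{12}$')


def audit_users(text, global_password):
    """Return (mac, problem) pairs for MAC-auth entries that do not
    carry the switch's global MAC authentication password."""
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # comments, indented reply attributes, blank lines
        name, password = m.groups()
        if not MAC_NO_DELIM.match(name):
            continue  # ordinary user account, not a MAC-auth entry
        mac = name.lower()
        if password.lower() == mac:
            # Entry can be guessed by anyone who knows the MAC address
            findings.append((mac, "password is the MAC address"))
        elif password != global_password:
            # Device would be rejected once the switch sends the global password
            findings.append((mac, "password differs from global password"))
    return findings


# Constructed sample input, not taken from a real deployment
SAMPLE_USERS = '''\
# printers
001122aabbcc Cleartext-Password := "secretMAC1"
001122AABBCD Cleartext-Password := "001122aabbcd"
001122aabbce Cleartext-Password := "oldSecret"
alice Cleartext-Password := "not-a-mac-entry"
'''

if __name__ == "__main__":
    for mac, problem in audit_users(SAMPLE_USERS, "secretMAC1"):
        print(f"{mac}: {problem}")
```

An empty result means every MAC-auth entry already matches the password configured on the switch.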