MAC-based authentication
When a client connects to a MAC authentication
enabled port traffic is blocked. The switch immediately submits the
client's MAC address (in the format specified by the addr-format
)
as its certification credentials to the RADIUS server for authentication.
If the client is authenticated and the maximum
number of MAC addresses allowed on the port (addr-limit
)
has not been reached, the port is assigned to a static, untagged VLAN
for network access.
The assigned VLAN is determined, in order of priority, as follows:
- If there is a RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to this VLAN and temporarily drops all other VLAN memberships.
- If there is no RADIUS-assigned VLAN, then, for the duration of the client session, the port belongs to the authorized VLAN (if configured) and temporarily drops all other VLAN memberships.
- If neither 1 or 2, above, apply, but the port is an untagged member of a statically configured, port-based VLAN, then the port remains in this VLAN.
- If neither 1, 2, or 3, above, apply, then the client session does not have access to any statically configured, untagged VLANs and client access is blocked.
The assigned port VLAN remains in place until
the session ends. Clients may be forced to reauthenticate after a
fixed period of time (reauth-period
) or at any
time during a session (reauthenticate
). An implicit
logoff period can be set if there is no activity from the client after
a given amount of time (logoff-period
). In addition,
a session ends if the link on the port is lost, requiring reauthentication
of all clients. Also, if a client moves from one port to another and
client moves have not been enabled (addr-moves
)
on the ports, the session ends and the client must reauthenticate
for network access. At the end of the session the port returns to
its pre-authentication state. Any changes to the port’s VLAN memberships
made while it is an authenticated port take affect at the end of the
session.
A client may not be authenticated due to invalid
credentials or a RADIUS server timeout. The server-timeout
parameter
sets how long the switch waits to receive a response from the RADIUS
server before timing out. The maxrequests
parameter
specifies how many authentication attempts may result in a RADIUS
server timeout before authentication fails. The switch waits a specified
amount of time (quiet-period
) before processing
any new authentication requests from the client.
Network administrators may assign unauthenticated
clients to a specific static, untagged VLAN (unauth-vid
),
to provide access to specific (guest) network resources. If no VLAN
is assigned to unauthenticated clients the port remains in its original
VLAN configuration. Should another client successfully authenticate
through that port any unauthenticated clients are dropped from the
port.