Operating notes
All existing devices being authenticated with client-based MAC authentication can still be authenticated as usual, until a device with port-based policy is authenticated.
A client being authenticated through MAC authentication with a port-based policy will have the connected authenticator port open to all clients without the need of separate authentication.
- The enhanced MAC authentication will still be able to coexist with web authentication and 802.1X authentication in switch configuration. However it will introduce new dynamic behavior, as defined below:
- When a client is authenticated by MAC Authentication with port-based policy.
If 802.1X authentication is in the client-based mode, all 802.1X clients are removed. With MAC Authentication, only the MAC authenticated client will be accepted and the port will be open.
If 802.1X is in port-based mode, the port is open to all. The ACCESS-ACCEPT (server) for the MAC Authentication client will be rejected with an expectation that the following packets from the client can go through because the port has been opened by 802.1X.
When a client is authenticated as an 802.1X client and the authenticator port has been open by a MAC Authentication client with port-based policy the ACCESS_ACCEPT for the 802.1X client will be rejected appropriately.
When Web authentication and MAC authentication coexist on a switch port, the handling of Web Authentication client will follow the cases of 802.1X client-based mode, for example, 3.a.1. and 3.b.
The MAC Authentication Client/Address Limits will be adhered to. If the current number of authenticated clients are at the configured port client/address limit, then additional clients are not accepted (exceptions are clients with client-limit port based policy to increase client-limit). This existing design decision is meant to avoid any DoS of our NAC/AAA solution as any additional authentication requests on this port are pointless as the limit has been hit.
A new read-only MIB object will be added to query the authentication mode of a MAC authentication client.
When a port is in port-based MAC authentication mode, port-security (port-access mode) blocks traffic from the subsequent users.
If a client being MAC authenticated with port-based policy has other assigned policies, (such as NAS-Filter-Rule, Filter-ID, Bandwidth-Max-Ingress/Egress) the port-based policy is then applied only to this client not for any subsequent clients accessing the port in port-mode.