If a user in the Auth-Fail VLAN passes MAC authentication, the user is removed from the Auth-Fail VLAN and can access all authorized network resources. If not, the user remains in the Auth-Fail VLAN.

A hybrid port is always assigned to an Auth-Fail VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

Configuration prerequisites

Before you configure MAC authentication, complete the following tasks:

1. Configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA."

   ○ For local authentication, you must also create local user accounts (including usernames and passwords), and specify the lan-access service for local users.

   ○ For RADIUS authentication, make sure the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server. If you are using MAC-based accounts, make sure the username and password for each account are the same as the MAC address of each MAC authentication user.

2. Make sure the port security feature is disabled. For more information about port security, see "Configuring port security."
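The MAC-based account rule in the RADIUS prerequisite above can be checked before rollout. The following is an added example, not part of the original guide: it assumes the accounts are available as a hypothetical username,password CSV export and that MAC addresses are written either as twelve hex digits or as six hyphen-separated octets (the page does not state which notation the device sends). The function names are illustrative.

```python
import csv
import re

# Assumed notations; the page does not say which one the device sends.
MAC_FORMATS = {
    "plain": re.compile(r"[0-9A-Fa-f]{12}"),
    "hyphenated": re.compile(r"[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}"),
}

def classify(value):
    """Return (notation, case) for a MAC string, or None if it is not one."""
    for notation, pattern in MAC_FORMATS.items():
        if pattern.fullmatch(value):
            letters = "".join(c for c in value if c.isalpha())
            case = "any" if not letters else (
                "lower" if letters.islower() else
                "upper" if letters.isupper() else "mixed")
            return notation, case
    return None

def audit_accounts(csv_text):
    """Return (row, problem) findings for username,password rows."""
    findings, notations, cases, seen = [], set(), set(), set()
    for row_no, row in enumerate(csv.reader(csv_text.splitlines()), start=1):
        if len(row) != 2 or classify(row[0]) is None:
            findings.append((row_no, "username is not a MAC address"))
            continue
        user, password = row
        notation, case = classify(user)
        if password != user:  # exact match: case and separators included
            findings.append((row_no, "password differs from username"))
        canonical = user.replace("-", "").lower()
        if canonical in seen:
            findings.append((row_no, "duplicate MAC address"))
        seen.add(canonical)
        notations.add(notation)
        if case != "any":
            cases.add(case)
    if len(notations) > 1 or len(cases) > 1 or "mixed" in cases:
        findings.append((0, "accounts use more than one MAC notation"))  # row 0 = whole list
    return findings

# Constructed sample export, not from the page.
SAMPLE = """00-e0-fc-12-34-56,00-e0-fc-12-34-56
00-e0-fc-12-34-57,00-E0-FC-12-34-57
00e0fc123458,00e0fc123458
printer-lobby,secret
00-e0-fc-12-34-56,00-e0-fc-12-34-56
"""
```

An account that fails any of these checks will not match what the device submits, so the user stays in the Auth-Fail VLAN when one is configured.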

Recommended configuration procedure

| Step | Remarks |
|---|---|
| 1. Configuring MAC authentication globally | Required. This function enables MAC authentication globally and configures the advanced parameters. By default, MAC authentication is disabled globally. |
| 2. Configuring MAC authentication on a port | Required. This function enables MAC authentication on a port. MAC authentication can take effect on a port only when it is enabled globally and on the port. You can configure MAC authentication on ports first. By default, MAC authentication is disabled on a port. |

Configuring MAC authentication globally

1. From the navigation tree, select Authentication > MAC Authentication.

2. In the MAC Authentication Configuration area, click Advanced.
