Web and MAC Authentication for the Series 2600/2600-PWR and 2800 Switches

Overview

 

MAC Authentication (MAC-Auth).This method grants access to a secure

 

network by authenticating devices for access to the network. When a device

 

connects to the switch, either by direct link or through the network, the switch

 

forwards the device’s MAC address to the RADIUS server for authentication.

 

The RADIUS server uses the device MAC address as the username and

 

password, and grants or denies network access in the same way that it does

 

for clients capable of interactive logons. (The process does not use either a

 

client device configuration or a logon session.) MAC authentication is well-

 

suited for clients that are not capable of providing interactive logons, such as

 

telephones, printers, and wireless access points. Also, because most RADIUS

 

servers allow for authentication to depend on the source switch and port

 

through which the client connects to the network, you can use MAC-Auth to

 

“lock” a particular device to a specific switch and port.

 

 

N o t e

You can configure only one authentication type on a port. This means that Web

 

authentication, MAC authentication, 802.1X, MAC lockdown, MAC lockout,

 

and port-security are mutually exclusive on a given port. Also, LACP must be

 

disabled on ports configured for any of these authentication methods.

 

 

Client Options

Web-Auth and MAC-Auth provide a port-based solution in which a port can belong to one, untagged VLAN at a time. However, where all clients can operate in the same VLAN, the switch allows up to 32 simultaneous clients per port. (In applications where you want the switch to simultaneously support multiple client sessions in different VLANs, design your system so that such clients will use different switch ports.)

In the default configuration, the switch blocks access to clients that the RADIUS server does not authenticate. However, you can configure an individ- ual port to provide limited services to unauthorized clients by joining a specified “unauthorized” VLAN during sessions with such clients. The unau- thorized VLAN assignment can be the same for all ports, or different, depend- ing on the services and access you plan to allow for unauthenticated clients.

Access to an optional, unauthorized VID is configured in the switch when Web and MAC Authentication are configured on a port.

3-3

Page 47
Image 47
HP 4100gl, 2650 (J4899A/B), 2626 (J4900A/B) Client Options, Radius server uses the device MAC address as the username