Web and MAC Authentication for the Series
Overview
| MAC Authentication |
| network by authenticating devices for access to the network. When a device |
| connects to the switch, either by direct link or through the network, the switch |
| forwards the device’s MAC address to the RADIUS server for authentication. |
| The RADIUS server uses the device MAC address as the username and |
| password, and grants or denies network access in the same way that it does |
| for clients capable of interactive logons. (The process does not use either a |
| client device configuration or a logon session.) MAC authentication is well- |
| suited for clients that are not capable of providing interactive logons, such as |
| telephones, printers, and wireless access points. Also, because most RADIUS |
| servers allow for authentication to depend on the source switch and port |
| through which the client connects to the network, you can use |
| “lock” a particular device to a specific switch and port. |
|
|
Note | You can configure only one authentication type on a port. This means that Web |
| authentication, MAC authentication, 802.1X, MAC lockdown, MAC lockout, |
| and |
| disabled on ports configured for any of these authentication methods. |
|
|
Client Options
In the default configuration, the switch blocks access to clients that the RADIUS server does not authenticate. However, you can configure an individual port to provide limited services to unauthorized clients by joining a specified “unauthorized” VLAN during sessions with such clients. The unauthorized VLAN assignment can be the same for all ports, or different, depending on the services and access you plan to allow for unauthenticated clients.
Access to an optional, unauthorized VID is configured in the switch when Web and MAC Authentication are configured on a port.