Access Security Guide K/KA/KB.15.15

3. Determine whether any VLAN assignments are needed for authenticated clients.
a. If you configure the RADIUS server to assign a VLAN for an authenticated client, this
assignment overrides any VLAN assignments configured on the switch while the
authenticated client session remains active. The VLAN must be statically configured on
the switch.
b. If there is no RADIUS-assigned VLAN, the port can join an “Authorized VLAN” for the
duration of the client session. This must be a port-based, statically configured VLAN on
the switch.
c. If there is neither a RADIUS-assigned VLAN nor an “authorized VLAN” for an authenticated
client session on a port, the port’s VLAN membership remains unchanged during
authenticated client sessions. Configure the port for the VLAN in which you want it to
operate during client sessions.
NOTE: When configuring a RADIUS server to assign a VLAN, you can use either the VLAN’s
name or VID. For example, if a VLAN configured in the switch has a VID of 100 and is named
vlan100, you could configure the RADIUS server to use either “100” or “vlan100” to specify
the VLAN.
4. For clients that the RADIUS server does not authenticate, determine whether to use the optional
“unauthorized VLAN” mode. This VLAN must be statically configured on the switch. If you do
not configure an “unauthorized VLAN”, the switch simply blocks access to unauthenticated
clients trying to use the port.
5. Determine the authentication policy you want on the RADIUS server and configure the server.
Based on your switch’s RADIUS application information, include the following in the policy
for each client or client device:
• The CHAP-RADIUS authentication method.
• An encryption key (the shared secret that the switch is also configured with).
• One of the following:
◦ The user name and password for each authorized client, if you are configuring
web-based authentication.
◦ The device MAC address in both the username and password fields of the RADIUS
policy configuration for that device, if you are configuring MAC authentication. To
allow a particular device to be authenticated only through a designated port and
switch, include that restriction in the policy.
6. Determine the IP address of the RADIUS server(s) you choose to support web-based or MAC
authentication.
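The server-side policy of steps 3 to 6, written out for a FreeRADIUS server as an added example (this is not configuration from the guide or from HP; FreeRADIUS is one RADIUS implementation among several). The addresses, names, passwords, shared secret and port number are hypothetical, and the exact MAC string and NAS-Port value the switch sends should be confirmed from the server’s debug output (`radiusd -X`) before relying on the port restriction. Note that MAC authentication trusts a value the client itself supplies and can be defeated by MAC spoofing; it is a convenience for devices that cannot do 802.1X or web login, not a strong identity check.

```text
# --- /etc/raddb/clients.conf (fragment) ---
# The switch as a RADIUS client. "secret" is the encryption key the switch
# must be configured with in "radius-server host ... key ...".
client procurve-switch {
    ipaddr = 10.1.1.1          # switch management IP (hypothetical)
    secret = Sw1tchK3y!        # shared secret (hypothetical)
    nastype = other
}

# --- /etc/raddb/users (fragment) ---
# Web-based authentication: an ordinary user name and password.
# Cleartext-Password is needed because the switch authenticates with CHAP.
# The VLAN is returned in the tunnel attributes; Tunnel-Private-Group-Id may
# be the VLAN name ("vlan100") or the VID ("100"), and the VLAN must already
# be statically configured on the switch.
alice   Cleartext-Password := "s3cretPass"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "vlan100"

# MAC authentication: the switch sends the client MAC as both user name and
# password. The switch's default address format is lower-case hex with no
# delimiters; the entry must match whatever format the switch is set to send.
# The check items after the password restrict this device to one switch
# (NAS-IP-Address) and one port (NAS-Port, assumed to carry the port number);
# a request for this MAC from anywhere else falls through to DEFAULT.
001122334455    Cleartext-Password := "001122334455", NAS-IP-Address == 10.1.1.1, NAS-Port == 7
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100"

# Everything not matched above is rejected. The switch then places the port
# in its "unauthorized VLAN" if one is configured, otherwise it blocks the
# client.
DEFAULT Auth-Type := Reject
```

Restart or HUP the server after editing, then watch one authorization with `radiusd -X` to confirm the Access-Accept carries the three tunnel attributes; if the switch logs the VLAN as unknown, the name or VID in Tunnel-Private-Group-Id does not match a VLAN on the switch.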
Preparation for configuring MAC authentication
Before you configure MAC authentication
1. Configure a local username and password on the switch.
2. Ensure that the VLANs are configured on the switch and that the appropriate port assignments
have been made if you plan to use multiple VLANs with MAC authentication.
3. From the switch console, ping the RADIUS server you are configuring to support MAC
authentication, to ensure that the switch is able to communicate with it.
4. Configure the switch with the correct IP address and encryption key to access the RADIUS
server.
5. Configure the switch for MAC authentication with the ports you will be using.
6. Test both the authorized and unauthorized access to your system to ensure that MAC
authentication works properly on the ports you have chosen to configure for port-access.
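The six preparation steps above, carried out on the switch CLI in order, as an added example (not a session from the guide). Addresses, VIDs, port numbers and the shared secret are hypothetical; lines beginning with `!` are annotations for the reader and are not switch input. The RADIUS server is assumed to hold the matching client entry and the MAC and user entries described in step 5 of the RADIUS preparation.

```text
! Step 1: local manager login so the switch stays manageable if RADIUS is down
! (the switch prompts for the password)
ProCurve(config)# password manager user-name admin

! Step 2: the VLANs that RADIUS may assign, or that auth-vid / unauth-vid use,
! must already exist; port 24 is the uplink carrying both
ProCurve(config)# vlan 100 name vlan100
ProCurve(config)# vlan 200 name guest
ProCurve(config)# vlan 100 tagged 24
ProCurve(config)# vlan 200 tagged 24

! Step 3: confirm the switch can reach the RADIUS server
ProCurve(config)# ping 10.1.1.5

! Step 4: RADIUS server address and the shared secret that the server's
! client entry for this switch uses
ProCurve(config)# radius-server host 10.1.1.5 key Sw1tchK3y!

! Step 5: MAC authentication on ports 1-10 using CHAP to RADIUS; one client
! per port (the default, stated here for clarity); VLAN 100 if RADIUS accepts
! the client but returns no VLAN; VLAN 200 for clients RADIUS rejects
ProCurve(config)# aaa authentication mac-based chap-radius
ProCurve(config)# aaa port-access mac-based 1-10
ProCurve(config)# aaa port-access mac-based 1-10 addr-limit 1
ProCurve(config)# aaa port-access mac-based 1-10 auth-vid 100
ProCurve(config)# aaa port-access mac-based 1-10 unauth-vid 200

! Step 6: connect a known and an unknown device and check the result
ProCurve(config)# show port-access mac-based config
ProCurve(config)# show port-access mac-based clients
ProCurve(config)# show radius
```

For the step 6 test, the known device should appear as authenticated with the VLAN that RADIUS returned (or 100 if none was returned), the unknown device should show as unauthorized on VLAN 200, and `show radius` should show the accept and reject counters incrementing rather than timeouts; timeouts with a reachable server usually mean the shared secret does not match.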