Access Security Guide K/KA/KB.15.15

Configuring a global MAC authentication password
MAC authentication requires that only a single entry containing the username and password is
placed in the user database with the device's MAC address. This creates an opportunity for
malicious device spoofing. The global password option configures a common MAC authentication
password to use for all MAC authentications sent to the RADIUS server. This makes spoofing more
difficult.
When implementing the global MAC authentication password option, the user database on the
RADIUS server must have this password as the password for each device performing
MAC authentication.
Commands to configure the global MAC authentication password
To configure the global MAC authentication password:
Syntax:
[no] aaa port-access mac-based password <password-value>
Specifies the global password to be used by all MAC authenticating devices.
The [no] form of the command disables the feature.
For the 3800, 5400zl, and 8200zl switches, when the switch is in enhanced secure
mode, commands that take a password as a parameter have the echo of the
password typing replaced with asterisks. The input for the password is prompted
for interactively. See “Secure Mode (3800, 5400zl, and 8200zl Switches)”
(page 498).
Figure 39 Configuring a global MAC authentication password
NOTE: The password value will display in an exported config file when include-credentials
is enabled.
Configuring a MAC address format
Syntax:
aaa port-access mac-based addr-format <no-delimiter | single-dash |
multi-dash | multi-colon | no-delimiter-uppercase | single-dash-uppercase |
multi-dash-uppercase | multi-colon-uppercase>
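The two settings above meet on the RADIUS server: each device's username must be stored in the configured addr-format, with the global password as its password. The following Python code is an added example, not taken from this guide. It assumes a FreeRADIUS-style users file and the username layouts aabbccddeeff, aabbcc-ddeeff, aa-bb-cc-dd-ee-ff and aa:bb:cc:dd:ee:ff for the four base formats; the function names, MAC addresses and password are constructed for illustration.

```python
import re

# Username layout per addr-format keyword: (hex digits per group, delimiter).
# Layouts are an assumption of this example, not listed on this page.
ADDR_FORMATS = {
    "no-delimiter": (12, ""),   # aabbccddeeff
    "single-dash": (6, "-"),    # aabbcc-ddeeff
    "multi-dash": (2, "-"),     # aa-bb-cc-dd-ee-ff
    "multi-colon": (2, ":"),    # aa:bb:cc:dd:ee:ff
}


def format_mac(mac, addr_format):
    """Render a MAC address as the RADIUS username for the given addr-format."""
    upper = addr_format.endswith("-uppercase")
    base = addr_format[:-len("-uppercase")] if upper else addr_format
    if base not in ADDR_FORMATS:
        raise ValueError(f"unknown addr-format: {addr_format}")
    # Accept any common input notation, then normalise to 12 lowercase hex digits.
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    size, delim = ADDR_FORMATS[base]
    text = delim.join(digits[i:i + size] for i in range(0, 12, size))
    return text.upper() if upper else text


def radius_users(macs, addr_format, global_password=None):
    """Build users-file entries (hypothetical helper).

    With no global password, the formatted MAC doubles as the password,
    which is the spoofable arrangement the guide describes.
    """
    if global_password is not None and '"' in global_password:
        raise ValueError("double quote in password would break the users-file entry")
    lines = []
    for mac in macs:
        user = format_mac(mac, addr_format)
        secret = user if global_password is None else global_password
        lines.append(f'{user} Cleartext-Password := "{secret}"')
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed inventory and placeholder password.
    inventory = ["00:1A:2B:3C:4D:5E", "001a2b-3c4d5f"]
    print(radius_users(inventory, "multi-dash-uppercase", "EXAMPLE-GLOBAL-PASSWORD"))
```

A username stored in a different layout or letter case than the switch sends will not match, so regenerate the entries whenever addr-format changes.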
74 Web-based and MAC authentication