Access Security Guide K/KA/KB.15.15

The RADIUS server uses the device MAC address as the username and password, and grants or
denies network access in the same way that it does for clients capable of interactive logons. The
process does not use either a client device configuration or a logon session. MAC authentication
is well-suited for clients not capable of providing interactive logons, such as telephones, printers,
and wireless access points. Also, because most RADIUS servers allow for authentication to depend
on the source switch and port through which the client connects to the network, you can use MAC
authentication to "lock" a particular device to a specific switch and port.
NOTE: 802.1X port-access, web-based authentication, and MAC authentication can be configured
at the same time on the same port. A maximum of 32 clients is supported on the port. The default
is one client.
Web-based and/or MAC authentication and MAC lockdown, MAC lockout, and port-security are
mutually exclusive on a given port. If you configure any of these authentication methods on a port,
you must disable LACP on the port.
Concurrent web-based and MAC authentication
Web-based authentication and MAC authentication can be configured at the same time on a port.
It is assumed that MAC authentication will use an existing MAC address. The following conditions
apply for concurrent authentication:
- A specific MAC address cannot be authenticated by both web and MAC authentication at the same time.
- Each new web-based/MAC authentication client always initiates a MAC authentication attempt. This same client can also initiate web-based authentication at any time before the MAC authentication succeeds. If either authentication succeeds, then the other authentication (if in progress) is ended. No further web-based/MAC authentication attempts are allowed until the client is de-authenticated.
- Web-based and MAC authentication are not allowed on the same port if an unauthenticated (guest) VLAN is enabled for MAC authentication. An unauthenticated VLAN cannot be enabled for MAC authentication if web-based and MAC authentication are both enabled on the port.
- Hitless reauthentication must be of the same type (MAC) that was used for the initial authentication. Non-hitless reauthentication can be of any type.
- The remaining web-based/MAC functionality, including interactions with 802.1X, remains the same. Web-based and MAC authentication can be used for different clients on the same port.
Normally, MAC authentication finishes much sooner than web authentication. However, if web
authentication completes first, MAC authentication ceases, even though MAC authentication could
succeed. There is no guarantee that MAC authentication ends before web-based authentication
begins for the client.
Concurrent web-based and MAC authentication is backward compatible with all existing user
configurations.
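The following is an added model of the concurrent web-based/MAC authentication rules listed above (first success ends the other attempt, no further attempts until de-authentication, the unauthenticated-VLAN restriction, the hitless reauthentication rule, and the 32-client port limit from the NOTE). It is illustrative code written for this page, not the switch's firmware or anything from the guide; the class and method names are assumptions, and the MAC addresses used in tests are constructed.

```python
from dataclasses import dataclass

MAX_CLIENTS_PER_PORT = 32  # guide: up to 32 clients per port (default is 1)

@dataclass
class Client:
    mac: str
    mac_auth: str = "in_progress"  # every new client starts with a MAC auth attempt
    web_auth: str = "none"         # may be started before MAC auth succeeds
    authenticated_by: str = ""     # "mac" or "web" once one method succeeds

class Port:
    def __init__(self, mac_auth_unauth_vlan=0):
        # An unauthenticated (guest) VLAN for MAC auth cannot coexist with web auth
        if mac_auth_unauth_vlan:
            raise ValueError("unauthenticated VLAN for MAC auth conflicts with web auth")
        self.clients = {}

    def connect(self, mac):  # new client appears; its MAC auth attempt begins
        if mac not in self.clients:
            if len(self.clients) >= MAX_CLIENTS_PER_PORT:
                raise RuntimeError("port client limit reached")
            self.clients[mac] = Client(mac)
        return self.clients[mac]

    def start_web_auth(self, mac):  # allowed only before either method has succeeded
        c = self.clients[mac]
        if c.authenticated_by:
            return False
        c.web_auth = "in_progress"
        return True

    def auth_succeeded(self, mac, method):
        """First success wins: the other method, if still in progress, is ended."""
        c = self.clients[mac]
        if c.authenticated_by:  # no further attempts until de-authenticated
            return c.authenticated_by
        c.authenticated_by = method
        other = "web" if method == "mac" else "mac"
        if getattr(c, other + "_auth") == "in_progress":
            setattr(c, other + "_auth", "ended")
        return method

    def reauth_allowed(self, mac, method, hitless):
        # Hitless reauth must be MAC (the initial type); non-hitless can be any type
        c = self.clients[mac]
        return bool(c.authenticated_by) and (not hitless or method == "mac" == c.authenticated_by)

    def deauthenticate(self, mac):  # frees the client to attempt authentication again
        self.clients.pop(mac, None)
```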
Authorized and unauthorized client VLANs
Web-based and MAC Authentication provide a port-based solution in which a port belongs to one
untagged VLAN at a time. The switch supports up to 32 simultaneous client sessions per port. All
authenticated client sessions operate in the same untagged VLAN. To simultaneously support
multiple client sessions in different VLANs for a network application, design the system so clients
request network access on different switch ports.
In the default configuration, the switch blocks access to all clients that the RADIUS server does not
authenticate. However, you can configure an individual port to provide limited network services
and access to unauthorized clients by using an "unauthorized" VLAN for each session. The
unauthorized VLAN ID assignment can be the same for all ports, or different, depending on the
services and access you plan to allow for unauthenticated clients.
Overview 99