Mac-authentication, Why is mac-authentication required, How does mac-authentication work – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual

Authentication Introduction and Configuration
Software Reference for x310 Series Switches
AlliedWare Plus™ Operating System - Version 5.4.4C
C613-50046-01 REV A
MAC-Authentication
Why is MAC-Authentication Required?
The authentication mechanisms provided by 802.1X and Web authentication are powerful
and effective. But, they are not universally applicable. Web authentication is only
applicable to devices that have a human user who opens the web browser and types in a
username and password when requested. 802.1X authentication is only possible from
devices whose software implements an 802.1X supplicant.
There are plenty of network-connected devices, like printers, scanners, fire-alarm monitors
and so on, that have neither a human user nor implement an 802.1X supplicant. In a
network that ensures all access is authenticated, there needs to be a mechanism for
authenticating these devices.
Fortunately, all Ethernet transceivers have a unique identifier—their MAC address. Hence,
even without user input of a username and password, any Ethernet device will
automatically identify itself simply by virtue of the source MAC address in the packets it
sends. The method that has been developed for authenticating these devices uses the
MAC address as the identifier, and so is called MAC-based authentication.
How Does MAC-Authentication Work?
In essence, MAC-authentication works little differently from 802.1X or Web-based
authentication.
Here are the main steps:
1. The supplicant is connected to the switch.
2. The switch (acting as the authenticator) receives an ID from the supplicant.
3. The switch passes the supplicant's ID to a RADIUS server in an Access-Request packet.
4. The RADIUS server returns an Access-Accept or an Access-Deny. The Access-Accept
   can be accompanied by other attributes, for dynamic VLAN assignment.
The unique aspects of MAC-authentication are in steps 2 and 3.
MAC-authentication does not involve a process whereby the switch sends an ID request to
the supplicant. The switch receives the ID from the supplicant by simply looking at the
source MAC in the packets being sent from the supplicant.
The MAC address of the supplicant is a single identifier. But a RADIUS access-request
requires both a username and a password. The workaround employed by
MAC-authentication is simply to use the MAC address as both username and password.
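
The exchange in steps 2 and 3, as an added example (not code from the manual or from AlliedWare Plus): the switch side reads the source MAC from a frame and builds a RADIUS Access-Request carrying it as both User-Name and User-Password (hidden as RFC 2865 specifies), and the server side recovers both. The lowercase hyphen-separated MAC format, the shared secret and the sample frame are assumptions constructed for illustration.

```python
import hashlib
import os
import struct

USER_NAME, USER_PASSWORD = 1, 2   # RADIUS attribute types (RFC 2865)

def _xor_blocks(data, secret, authenticator, decrypt=False):
    """RFC 2865 section 5.2 hiding: XOR 16-byte blocks with chained MD5 keys."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        prev = block if decrypt else res   # the chain always uses the hidden block
        out += res
    return out

def build_access_request(frame, secret, ident=1, authenticator=None):
    """Steps 2-3: take the ID from the frame's source MAC, build the request."""
    authenticator = authenticator or os.urandom(16)
    src_mac = frame[6:12]                      # Ethernet source address field
    mac_id = "-".join(f"{b:02x}" for b in src_mac).encode()   # assumed format
    padded = mac_id + b"\x00" * (-len(mac_id) % 16)
    attrs = b""
    for atype, value in ((USER_NAME, mac_id),
                         (USER_PASSWORD, _xor_blocks(padded, secret, authenticator))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))   # code 1 = Access-Request
    return header + authenticator + attrs

def parse_credentials(packet, secret):
    """RADIUS server view: recover User-Name and User-Password."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    authenticator, pos, found = packet[4:20], 20, {}
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        found[atype] = packet[pos + 2:pos + alen]
        pos += alen
    password = _xor_blocks(found[USER_PASSWORD], secret, authenticator, True)
    return found[USER_NAME], password.rstrip(b"\x00")

# Constructed sample frame: destination broadcast, source 00:00:cd:12:34:56.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0000cd123456" "0800") + b"\x00" * 46
SAMPLE_SECRET = b"constructed-shared-secret"   # placeholder, not a real secret

if __name__ == "__main__":
    pkt = build_access_request(SAMPLE_FRAME, SAMPLE_SECRET)
    print(parse_credentials(pkt, SAMPLE_SECRET))
```

Because the password equals the username, the RADIUS server's entry for each device must hold the MAC string in both fields, formatted exactly as the switch sends it.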