Westermo RedFox Series User Manual
Page 283

Westermo OS Management Guide
Version 4.17.0-0
access based on the MAC address without any cryptographic authentication
exchange, and it is fairly easy to modify the MAC address on a PC and most other
equipment.
MAC authentication is set up using lists of one or more MAC address patterns.
MAC patterns may contain a wild-card at the end to match a whole range of
addresses. Examples: The pattern 00:11:22:33:44:55 matches exactly one address,
while the pattern 00:AA:BB:* matches all addresses beginning with 00:AA:BB.
When enabling MAC authentication on a VLAN in WeOS, the associated MAC list
(white-list) must be specified. The procedure is as follows:
1. Create MAC Authentication List (AAA): Create a MAC list, and add MAC
patterns to that list. A MAC pattern by default applies to all ports on the VLAN
the MAC list will be mapped to; however, the MAC pattern may apply to a
specific port. See on Authentication, Authorisation and Accounting (AAA) for
more information, in particular (CLI), and (Web).
2. Enable MAC authentication per VLAN: When MAC authentication is enabled
on a VLAN, the relevant MAC list is specified, thereby defining which MAC
addresses to grant access. Access is granted on all ports, except for MAC
patterns limited to a specific port. See sections
(Web) and
(CLI) for further details.
The switch will listen on the controlled ports for Ethernet packets originating from
currently unknown MAC addresses. When such a packet arrives, it will use the
packet’s source MAC and search through the specified MAC list for a matching
entry. If one is found, the port will be opened for the specific MAC address.
Packets that do not match will be discarded (alternatively, such packets can be
authenticated via 802.1X).
A port will remain open for an authorised MAC as long as traffic flows. If no
packets are received through the port from an authorised MAC address for 5
minutes, the port will be closed again for this address, and the authentication
procedure will be re-done when new packets arrive.
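The decision logic described above, as an added Python model (not WeOS code and not part of the manual): trailing wild-card matching, optional per-port patterns, and the 5 minute aging. The class and function names are hypothetical, and the sample MAC list is constructed. The decision uses nothing but the frame's source MAC, which is why the manual treats this method as weak authentication.

```python
"""Model of the MAC authentication decision (illustrative, not WeOS code)."""
from dataclasses import dataclass, field
from typing import Optional

AGING_SECONDS = 5 * 60  # default MAC aging time stated in the manual


def normalise(mac: str) -> str:
    """Upper-case and use ':' separators so comparisons are consistent."""
    return mac.strip().upper().replace("-", ":")


@dataclass
class MacPattern:
    pattern: str                 # "00:11:22:33:44:55" or "00:AA:BB:*"
    port: Optional[int] = None   # None = applies to all ports on the VLAN

    def matches(self, mac: str, port: int) -> bool:
        if self.port is not None and self.port != port:
            return False         # pattern is limited to another port
        pat, mac = normalise(self.pattern), normalise(mac)
        if pat.endswith("*"):    # wild-card is only valid at the end
            return mac.startswith(pat[:-1])
        return mac == pat


@dataclass
class VlanMacAuth:
    mac_list: list                                  # list of MacPattern
    last_seen: dict = field(default_factory=dict)   # (port, mac) -> time

    def on_packet(self, src_mac: str, port: int, now: float) -> str:
        key = (port, normalise(src_mac))
        seen = self.last_seen.get(key)
        if seen is not None and now - seen < AGING_SECONDS:
            self.last_seen[key] = now       # traffic keeps the port open
            return "forward"
        self.last_seen.pop(key, None)       # aged out: authenticate again
        if any(p.matches(src_mac, port) for p in self.mac_list):
            self.last_seen[key] = now       # port opened for this MAC only
            return "authorised"
        return "discard"


# Constructed sample list: one exact address, one wild-card limited to port 3.
SAMPLE_LIST = [MacPattern("00:11:22:33:44:55"),
               MacPattern("00:AA:BB:*", port=3)]
```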
As of v4.17.0, WeOS does not support MAC based authentication with a backend
authentication server (e.g., RADIUS).
5 MAC aging time is by default 5 minutes, see and for more information.
© 2015 Westermo Teleindustri AB