RADIUS-based MAC authentication, Local MAC authentication, MAC authentication timers – H3C Technologies H3C S7500E Series Switches User Manual
RADIUS-Based MAC Authentication
In RADIUS-based MAC authentication, the device serves as a RADIUS client and requires a RADIUS
server to cooperate with it.
• If the type of username is MAC address, the device forwards a detected MAC address as the
username and password to the RADIUS server for authentication of the user.
• If the type of username is fixed username, the device sends the same username and password
configured locally to the RADIUS server for authentication of each user.
If the authentication succeeds, the user is granted permission to access the network resources.
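The following added example (not taken from the H3C manual or the device software) builds the RADIUS Access-Request that would carry the credentials in each username mode, using the RFC 2865 attribute encoding, and decodes it as the server would. The MAC notation (lowercase, hyphen-separated), the fixed account, the shared secret and all function names are constructed assumptions.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2   # RFC 2865 code and attribute types

def xor_blocks(data, secret, authenticator, decrypt=False):
    """RFC 2865 5.2 hiding: XOR 16-byte blocks with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block if decrypt else res      # the chain always runs over ciphertext
        out += res
    return out

def credentials(mac, mode, fixed=("mac-auth-user", "constructed-password")):
    """(username, password) the device submits for a detected source MAC."""
    if mode == "mac-address":                 # MAC is both username and password
        name = mac.lower().replace(":", "-")  # assumed notation, not from the manual
        return name, name
    return fixed                              # fixed username: same pair for every user

def access_request(mac, mode, secret, ident=1):
    authenticator = os.urandom(16)            # random Request Authenticator
    user, pw = (s.encode() for s in credentials(mac, mode))
    padded = pw + b"\x00" * (-len(pw) % 16)   # pad password to a 16-byte multiple
    attrs = b""
    for a_type, value in ((USER_NAME, user),
                          (USER_PASSWORD, xor_blocks(padded, secret, authenticator))):
        attrs += struct.pack("!BB", a_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def server_view(packet, secret):
    """Decode User-Name and User-Password the way the RADIUS server would."""
    authenticator, pos, found = packet[4:20], 20, {}
    while pos < len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        found[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    clear = xor_blocks(found[USER_PASSWORD], secret, authenticator, decrypt=True)
    return found[USER_NAME].decode(), clear.rstrip(b"\x00").decode()

if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"     # constructed sample values
    for mode in ("mac-address", "fixed"):
        print(mode, server_view(access_request("00:00:5E:00:53:2A", mode, SECRET), SECRET))
```

In MAC address mode the account on the RADIUS server has to use the same MAC notation in both its username and password fields as the device sends, otherwise every request is rejected.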
Local MAC Authentication
In local MAC authentication, the device authenticates users locally and therefore you need to
configure local username accounts for users on the device:
• If the type of username is MAC address, configure a local user account for each user, using the
user’s MAC address as both the username and password.
• If the type of username is fixed username, configure a single local user account for all users.
MAC Authentication Timers
The following timers function during MAC authentication:
• Offline detect timer: At this interval, the device checks whether there is traffic from a user. If
it receives no traffic from a user within two intervals, the device logs the user out and sends a
stop-accounting request to the RADIUS server.
• Quiet timer: Whenever a user fails MAC authentication, the device does not perform MAC
authentication for the user during the quiet period and drops the user’s packets directly. When the
quiet timer expires, the device re-authenticates the user upon receiving a packet from the user.
• Server timeout timer: During authentication of a user, if the device receives no response from the
RADIUS server within this period, it assumes that the RADIUS server is not available and denies the
user access to the network.
Features Used Together with MAC Authentication
VLAN Assignment
RADIUS-based MAC authentication supports VLAN assignment.
To keep unauthenticated users and users who fail authentication away from restricted network
resources, users are initially placed in a VLAN different from the one in which the restricted network
resources reside. After a user passes MAC authentication, the RADIUS server assigns the restricted
resources VLAN to the user as the authorized VLAN, and the device then adds the port connecting the
user to the authorized VLAN. As a result, the user can access those restricted network resources.
ACL Assignment
RADIUS-based MAC authentication supports ACL assignment.
With ACLs configured on the device and specified as authorization ACLs on the RADIUS server, after
a user passes MAC authentication, the RADIUS server will assign the user’s authorization ACL to