beautypg.com

Configuring mac authentication, Overview, User account policies – H3C Technologies H3C S6300 Series Switches User Manual

Page 95: Authentication methods

background image

80

Configuring MAC authentication

Overview

MAC authentication controls network access by authenticating source MAC addresses on a port. It does

not require client software, and users do not have to enter a username and password for network access.
The device initiates a MAC authentication process when it detects an unknown source MAC address on

a MAC authentication enabled port. If the MAC address passes authentication, the user can access

authorized network resources. If the authentication fails, the device marks the MAC address as a silent

MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from
the MAC address within the quiet time. The quiet mechanism avoids repeated authentication during a

short time.

NOTE:

If the MAC address that has failed authentication is a static MAC address or a MAC address that has
passed any security authentication, the device does not mark the MAC address as a silent address.

User account policies

MAC authentication supports the following user account policies:

One MAC-based user account for each user. The access device uses the source MAC addresses in
packets as the usernames and passwords of users for MAC authentication. This policy is suitable for

an insecure environment.

One shared user account for all users. You specify one username and password, which are not
necessarily a MAC address, for all MAC authentication users on the access device. This policy is

suitable for a secure environment.

Authentication methods

You can perform MAC authentication on the access device (local authentication) or through a RADIUS

server.
Local authentication:

If you configure MAC-based accounts, the access device uses the source MAC address of the
packet as the username and password to search its local account database for a match.

If you configure a shared account, the access device uses the shared account username and
password to search its local account database for a match.

RADIUS authentication:

If you configure MAC-based accounts, the access device sends the source MAC address as the
username and password to the RADIUS server for authentication.

If you configure a shared account, the access device sends the shared account username and
password to the RADIUS server for authentication.

This manual is related to the following products:
See also other documents in the category H3C Technologies Routers: