Configuring Authentication and Authorization by MAC Address 459
Changing the MAC Password for RADIUS
When you enable MAC authentication, the client does not supply a
regular username or password. The MAC address of the user’s device is
extracted from frames received from the device.
To authenticate and authorize MAC users via RADIUS, MSS must supply a
password for MAC users, which is called the outbound authorization
password. By default, MSS sends the MAC user’s MAC address as that
user’s password too.
To set the authorization password to a specific value for all MAC users,
use the following command:
set radius server server-name author-password password
Before setting the outbound authorization password for a RADIUS server,
you must have set the address for the RADIUS server. For more
information, see “Configuring RADIUS Servers” on page 521.
For example, the following command sets the outbound authorization
password for MAC users on server bigbird to h00per:
WX1200# set radius server bigbird author-password h00per
success: change accepted.
If the MAC address is in the database, MSS uses the VLAN attribute and
other attributes associated with it for user authorization. Otherwise, MSS
tries the fallthru authentication type, which can be last-resort, Web, or
A MAC address must be dash-delimited in the RADIUS database (for
example, 00-00-01-03-04-05). However, MSS always displays
colon-delimited MAC addresses.
To reset the authorization password to the default (user’s MAC address),
clear the RADIUS server, then re-add it without specifying the
authorization password. To clear a RADIUS server, use the clear radius
server server-name command.
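The following check is an added example, not part of the original guide or of MSS. It audits an exported list of RADIUS user entries against the two rules described above: MAC usernames must be dash-delimited, and each entry's password must match what MSS sends (the author-password if one is set, otherwise the MAC itself). The function names, the sample entries, and the assumption that the default password is the dash-delimited MAC compared case-insensitively are all illustrative.

```python
import re

_HEX = "[0-9A-Fa-f]{2}"
# Six octets with one consistent delimiter, colon or dash.
_MAC = re.compile(rf"{_HEX}(?P<sep>[:-]){_HEX}(?:(?P=sep){_HEX}){{4}}")


def to_radius_form(value):
    """Return the dash-delimited form of a MAC address, or None if not a MAC."""
    m = _MAC.fullmatch(value.strip())
    return m.group(0).replace(":", "-") if m else None


def audit(entries, author_password=None):
    """Check (username, password) pairs against what MSS will send.

    author_password is the value given to 'set radius server ...
    author-password'; None means the default, the MAC itself.
    Returns a list of (username, finding) tuples.
    """
    findings = []
    for user, password in entries:
        dashed = to_radius_form(user)
        if dashed is None:
            continue  # not a MAC user, out of scope for this check
        if user.strip() != dashed:
            findings.append((user, "format: store as " + dashed))
        if author_password is None:
            # Assumption: the MAC is sent as the password in the same
            # dash-delimited form; compared case-insensitively here.
            if password.lower() != dashed.lower():
                findings.append((user, "password-mismatch"))
        elif password != author_password:
            findings.append((user, "password-mismatch"))
    return findings


# Constructed sample export, not taken from any real database.
SAMPLE = [
    ("00-00-01-03-04-05", "h00per"),
    ("00:00:01:03:04:06", "h00per"),             # colon form as MSS displays it
    ("00-00-01-03-04-07", "00-00-01-03-04-07"),  # still uses the default password
    ("alice", "secret"),                         # ordinary user, ignored
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE, author_password="h00per"):
        print(user, finding)
```

Run it with the author-password configured on the switch, or with no argument to check entries against the default behavior.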