Filter
Top Products
Working with Security Configurations
MAC Authentication Overview
Matrix E1 Series (1G58x-09 and 1H582-xx) Configuration Guide 14-115
14.4.3.1 Authentication Method Sequence
When MAC authentication is enabled on a port, the authentication of a specific MAC address
commences immediately following the reception of any frame. The MAC address and a currently
stored password for the port are used to perform a Password Authentication Protocol (PAP)
authentication with one of the configured RADIUS servers. If successful, the port forwarding
behavior is changed according to the authorized access policy and a session is started. If
unsuccessful, the forwarding behavior of the port remains unchanged.
If successful, the filter-id in the RADIUS response may contain a policy string of the form
policy=”policy name”. If the string exists and it refers to a currently configured access policy in this
switch, then the port receives this new policy. If authenticated, but the authorized policy is invalid
or non-existent, then the port forwards the frame normally according to the port default policy, if
one exists. Otherwise, frames are forwarded without any policy.
14.4.3.2 Concurrent Operation of 802.1X and MAC
Authentication
When both 802.1X (EAPOL) and MAC authentication are enabled on the same device, the switch
enforces a precedence relationship between MAC authentication and 802.1X methods. This
section defines the precedence rules to determine which authentication method has control over an
interface.
When both methods are enabled, and when a user is authenticated using the 802.1X method,
802.1X takes precedence over MAC authentication. If the port or MAC remains unauthenticated in
802.1X, then MAC authentication is active and may authenticate the next MAC address received
on that port.
MAC authentication and 802.1X can be configured to run concurrently on the same module, but
exclusively on distinct interfaces. To achieve this, the 802.1X port behavior in the
force-unauthorized state is overloaded by enabling both 802.1X and MAC authentication, setting
the 802.1X MIB to force-unauthorized for the interface in question, and enabling it for MAC
authentication. This allows MAC authentication to run unhindered by 802.1X on that interface by,
in effect, disabling all 802.1X control over it.
If a switch port is configured to enable both 802.1X and MAC authentication, then it is possible for
the switch to receive a start or a response 802.1X frame while a MAC authentication is in progress.
NOTE: Port Web Authentication (PWA) cannot be enabled if either MAC authentication
or EAPOL (802.1X) is enabled. For information on configuring PWA as an alternative
authentication method, refer to Section 14.3.5.