Working with Security Configurations
MAC Authentication Control
Matrix E1 Series (1G58x-09 and 1H582-xx) Configuration Guide 14-119
14.4.4 MAC Authentication Control
MAC authentication is controlled by a global variable that can be enabled or disabled using the
set macauthentication command, as described in Section 14.3.3.3.
If enabled, then
• MAC authentication is active on those ports individually enabled using the set
macauthentication port command as described in Section 14.3.3.5.
• All session and statistic information is reset to defaults.
• Any MAC addresses currently locked to ports are unlocked.
If disabled, then
• MAC authentication stops for all ports.
• All active sessions are terminated.
• All ports currently authenticated using 802.1X are unaffected.
• Any 802.1X ports that were set to forced-unauth revert to discarding all frames,
regardless of the MAC authentication state.
14.4.5 RADIUS Filter-ID Attribute and Dynamic Policy Profile Assignment
If you configure an authentication method that requires communication with a RADIUS server, you
can use the RADIUS Filter-ID attribute to dynamically assign a policy profile and/or management
level to authenticating users and/or devices.
The RADIUS Filter-ID attribute is a string carried in the RADIUS Access-Accept packet that
the RADIUS server sends back to the switch during the authentication process.
Each user can be configured in the RADIUS server database with a RADIUS Filter-ID attribute that
specifies the name of the policy profile and/or management level the user should be assigned upon
successful authentication. During the authentication process, when the RADIUS server returns a
RADIUS Access-Accept message that includes a Filter-ID matching a policy profile name
configured on the switch, the switch then dynamically applies the policy profile to the physical port
the user/device is authenticating on.
Filter-ID Attribute Formats
Enterasys Networks supports two Filter-ID formats — “decorated” and “undecorated.” The
decorated format has three forms: