Before you configure MAC authentication:
- Configure a local username and password on the switch.
- Ensure that the VLANs are configured on the switch and that the appropriate port assignments have been made if you plan to use multiple VLANs with MAC authentication.
- Ping the switch console interface to ensure that the switch is able to communicate with the RADIUS server you are configuring to support MAC authentication.
- Configure the switch with the correct IP address and encryption key to access the RADIUS server.
- Configure the switch for MAC authentication with the ports you will be using.
- Test both the authorized and unauthorized access to your system to ensure that MAC authentication works properly on the ports you have chosen to configure for port-access.
This will identify which authentication method was used (dot1x or mab), whether the current logon is a user or a computer (determined by the host/ prefix), the IP address of the device connected to the port, and other details. If a device connected to the port is unable to support 802.1X, the port fails over to MAB.
- Solution: MAC Authentication Bypass (MAB)
- (Seriously, who puts "bypass" in the name of a security feature???)
- MAB uses the device's MAC address to validate its identity.
- The authenticator first tries to authenticate the new device by sending EAP Request-Identity messages.
Configuring the global MAC authentication password
MAC authentication requires that only a single entry containing the username and password is placed in the user database with the device's MAC address. This creates an opportunity for malicious device spoofing. The global password option configures a common MAC authentication password to use for all MAC authentications sent to the RADIUS server. This makes spoofing more difficult.
When implementing the global MAC authentication password option, the user database on the RADIUS server must have this password set as the password for each device performing MAC authentication.
Syntax:
[no] aaa port-access mac-based password <password-value>
Specifies the global password to be used by all MAC authenticating devices. The [no] form of the command disables the feature.
NOTE: The password value will display in an exported config file when include-credentials is enabled.
Syntax:
aaa port-access mac-based addr-format <no-delimiter|single-dash|multi-dash|multi-colon|no-delimiter-uppercase|single-dash-uppercase|multi-dash-uppercase|multi-colon-uppercase>
Specifies the MAC address format used in the RADIUS request message. This format must match the format used to store the MAC addresses in the RADIUS server.
Default: no-delimiter
- no-delimiter: specifies an aabbccddeeff format.
- single-dash: specifies an aabbcc-ddeeff format.
- multi-dash: specifies an aa-bb-cc-dd-ee-ff format.
- multi-colon: specifies an aa:bb:cc:dd:ee:ff format.
- no-delimiter-uppercase: specifies an AABBCCDDEEFF format.
- single-dash-uppercase: specifies an AABBCC-DDEEFF format.
- multi-dash-uppercase: specifies an AA-BB-CC-DD-EE-FF format.
- multi-colon-uppercase: specifies an AA:BB:CC:DD:EE:FF format.
Syntax:
Enables MAC authentication on specified ports. Use the no form of the command to disable MAC authentication on specified ports.
Specifying the maximum number of authenticated MACs allowed on a port
Syntax:
aaa port-access mac-based [e] <port-list> [addr-limit <1-256>]
Specifies the maximum number of authenticated MACs to allow on the port.
Default: 1
NOTE: On switches where MAC authentication and 802.1X operate concurrently, this limit includes the total number of clients authenticated through both methods.
The limit of 256 clients only applies when there are fewer than 16,384 authentication clients on the entire switch. After the limit of 16,384 clients is reached, no additional authentication clients are allowed on any port for any method.
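The global password and addr-format settings above interact on the RADIUS side: the User-Name the switch sends is the client MAC rendered in the configured addr-format, and the password is either the MAC itself or the global password. The following added example (not HP/Aruba code, and not a real RADIUS client) models that exchange in Python so the two failure modes a practitioner hits most often are visible: a format mismatch between switch and user database, and a per-device database where password equals MAC. The `mac_auth_request`, `radius_lookup` and `mac_auth` names, the dict-based user database and the sample MAC/password values are all constructed for this example.

```python
import re
from typing import Optional

# Layouts behind the switch's addr-format keywords: digits per group and the
# separator between groups. The "-uppercase" variants share these layouts.
ADDR_FORMAT_LAYOUTS = {
    "no-delimiter": (12, ""),
    "single-dash": (6, "-"),
    "multi-dash": (2, "-"),
    "multi-colon": (2, ":"),
}


def format_mac(mac: str, addr_format: str) -> str:
    """Render a MAC address the way the switch would place it in the RADIUS
    User-Name for the given addr-format keyword. Accepts any input delimiter."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    uppercase = addr_format.endswith("-uppercase")
    base = addr_format[: -len("-uppercase")] if uppercase else addr_format
    if base not in ADDR_FORMAT_LAYOUTS:
        raise ValueError(f"unknown addr-format keyword: {addr_format!r}")
    group, sep = ADDR_FORMAT_LAYOUTS[base]
    digits = digits.upper() if uppercase else digits.lower()
    return sep.join(digits[i:i + group] for i in range(0, 12, group))


def mac_auth_request(mac: str, addr_format: str,
                     global_password: Optional[str] = None) -> tuple:
    """Model (assumption drawn from the text above) of what the switch sends:
    User-Name is the formatted MAC; the password is the configured global
    password if one exists, otherwise the formatted MAC itself."""
    username = format_mac(mac, addr_format)
    password = global_password if global_password is not None else username
    return username, password


def radius_lookup(user_db: dict, username: str, password: str) -> bool:
    """Stand-in for the RADIUS server's user-database check. A real server
    answers over the RADIUS protocol; this is a constructed dict lookup."""
    return user_db.get(username) == password


def mac_auth(user_db: dict, mac: str, addr_format: str,
             global_password: Optional[str] = None) -> bool:
    """End-to-end model: switch builds the request, server checks it."""
    username, password = mac_auth_request(mac, addr_format, global_password)
    return radius_lookup(user_db, username, password)


# Constructed sample databases. Both store usernames in multi-colon form, so
# the switch must be configured with addr-format multi-colon to match.
GLOBAL_PW = "example-global-mab-password"   # placeholder, not a real secret
PER_DEVICE_DB = {"00:1b:44:11:3a:b7": "00:1b:44:11:3a:b7"}  # password == MAC
GLOBAL_PW_DB = {"00:1b:44:11:3a:b7": GLOBAL_PW}


if __name__ == "__main__":
    print(format_mac("00:1B:44:11:3A:B7", "multi-dash-uppercase"))
    # Correct format and global password: accepted.
    print(mac_auth(GLOBAL_PW_DB, "001b44113ab7", "multi-colon", GLOBAL_PW))
    # Same client, switch left at the default no-delimiter format: rejected,
    # because the User-Name no longer matches the stored entry.
    print(mac_auth(GLOBAL_PW_DB, "001b44113ab7", "no-delimiter", GLOBAL_PW))
```

The format-mismatch case is the one to check first when every MAC client lands in the unauthorized state after a RADIUS migration: the request is well-formed, the server simply never finds the username.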
Allowing addresses to move without re-authentication
Syntax:
[no] aaa port-access mac-based [e] <port-list> [addr-moves]
Allows client moves between the specified ports under MAC authenticated control. When enabled, the switch allows addresses to move without requiring a re-authentication.
When disabled, the switch does not allow moves and when one occurs, the user will be forced to re-authenticate. At least two ports (from ports and to ports) must be specified.
Use the no form of the command to disable MAC address moves between ports under MAC authenticated control.
Default: Disabled (no moves allowed)
Syntax:
aaa port-access mac-based [e] <port-list> [auth-vid <vid>]
[no] aaa port-access mac-based [e] <port-list> [auth-vid]
Specifies the VLAN to use for an authorized client. The RADIUS server can override the value (the accept response includes a VID).
If auth-vid is 0, no VLAN changes occur unless the RADIUS server supplies one. Use the no form of the command to set the auth-vid to 0.
Default: 0
Specifying the time period enforced for implicit logoff
Syntax:
[no] aaa port-access mac-based [e] <port-list> [logoff-period <60-9999999>]
Specifies the period, in seconds, that the switch enforces for an implicit logoff. This parameter is equivalent to the MAC age interval in a traditional switch sense. If the switch does not see activity after a logoff-period interval, the client is returned to its pre-authentication state.
Default: 300 seconds
Specifying how many authentication attempts can time-out before failure
Syntax:
[no] aaa port-access mac-based [e] <port-list> [max-requests <1-10>]
Specifies the number of authentication attempts that must time-out before authentication fails.
Default: 2
Specifying how long the switch waits before processing a request from a MAC address that failed authentication
Syntax:
[no] aaa port-access mac-based [e] <port-list> [quiet-period <1-65535>]
Specifies the time period (in seconds) that the switch waits before processing an authentication request from a MAC address that failed authentication.
Default: 60 seconds
Specifying time period enforced on a client to re-authenticate
Syntax:
[no] aaa port-access mac-based [e] <port-list> [reauth-period <0-9999999>]
Specifies the time period (in seconds) that the switch enforces on a client to re-authenticate. The client remains authenticated while the re-authentication occurs.
When set to 0, re-authentication is disabled.
Default: 300 seconds
Syntax:
[no] aaa port-access mac-based [e] <port-list> [reauthenticate]
Forces a re-authentication of all attached clients on the port.
Specifying how long the switch waits for a server response
Syntax:
[no] aaa port-access mac-based [e] <port-list> [server-timeout <1-300>]
Specifies the period, in seconds, the switch waits for a server response to an authentication request. Depending on the current max-requests value, the switch sends a new attempt or ends the authentication session.
Default: 30 seconds
Setting the period of time the switch waits before moving the port to the VLAN for unauthenticated clients
Syntax:
aaa port-access mac-based [e] <port-list> [unauth-period]
Sets the period of time the switch waits before moving the port to the VLAN for unauthenticated clients.
Specifying the VLAN to use when authentication fails
Syntax:
aaa port-access mac-based [e] <port-list> [unauth-vid <vid>]
[no] aaa port-access mac-based [e] <port-list> [unauth-vid]
Specifies the VLAN to use for a client that fails authentication. If unauth-vid is 0, no VLAN changes occur. Use the no form of the command to set the unauth-vid to 0.
Default: 0
This feature allows administrators to configure custom messages that are displayed when authentication with the RADIUS server fails. The messages are appended to existing internal web pages that display during the authentication process. Messages can be configured using the CLI, or centrally using the RADIUS server, and can provide a description of the reason for a failure as well as possible steps to take to resolve the authentication issue. There is no change to the current web-based authentication functionality.
Syntax:
[no] aaa port-access web-based access-denied-message <<access-denied-str>|radius-response>
Specifies the text message (ASCII string) shown on the web page after an unsuccessful login attempt. The message must be enclosed in quotes.
The [no] form of the command means that no message is displayed upon failure to authenticate.
Default: The internal web page is used. No message will be displayed upon authentication failure.
- access-denied-str: The text message that is appended to the end of the web page when there is an unsuccessful authentication request. The string can be up to 250 ASCII characters.
- radius-response: Use the text message provided in the RADIUS server response to the authentication request.
Configuring an access denied message on the switch
Access denied message when radius-response is configured
Unauthenticated clients can be assigned to a specific static, untagged VLAN (unauth-vid), to provide access to specific (guest) network resources. If no VLAN is assigned to unauthenticated clients, the port is blocked and no network access is available.
Example of web page when unauth-vid is configured
Example of web page when unauth-vid is not configured
The show running-config command displays the client's information, including the configured access denied message.
Running configuration output displaying access denied message
Running configuration output when RADIUS response is configured
Syntax:
Displays the status of all ports or specified ports that are enabled for MAC authentication. The information displayed for each port includes:
- Number of authorized and unauthorized clients.
- VLAN ID number of the untagged VLAN used. If the switch supports MAC (untagged) VLANs, MACbased is displayed to show that multiple untagged VLANs are configured for authentication sessions.
- If tagged VLANs (statically configured or RADIUS-assigned) are used (Yes or No).
- If client-specific per-port CoS (Class of Service) values are configured (Yes or No) or the numerical value of the CoS (802.1p priority) applied to all inbound traffic. For client-specific per-port CoS values, enter the show port-access web-based clients detailed command.
- If per-port rate-limiting for inbound traffic is applied (Yes or No) or the percentage value of the port's available bandwidth applied as a rate-limit value.
- If RADIUS-assigned ACLs are applied.
Information on ports not enabled for MAC authentication is not displayed.
Viewing session information for MAC authenticated clients on a switch
Syntax:
Displays the session status, name, and address for each MAC authenticated client on the switch. The IP address displayed is taken from the DHCP binding table (learned through the DHCP Snooping feature).
- If DHCP snooping is not enabled on the switch, n/a (not available) is displayed for a client's IP address.
- If a MAC-authenticated client uses an IPv6 address, n/a - IPv6 is displayed.
- If DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table, n/a - no info is displayed.
Output for the show port-access mac-based clients command
Viewing detail on status of MAC authenticated client sessions
Syntax:
show port-access mac-based clients <port-list> detailed
Displays detailed information on the status of MAC authenticated client sessions on specified ports.
For HP Switch 2620, 2910al, and 2920-series:
This syntax shows session status, name, and address for each web-based authenticated client on the switch. The IP address displayed is taken from the DHCP binding table, learned through DHCP snooping. The following can appear if the client's IP address is not available:
- n/a: DHCP snooping is not enabled on the switch; n/a is displayed for a client's IP address.
- n/a-IPv6: a web-based authenticated client uses an IPv6 address.
- n/a-no info: DHCP snooping is enabled but no MAC-to-IP address binding for a client is found in the DHCP binding table.
Output for the show port-access mac-based clients detailed command
Syntax:
Displays the currently configured MAC authentication settings for all switch ports or specified ports, including:
- MAC address format
- Support for RADIUS-assigned dynamic VLANs (Yes or No)
- Controlled direction setting for transmitting Wake-on-LAN traffic on egress ports
- Authorized and unauthorized VLAN IDs
If the authorized or unauthorized VLAN ID value is 0, the default VLAN ID is used unless overridden by a RADIUS-assigned value.
Output for the show port-access mac-based config command
Viewing details of MAC Authentication settings on ports
Syntax:
show port-access mac-based config <port-list> detailed
Displays more detailed information on the currently configured MAC authentication settings for specified ports.
Output for the show port-access mac-based config detail command
Viewing MAC Authentication settings including RADIUS server-specific
Syntax:
show port-access mac-based config [port-list] auth-server
Displays the currently configured web authentication settings for all switch ports or specified ports and includes RADIUS server-specific settings, such as:
- Timeout waiting period.
- Number of timeouts supported before authentication login fails.
- Length of time (quiet period) supported between authentication login attempts.
Output for the show port-access mac-based config auth-server command
The table below shows the possible client status information that can be reported by a web-based or MAC-based 'show... clients' command.

Reported status | Available network connection | Possible explanations
---|---|---
authenticated | Authorized VLAN | Client authenticated. Remains connected until logoff-period or reauth-period expires.
authenticating | Switch only | Pending RADIUS request.
rejected-no vlan | No network access | 
rejected-unauth vlan | Unauthorized VLAN only | 
timed out-no vlan | No network access | RADIUS request timed out. If unauth-vid is specified it cannot be successfully applied to the port. An authorized client on the port has precedence. Credentials resubmitted after quiet-period expires.
timed out-unauth vlan | Unauthorized VLAN only | RADIUS request timed out. After the quiet-period expires credentials are resubmitted when client generates traffic.
unauthenticated | Switch only | Waiting for user credentials.
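The status table and the per-port timers (max-requests, server-timeout, quiet-period, auth-vid, unauth-vid) describe one state machine from two angles. The following added example (a model written for this page, not switch firmware) ties them together in Python: given a port configuration and the sequence of RADIUS outcomes for one client, it derives the status string the show command would report, the VLAN the client ends up in, and how long the switch will wait before re-processing that MAC. Assumptions labelled in the code: the port's own untagged VLAN is called `port_default_vid`, the quiet period is applied after a reject as well as after a timeout (the quiet-period text above says "failed authentication"), and the "authorized client has precedence" rule from the table is modelled with the `other_authorized_client` flag.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RADIUS outcomes the switch can observe for one authentication attempt.
ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"


@dataclass
class MacAuthPortConfig:
    """Per-port MAC authentication settings, with the defaults from the page."""
    auth_vid: int = 0           # 0 = keep port VLAN unless RADIUS assigns one
    unauth_vid: int = 0         # 0 = no VLAN change; failed client is blocked
    max_requests: int = 2       # timeouts before the attempt is declared failed
    server_timeout: int = 30    # seconds to wait for each RADIUS reply
    quiet_period: int = 60      # seconds before re-processing a failed MAC
    port_default_vid: int = 1   # assumption: the port's own untagged VLAN


def time_to_timeout(cfg: MacAuthPortConfig) -> int:
    """Worst-case seconds a client sits in 'authenticating' before the switch
    gives up on an unresponsive RADIUS server."""
    return cfg.max_requests * cfg.server_timeout


def client_outcome(cfg: MacAuthPortConfig, radius_replies: List[str],
                   radius_vid: Optional[int] = None,
                   other_authorized_client: bool = False
                   ) -> Tuple[str, Optional[int], Optional[int]]:
    """Return (reported status, VLAN the client is placed in or None when it has
    no network access, seconds until the switch re-processes this MAC or None).
    radius_replies is the ordered list of outcomes for this client's attempts."""
    timeouts = 0
    for reply in radius_replies:
        if reply == ACCEPT:
            # RADIUS-assigned VID overrides auth-vid; auth-vid 0 keeps port VLAN.
            vid = radius_vid or cfg.auth_vid or cfg.port_default_vid
            return "authenticated", vid, None
        if reply == REJECT:
            if cfg.unauth_vid:
                return "rejected-unauth vlan", cfg.unauth_vid, cfg.quiet_period
            return "rejected-no vlan", None, cfg.quiet_period
        if reply == TIMEOUT:
            timeouts += 1
            if timeouts < cfg.max_requests:
                continue            # switch retries the request
            # Per the table: unauth-vid cannot be applied while another
            # authorized client holds the port.
            if cfg.unauth_vid and not other_authorized_client:
                return "timed out-unauth vlan", cfg.unauth_vid, cfg.quiet_period
            return "timed out-no vlan", None, cfg.quiet_period
        raise ValueError(f"unknown RADIUS outcome: {reply!r}")
    # No final answer yet: request still outstanding, or no traffic seen.
    return ("authenticating", None, None) if radius_replies else ("unauthenticated", None, None)


if __name__ == "__main__":
    cfg = MacAuthPortConfig(auth_vid=20, unauth_vid=99)
    print(client_outcome(cfg, [ACCEPT]))                   # authenticated on VLAN 20
    print(client_outcome(cfg, [ACCEPT], radius_vid=30))    # RADIUS override to 30
    print(client_outcome(cfg, [REJECT]))                   # rejected-unauth vlan, 99
    print(client_outcome(cfg, [TIMEOUT, TIMEOUT]))         # timed out-unauth vlan
    print(client_outcome(cfg, [TIMEOUT, TIMEOUT], other_authorized_client=True))
    print(time_to_timeout(cfg))                            # 60 seconds
```

Two practical reads from the model: with the defaults, an unreachable RADIUS server leaves every new client in "authenticating" for 60 seconds and then parks it in the unauth VLAN (if one is set) for another 60 seconds before retrying, so a short outage shows up as a wave of "timed out-unauth vlan" entries rather than immediate failures; and setting unauth-vid on a port that already has an authorized client does not give a timed-out client that VLAN.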