10.1 Overview

MAC-based authentication provides a method for authenticating terminals such as printers which, unlike PCs and similar devices, cannot participate in the login process as required by IEEE 802.1X and Web authentication.

The switch performs authentication based on the source MAC address of frames received at a port configured to perform MAC-based authentication, and admits frames originating from authorized terminals.

If DHCP snooping is enabled at the port, the ARP packets and DHCP packets sent from the terminal are subject to DHCP snooping before they become involved in the MAC-based authentication process. For this reason, MAC-based authentication applies only to packets that DHCP snooping allows through the port.

<Structure of this section>

(1) Authentication mode

The Switch supports the following authentication modes:

Fixed VLAN mode

Terminals that undergo successful authentication have their MAC addresses entered in the MAC address table and are permitted access to the VLAN.
Dynamic VLAN mode

Terminals that undergo successful authentication have their MAC addresses registered in a MAC VLAN. Terminals are given access to different VLANs before and after authentication.

In dynamic VLAN mode, VLAN to which the unauthenticated terminal belongs is called the unauthenticated VLAN. The post-authentication VLAN is called the post-authentication VLAN.

(2) Authentication method

Users of the Switch can choose to perform authentication locally or via a RADIUS server. Fixed VLAN mode and dynamic VLAN mode each support both variations.

Local authentication

This method registers MAC addresses in the authentication DB (called the built-in MAC authentication DB) built in the Switch, and verifies that the received frame matches MAC address before authentication. This method is suited to small-scale networks that lack a RADIUS server.
RADIUS authentication

Authentication is performed by using a RADIUS server deployed on the network. This method is suited to larger networks.