11.1.4 MAC-based authentication Parameter Settings
This section describes how to set the parameters for MAC-based authentication.
<Structure of this section>
(1) Setting the maximum authentication time
(2) Configuring Fixed VLAN Authentication Count
(3) Setting up the RADIUS server
(4) Configuring Accounting
(5) Setting to verify VLAN ID when authenticating
(6) Setting a RADIUS Query Password
(7) Setting the re-authentication time interval after authentication failure
(8) Configuring Authentication-Only IPv4 Access Lists
(9) Configuring Dynamic VLAN Authentication Count
(10) Disabling de-authentication of terminals with no access

(1) Setting the maximum authentication time
Points to note
Set the time after which the switch forcibly de-authenticates a terminal that has been authenticated.
Command examples
(config)# mac-authentication max-timer 60
Configures the switch to forcibly de-authenticate each terminal 60 minutes after it was authenticated.
(2) Configuring Fixed VLAN Authentication Count
Points to note
Set the maximum number of MAC addresses that can be authenticated in fixed VLAN mode. Terminals beyond this limit are not authenticated.
Command examples
(config)# mac-authentication static-vlan max-user 20
Specifies 20 as the maximum number of authenticated MAC addresses for MAC-based authentication in fixed VLAN mode.
(3) Setting up the RADIUS server
Points to note
Specify that MAC-based authentication is performed by a RADIUS server. This command selects RADIUS as the authentication method; the RADIUS server addresses and shared secrets are configured separately.
Command examples
(config)# aaa authentication mac-authentication default group radius
Specifies that authentication takes place using the configured RADIUS server group.
(4) Configuring Accounting
Points to note
Enable the collection of accounting information for MAC-based authentication, so that the RADIUS server keeps a record of when each terminal was authenticated and de-authenticated.
Command examples
(config)# aaa accounting mac-authentication default start-stop group radius
Enables accounting for MAC-based authentication: the switch sends a start record to the RADIUS server when a terminal is authenticated and a stop record when it is de-authenticated.
(5) Setting to verify VLAN ID when authenticating
Points to note
Direct the switch to use both the MAC address and the VLAN ID as the MAC-based authentication credentials, rather than the MAC address alone. Without this setting, a MAC address registered on the RADIUS server is accepted regardless of the VLAN in which the terminal appears.
Command examples
(config)# mac-authentication vlan-check key "@@VLAN"
Configures MAC-based authentication to also check the VLAN ID.
If you are using RADIUS authentication, the switch submits the MAC address and the VLAN ID to the RADIUS server as a single user name string in which the two are joined by the key string @@VLAN. The user entries on the RADIUS server must be registered in the same form.
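The following Python example is added here to show what the credentials described in (5) and (6) look like from the RADIUS server's side, and why the VLAN check matters. It is not code from the switch manual or from the switch vendor. It models the RADIUS user database as a plain dictionary and builds no RADIUS packets; the assumption that the MAC address is sent as 12 lowercase hex digits without separators is the example's own (the real switch has its own configurable MAC format), as are the sample MAC address and user entries.

```python
"""Added example (not from the switch manual): the user name / password pair
the switch submits for MAC-based authentication, with and without vlan-check.

Assumptions (not stated on the page): the MAC address is sent as 12 lowercase
hex digits without separators, the RADIUS lookup is modelled as a dictionary,
and no RADIUS packets are built or sent.
"""
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional

VLAN_KEY = "@@VLAN"          # mac-authentication vlan-check key "@@VLAN"
QUERY_PASSWORD = "pakapaka"  # mac-authentication password pakapaka


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation (00:12:e2:..., 0012.e200.0001, 00-12-E2-...)
    to 12 lowercase hex digits. This canonical form is an assumption of the
    example; the real switch has its own configurable MAC format."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def radius_user_name(mac: str, vlan_id: Optional[int], key: str = VLAN_KEY) -> str:
    """User name the switch submits: the MAC address alone, or, with vlan-check
    enabled, MAC address + key string + VLAN ID as one string."""
    name = normalize_mac(mac)
    if vlan_id is not None:
        name = f"{name}{key}{vlan_id}"
    return name


@dataclass
class MockRadiusServer:
    """Stand-in for the RADIUS user database: user name -> password (constructed)."""
    users: Dict[str, str] = field(default_factory=dict)

    def access_request(self, user_name: str, password: str) -> bool:
        expected = self.users.get(user_name)
        if expected is None:
            return False
        # Constant-time compare. The password is the shared query password from (6),
        # so the user name (MAC, optionally with VLAN) is the real credential.
        return hmac.compare_digest(expected.encode(), password.encode())


def switch_authenticate(server: MockRadiusServer, mac: str, vlan_id: int,
                        vlan_check: bool) -> bool:
    """Authenticate one terminal the way the switch does: build the user name
    (with or without the VLAN ID) and send the fixed query password."""
    user_name = radius_user_name(mac, vlan_id if vlan_check else None)
    return server.access_request(user_name, QUERY_PASSWORD)


# Constructed sample databases. Terminal 00:12:e2:00:00:01 is meant to live in VLAN 10.
SERVER_NO_VLAN_CHECK = MockRadiusServer({"0012e2000001": QUERY_PASSWORD})
SERVER_VLAN_CHECK = MockRadiusServer({"0012e2000001" + VLAN_KEY + "10": QUERY_PASSWORD})


def demo() -> Dict[str, bool]:
    """Same MAC appearing in its intended VLAN 10 and in an unintended VLAN 20."""
    mac = "00:12:e2:00:00:01"
    return {
        "no_check_vlan10": switch_authenticate(SERVER_NO_VLAN_CHECK, mac, 10, False),
        "no_check_vlan20": switch_authenticate(SERVER_NO_VLAN_CHECK, mac, 20, False),
        "check_vlan10": switch_authenticate(SERVER_VLAN_CHECK, mac, 10, True),
        "check_vlan20": switch_authenticate(SERVER_VLAN_CHECK, mac, 20, True),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'Access-Accept' if accepted else 'Access-Reject'}")
```

Without vlan-check the registered MAC address is accepted in VLAN 20 as well as VLAN 10; with vlan-check the VLAN 20 attempt fails because no user "0012e2000001@@VLAN20" exists. Because every request carries the same query password, the RADIUS server should treat that password as a per-switch shared value rather than a per-terminal secret, and the MAC address (which a terminal can set freely) remains the only thing that identifies the terminal.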
(6) Setting a RADIUS Query Password
Points to note
Specify the password that the switch sends with every MAC-based authentication request to the RADIUS server. The same password is used for all terminals, so the MAC address (and the VLAN ID, if VLAN checking is enabled) is what actually identifies the terminal; register each MAC address on the RADIUS server with this password.
Command examples
(config)# mac-authentication password pakapaka
Specifies pakapaka as the password sent to the RADIUS server.
(7) Setting the re-authentication time interval after authentication failure
Points to note
Specify how long the switch waits before it processes another authentication request from a MAC address that has failed authentication. During this interval, frames from that MAC address do not trigger new requests to the RADIUS server.
Command examples
(config)# mac-authentication auth-interval-timer 10
Configures the switch to wait 10 minutes after an authentication failure before it attempts to authenticate the same MAC address again.
(8) Configuring Authentication-Only IPv4 Access Lists
Points to note
Configure the Switch to forward specific packets from unauthenticated terminals to destinations outside the Switch. Typically this is used to let a terminal reach a DHCP server before it is authenticated; all other traffic from unauthenticated terminals is still blocked.
Command examples
(config)# ip access-list extended 100
(config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255 eq bootps
(config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.10.100 eq bootps
(config-ext-nacl)# exit
(config)# interface gigabitethernet 1/0/3
(config-if)# authentication ip access-group 100
(config-if)# exit
Configures IPv4 access list 100, which permits DHCP (bootps) packets from source address 0.0.0.0 (a terminal that has not yet obtained an address) to the broadcast address 255.255.255.255 and to the DHCP server 192.168.10.100, and applies it as the authentication-only access list on port 1/0/3. Unauthenticated terminals on that port can therefore obtain an IP address but cannot send anything else beyond the Switch.
(9) Configuring Dynamic VLAN Authentication Count
Points to note
Set the maximum number of MAC addresses that can be authenticated in dynamic VLAN mode. Terminals beyond this limit are not authenticated.
Command examples
(config)# mac-authentication dynamic-vlan max-user 20
Specifies 20 as the maximum number of authenticated MAC addresses for MAC-based authentication in dynamic VLAN mode.
(10) Disabling de-authentication of terminals with no access
Points to note
Disable the function that de-authenticates an authenticated MAC address when no frames have been received from the terminal for a period of time. With this function disabled, a silent terminal stays authenticated until it is de-authenticated by another means, such as the maximum authentication time set in (1).
Command examples
(config)# no mac-authentication auto-logout
Configures the switch not to clear the authentication status of an authenticated MAC address when no access from the terminal is detected.