10.1 Overview
MAC-based authentication provides a method for authenticating terminals such as printers which, unlike PCs and similar devices, cannot participate in the login process as required by IEEE 802.1X and Web authentication.
The switch performs authentication based on the source MAC address of frames received at a port configured to perform MAC-based authentication, and admits frames originating from authorized terminals.
If DHCP snooping is enabled at the port, the ARP packets and DHCP packets sent from the terminal are subject to DHCP snooping before they become involved in the MAC-based authentication process. For this reason, MAC-based authentication applies only to packets that DHCP snooping allows through the port.
(1) Authentication mode
The Switch supports the following authentication modes:
- Fixed VLAN mode
  Terminals that undergo successful authentication have their MAC addresses entered in the MAC address table and are permitted access to the VLAN.
- Dynamic VLAN mode
  Terminals that undergo successful authentication have their MAC addresses registered in a MAC VLAN. Terminals are given access to different VLANs before and after authentication.
In dynamic VLAN mode, the VLAN to which a terminal belongs before authentication is called the unauthenticated VLAN, and the VLAN to which it belongs after authentication is called the post-authentication VLAN.
(2) Authentication method
Users of the Switch can choose to perform authentication locally or via a RADIUS server. Fixed VLAN mode and dynamic VLAN mode each support both variations.
- Local authentication
  This method registers MAC addresses in an authentication database built into the Switch (called the built-in MAC authentication DB) and authenticates a terminal by checking that the source MAC address of a received frame matches a registered MAC address. This method is suited to small-scale networks that lack a RADIUS server.
- RADIUS authentication
  Authentication is performed by using a RADIUS server deployed on the network. This method is suited to larger networks.
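The following Python model is an added illustration, not the Switch's own code or configuration. It walks one received frame through the order described in this section: DHCP snooping first, then local MAC-based authentication in fixed or dynamic VLAN mode. The names `Port`, `admit` and `BUILTIN_DB`, the VLAN IDs, and the idea that each database entry carries the post-authentication VLAN are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so 00-11-.., 0011.22.. and 00:11:.. forms compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

@dataclass
class Port:
    mode: str                  # "fixed" or "dynamic"
    vlan: int                  # fixed: the port's VLAN; dynamic: the unauthenticated VLAN
    dhcp_snooping: bool = False
    mac_table: dict = field(default_factory=dict)  # fixed mode: MAC -> VLAN
    mac_vlan: dict = field(default_factory=dict)   # dynamic mode: MAC -> VLAN

# Constructed sample database: MAC -> post-authentication VLAN (assumed layout).
BUILTIN_DB = {norm_mac("00-11-22-AA-BB-CC"): 200}

def admit(port, auth_db, src_mac, kind="data", snooping_permits=True):
    """Return (verdict, vlan) for one frame received on an authenticating port.

    kind is "arp", "dhcp" or "data"; snooping_permits stands in for the
    DHCP snooping verdict, which this model does not compute itself.
    """
    mac = norm_mac(src_mac)
    # Stage 1: ARP and DHCP packets pass through DHCP snooping before they
    # can take part in MAC-based authentication.
    if port.dhcp_snooping and kind in ("arp", "dhcp") and not snooping_permits:
        return ("dropped-by-snooping", None)
    # Terminals that already authenticated are forwarded in their VLAN.
    learned = port.mac_table if port.mode == "fixed" else port.mac_vlan
    if mac in learned:
        return ("forwarded", learned[mac])
    # Stage 2: local authentication against the built-in database.
    if mac not in auth_db:
        # Dynamic mode: the terminal stays in the unauthenticated VLAN.
        return ("auth-failed", port.vlan if port.mode == "dynamic" else None)
    if port.mode == "fixed":
        port.mac_table[mac] = port.vlan    # entered in the MAC address table
        return ("authenticated", port.vlan)
    port.mac_vlan[mac] = auth_db[mac]      # registered in the MAC VLAN
    return ("authenticated", auth_db[mac])
```

Because a frame dropped by DHCP snooping never reaches the authentication stage, a terminal whose first packets are rejected there leaves no entry in either table.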