Configuration Guide Vol. 2


10.4.2 Preparing RADIUS Servers

Before you can use MAC-based authentication in RADIUS authentication mode, you must register the MAC addresses and their passwords on the RADIUS server.

This section also lists the RADIUS attributes that the MAC-based authentication functionality of the Switch sends and evaluates.


(1) Create User ID

MAC-based authentication requires you to register each MAC address as a user ID on the RADIUS server. The MAC address is specified as a 12-character hexadecimal string with no separators, using half-width digits 0 to 9 and lowercase letters a to f (for example, 0012e2012345 for the address 00-12-e2-01-23-45).

In fixed VLAN mode, if you want the RADIUS server to use both the MAC address and VLAN ID as credentials, register a user ID that combines the MAC address and VLAN ID in a character string with the following format.

Figure 10-10: MAC address + VLAN ID register format

[Figure not reproduced in this text]

(2) Registering a password

The password registered for each user ID can be either of the following:

    • The MAC address itself

    • A common password specified by a configuration command on the Switch

Neither value is a secret: the MAC address is visible on the wire and a common password is shared by every terminal. MAC-based authentication therefore identifies a terminal by an address it presents, and cannot by itself prevent a terminal from presenting another terminal's MAC address. Combine it with port security or monitoring where that matters.

(3) Configuring Post-Authentication VLAN

Use the following procedure to configure the post-authentication VLAN to which a terminal is assigned after successful authentication in dynamic VLAN mode.

  1. Set Tunnel-Type to 13 (VLAN).

  2. Set Tunnel-Medium-Type to 6 (IEEE 802).

  3. Specify a VLAN ID for the Tunnel-Private-Group-ID attribute, in one of the following formats:

    • As a numerical value

      Example: If the VLAN ID is 2048, specify the character string 2048.

    • As the character string "VLAN" followed by a numerical value

      Example: If the VLAN ID is 2048, specify the character string VLAN2048.

    • As a VLAN name defined using the name configuration command

If you perform authentication in dynamic VLAN mode without setting Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID, the native VLAN will be assigned as the post-authentication VLAN.

(4) RADIUS server settings and attributes used by MAC-based authentication

Make sure that the RADIUS server is configured to accept PAP as the authentication method for these user IDs: the Switch sends the MAC address (or the common password) in the User-Password attribute using PAP. Because PAP only obfuscates User-Password with the RADIUS shared secret, protect the shared secret and the path between the Switch and the server. The tables below describe the RADIUS attributes used in the process of MAC-based authentication. For details about how to configure the RADIUS server, see the documentation for the RADIUS server deployed in your network.

Table 10-5 Attributes in the Access-Request used for MAC-based authentication

Attribute name (type value): Description

User-Name (1): The MAC address, or the MAC address + VLAN ID string in the format shown in Figure 10-10.

User-Password (2): The MAC address, or the common password specified by a configuration command.

NAS-IP-Address (4): The IP address of the loopback interface, if one is configured. If no loopback interface is configured, the IP address of the interface that communicates with the RADIUS server.

Service-Type (6): Framed(2).

Calling-Station-Id (31): The MAC address of the terminal being authenticated, as a hyphen-punctuated lowercase ASCII string. Example: 00-12-e2-01-23-45

NAS-Identifier (32): In fixed VLAN mode, a numeric string giving the VLAN ID to which the authenticated terminal belongs (for example, 100 for VLAN ID 100). In dynamic VLAN mode and legacy mode, the device name set by the hostname configuration command.

NAS-Port-Type (61): Virtual(5).

NAS-IPv6-Address (95): The IPv6 address of the loopback interface, if one is configured. If no loopback interface is configured, the IPv6 address of the interface that communicates with the RADIUS server. When the Switch communicates over an IPv6 link-local address, this attribute carries the link-local address of the transmitting interface, regardless of whether the loopback interface has an IPv6 address.
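As an added example (not code from the original guide or from the Switch vendor), the following Python builds an Access-Request carrying the attributes of Table 10-5 in fixed VLAN mode and shows the server-side check of (1) and (2): the User-Password, hidden with the RFC 2865 PAP scheme, must equal the MAC user ID or the configured common password. The NAS address, shared secret, MAC address and VLAN ID are constructed sample values; the attribute type values follow Table 10-5. The MAC address + VLAN ID user ID format of Figure 10-10 is not reproduced, so the user ID here is the bare MAC address.

```python
import hashlib
import os
import re
import struct

# Constructed sample values (not from the guide): a documentation-range NAS
# address, a made-up shared secret and a made-up terminal MAC address.
NAS_IP = "192.0.2.10"
SHARED_SECRET = b"example-shared-secret"
SAMPLE_MAC = "00:12:E2:01:23:45"

# RADIUS code and attribute type values from Table 10-5 (RFC 2865).
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_IDENTIFIER, NAS_PORT_TYPE = 31, 32, 61
SERVICE_TYPE_FRAMED, NAS_PORT_TYPE_VIRTUAL = 2, 5


def normalize_mac(mac):
    """The 12-character lowercase hex string registered as the user ID.
    Accepts colon-, hyphen- or dot-separated input; rejects anything else."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def calling_station_id(mac):
    """Hyphen-punctuated lowercase form used in Calling-Station-Id."""
    d = normalize_mac(mac)
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))


def pap_hide(password, secret, authenticator):
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte chunks and
    XOR each chunk with MD5(secret + previous ciphertext chunk), seeded with
    the Request Authenticator. This only obfuscates; it is not encryption
    in any modern sense, which is why the shared secret matters."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def tlv(attr_type, value):
    """One RADIUS attribute: type, length (including this 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(mac, vlan_id, secret, password=None,
                         authenticator=None, identifier=0):
    """Access-Request as the Switch sends it in fixed VLAN mode. The password
    is the MAC user ID unless a common password is configured."""
    authenticator = authenticator or os.urandom(16)
    user_id = normalize_mac(mac)
    attrs = b"".join([
        tlv(USER_NAME, user_id.encode()),
        tlv(USER_PASSWORD, pap_hide((password or user_id).encode(), secret, authenticator)),
        tlv(NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))),
        tlv(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
        tlv(CALLING_STATION_ID, calling_station_id(mac).encode()),
        tlv(NAS_IDENTIFIER, str(vlan_id).encode()),  # fixed VLAN mode: the VLAN ID
        tlv(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet):
    """Map attribute type -> value for the attributes after the 20-byte header;
    assumes each type occurs once, which holds for the packets built above."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def server_check(packet, secret, common_password=None):
    """Server-side decision: the revealed User-Password must equal the MAC
    user ID, or the common password if one is configured on the Switch."""
    attrs = parse_attributes(packet)
    revealed = pap_reveal(attrs[USER_PASSWORD], secret, packet[4:20])
    expected = common_password or attrs[USER_NAME].decode()
    return revealed == expected.encode()
```

A wrong shared secret makes the revealed password garbage rather than producing an error, so a burst of Access-Rejects for every MAC address after a configuration change is the usual symptom of a secret mismatch.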

Table 10-6 Attributes in the Access-Accept used by MAC-based authentication

Attribute name (type value): Description

Service-Type (6): Framed(2) is expected, but this attribute is ignored by MAC-based authentication.

Reply-Message (18): Not used.

Tunnel-Type (64): Used in dynamic VLAN mode. MAC-based authentication checks that the value is 13 (VLAN). Not used in fixed VLAN mode.

Tunnel-Medium-Type (65): Used in dynamic VLAN mode. MAC-based authentication checks that the value is 6 (IEEE 802), as for IEEE 802.1X. Not used in fixed VLAN mode.

Tunnel-Private-Group-Id (81): Used in dynamic VLAN mode. The value is either a number representing the VLAN ID or the character string VLANxx (where xx is the VLAN ID). If the first octet of the value is in the range 0x00 to 0x1f, it is a Tag octet and the VLAN is taken from the second octet onward; if the first octet is 0x20 or higher, the entire value represents the VLAN. The value may also be a VLAN name defined with the name configuration command, in which case the Switch uses the VLAN ID associated with that name. Not used in fixed VLAN mode.
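As an added example (not code from the original guide or from the Switch vendor), the following Python shows both ends of the VLAN assignment described in the procedure of (3) and in the three tunnel attributes above: the server side encodes Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id, optionally with an RFC 2868 Tag octet, and the switch side applies the first-octet tag rule and the three accepted Tunnel-Private-Group-Id formats, falling back to the native VLAN when the attributes are absent. It goes beyond the text in applying the tag rule to the two integer attributes as well. The VLAN name table and the native VLAN ID are assumptions; the guide does not say what the Switch does when the attributes are present but carry unexpected values, so the code treats that case as an error.

```python
import struct

# Attribute type values from Table 10-6 and attribute values from RFC 2868.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Assumptions standing in for the Switch configuration: VLAN names defined
# with the name command, and the native VLAN used when no VLAN is assigned.
VLAN_NAMES = {"guest": 2048, "staff": 100}
NATIVE_VLAN = 1


def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: one Tag octet followed by a 3-octet value."""
    return bytes([tag]) + struct.pack("!I", value)[1:]


def vlan_accept_attrs(vlan, tag=0):
    """Server side: the three attributes added to an Access-Accept to assign
    a VLAN. `vlan` may be an int (2048), 'VLAN2048' or a VLAN name. Returns
    {attribute type: value}; a non-zero tag is prepended to the group ID."""
    group = str(vlan).encode("ascii")
    if tag:
        group = bytes([tag]) + group
    return {
        TUNNEL_TYPE: tagged_int(TUNNEL_TYPE_VLAN, tag),
        TUNNEL_MEDIUM_TYPE: tagged_int(TUNNEL_MEDIUM_IEEE_802, tag),
        TUNNEL_PRIVATE_GROUP_ID: group,
    }


def untagged_int(value):
    """Tag-octet rule for integer tunnel attributes: a first octet of
    0x00..0x1f is a Tag and the remaining 3 octets are the value; otherwise
    all 4 octets are the value."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 octets")
    if value[0] <= 0x1F:
        return int.from_bytes(value[1:], "big")
    return int.from_bytes(value, "big")


def group_id_to_vlan(raw):
    """Switch side: decode Tunnel-Private-Group-Id with the same first-octet
    rule and the three accepted formats (number, VLANxx, VLAN name)."""
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]
    text = raw.decode("ascii")
    if text.isdigit():
        vlan = int(text)
    elif text.startswith("VLAN") and text[4:].isdigit():
        vlan = int(text[4:])
    elif text in VLAN_NAMES:
        vlan = VLAN_NAMES[text]
    else:
        raise ValueError(f"unrecognized VLAN specification: {text!r}")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    return vlan


def post_auth_vlan(attrs):
    """Switch side in dynamic VLAN mode. Absent tunnel attributes mean the
    native VLAN; present attributes with unexpected values are rejected
    (assumption: the guide defines only the absent case)."""
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if not all(t in attrs for t in needed):
        return NATIVE_VLAN
    if untagged_int(attrs[TUNNEL_TYPE]) != TUNNEL_TYPE_VLAN:
        raise ValueError("Tunnel-Type is not 13 (VLAN)")
    if untagged_int(attrs[TUNNEL_MEDIUM_TYPE]) != TUNNEL_MEDIUM_IEEE_802:
        raise ValueError("Tunnel-Medium-Type is not 6 (IEEE 802)")
    return group_id_to_vlan(attrs[TUNNEL_PRIVATE_GROUP_ID])
```

The native VLAN fallback is the case to watch when testing a new server policy: a reply that omits any one of the three attributes is not rejected, it silently lands the terminal in the native VLAN.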

Table 10-7 Attributes used in RADIUS accounting

Attribute name (type value): Description

User-Name (1): The MAC address, or the MAC address + VLAN ID string in the format shown in Figure 10-10.

NAS-IP-Address (4): The IP address of the NAS. This is the IP address of the loopback interface, if one is configured; otherwise the IP address of the interface that communicates with the server.

Service-Type (6): Framed(2).

Calling-Station-Id (31): The MAC address of the terminal, as a hyphen-punctuated lowercase ASCII string. Example: 00-12-e2-01-23-45

NAS-Identifier (32): In fixed VLAN mode, a numeric string giving the VLAN ID to which the authenticated terminal belongs (for example, 100 for VLAN ID 100). In dynamic VLAN mode and legacy mode, the device name set by the hostname configuration command.

Acct-Status-Type (40): Start(1) on successful authentication; Stop(2) when the terminal is deauthenticated.

Acct-Delay-Time (41): The time (in seconds) between the event and the transmission of the accounting packet to the server.

Acct-Session-Id (44): An identifier for the accounting session. The Start and Stop records for one authentication carry the same value.

Acct-Authentic (45): How the terminal was authenticated: RADIUS(1) or Local(2).

Acct-Session-Time (46): The elapsed time (in seconds) from successful authentication until deauthentication.

NAS-Port-Type (61): Virtual(5).

NAS-IPv6-Address (95): The IPv6 address of the NAS. This is the IPv6 address of the loopback interface, if one is configured; otherwise the IPv6 address of the interface that communicates with the server. When the Switch communicates over an IPv6 link-local address, this attribute carries the link-local address of the transmitting interface, regardless of whether the loopback interface has an IPv6 address.
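As an added example (not code from the original guide or from the Switch vendor), the following Python shows how the accounting attributes of Table 10-7 can be correlated on the server side: Start and Stop records are paired by Acct-Session-Id, Acct-Delay-Time is subtracted to recover event times, Acct-Session-Time is checked against those times, and a MAC address that holds sessions on two VLANs at once (NAS-Identifier in fixed VLAN mode) is flagged, since the MAC address is the only credential. The records are constructed sample data, not captured from a real switch, and the 5-second tolerance is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Attribute values from Table 10-7.
ACCT_START, ACCT_STOP = 1, 2
ACCT_AUTHENTIC_RADIUS = 1


def record(ts, status, session_id, mac, vlan, delay=0, session_time=None):
    """One decoded accounting record with the attributes of Table 10-7.
    NAS-Identifier carries the VLAN ID (fixed VLAN mode)."""
    rec = {
        "timestamp": ts,
        "User-Name": mac.replace("-", ""),
        "Calling-Station-Id": mac,
        "NAS-Identifier": str(vlan),
        "Acct-Status-Type": status,
        "Acct-Delay-Time": delay,
        "Acct-Session-Id": session_id,
        "Acct-Authentic": ACCT_AUTHENTIC_RADIUS,
    }
    if status == ACCT_STOP:
        rec["Acct-Session-Time"] = session_time
    return rec


# Constructed sample log (not from a real switch): one normal session, a
# second session for the same MAC on another VLAN while the first is open,
# a Stop with no Start, and a Stop whose Acct-Session-Time disagrees with
# the timestamps.
SAMPLE_RECORDS = [
    record("2024-05-01T09:00:00", ACCT_START, "0001", "00-12-e2-01-23-45", 100),
    record("2024-05-01T09:00:05", ACCT_START, "0002", "00-12-e2-01-23-45", 200),
    record("2024-05-01T10:00:00", ACCT_STOP, "0001", "00-12-e2-01-23-45", 100, session_time=3600),
    record("2024-05-01T10:30:00", ACCT_STOP, "0003", "00-12-e2-aa-bb-cc", 100, session_time=60),
    record("2024-05-01T11:00:00", ACCT_START, "0004", "00-12-e2-00-00-01", 100),
    record("2024-05-01T11:10:00", ACCT_STOP, "0004", "00-12-e2-00-00-01", 100, delay=3, session_time=900),
]


def event_time(rec):
    """The event happened Acct-Delay-Time seconds before the packet was sent."""
    return datetime.fromisoformat(rec["timestamp"]) - timedelta(seconds=rec["Acct-Delay-Time"])


def pair_sessions(records):
    """Group Start and Stop records by Acct-Session-Id."""
    sessions = defaultdict(dict)
    for rec in records:
        key = "start" if rec["Acct-Status-Type"] == ACCT_START else "stop"
        sessions[rec["Acct-Session-Id"]][key] = rec
    return dict(sessions)


def find_anomalies(records, tolerance_s=5):
    """Return human-readable findings for the three checks described above."""
    findings = []
    sessions = pair_sessions(records)
    for sid, s in sessions.items():
        if "stop" in s and "start" not in s:
            findings.append(f"session {sid}: Stop without a matching Start")
        elif "stop" in s:
            elapsed = (event_time(s["stop"]) - event_time(s["start"])).total_seconds()
            reported = s["stop"]["Acct-Session-Time"]
            if abs(elapsed - reported) > tolerance_s:
                findings.append(f"session {sid}: Acct-Session-Time {reported}s "
                                f"disagrees with timestamps ({elapsed:.0f}s)")
    # A MAC that is a member of two VLANs at the same time suggests a
    # duplicated or spoofed address.
    by_mac = defaultdict(list)
    for sid, s in sessions.items():
        if "start" in s:
            end = event_time(s["stop"]) if "stop" in s else datetime.max
            by_mac[s["start"]["Calling-Station-Id"]].append(
                (event_time(s["start"]), end, s["start"]["NAS-Identifier"], sid))
    for mac, spans in by_mac.items():
        for (s1, e1, v1, id1), (s2, e2, v2, id2) in combinations(spans, 2):
            if s1 < e2 and s2 < e1 and v1 != v2:
                findings.append(f"{mac}: sessions {id1} (VLAN {v1}) and {id2} (VLAN {v2}) overlap")
    return findings
```

Running find_anomalies(SAMPLE_RECORDS) reports the orphaned Stop, the session-time mismatch and the overlapping VLAN membership; a Stop with no Start is also what you see after a server outage, so treat that finding as a prompt to check the server's availability before anything else.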