10.4.2 Preparing RADIUS Servers
Before you can use MAC-based authentication in RADIUS authentication mode, you need to configure the MAC addresses and passwords on the RADIUS server.
Also shown below are the RADIUS attributes used by the MAC-based authentication functionality in the Switch.
(1) Create User ID
MAC-based authentication requires you to register each MAC address as a user ID on the RADIUS server. The MAC address is written as a 12-character hexadecimal string (no separators) using half-width alphanumeric characters, with the letters a to f in lowercase.
In fixed VLAN mode, if you want the RADIUS server to use both the MAC address and VLAN ID as credentials, register a user ID that combines the MAC address and VLAN ID in a character string with the following format.
(Diagram 10-10 MAC Address + VLAN ID Register Format)
(2) Registering a password
The password can be either of the following:
- The same MAC address that is specified as the user ID
- A common password used for all user IDs
(3) Configuring Post-Authentication VLAN
Use the following procedure to configure the post-authentication VLAN to which a terminal is assigned after successful authentication in dynamic VLAN mode.
- Set Tunnel-Type to 13 (Virtual VLANs (VLAN)).
- Set Tunnel-Medium-Type to 6.
- Specify a VLAN ID for the Tunnel-Private-Group-ID attribute, in one of the following formats:
  - As a numerical value. Example: if the VLAN ID is 2048, specify the character string 2048.
  - As the character string "VLAN" followed by a numerical value. Example: if the VLAN ID is 2048, specify the character string VLAN2048.
  - As a VLAN name defined using the name configuration command.
Note: If you perform authentication in dynamic VLAN mode without setting Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID, the native VLAN is assigned as the post-authentication VLAN.
(4) RADIUS Servers Used by the MAC-based Authentication Feature
Make sure that you specify PAP as the authentication method used by the RADIUS server. The tables below describe the RADIUS attributes used in the process of MAC-based authentication. For details about how to configure the RADIUS server, see the documentation for the RADIUS server deployed in your network.
Attributes in the Access-Request sent by the Switch:

| Attribute name | Type value | Description |
|---|---|---|
| User-Name | 1 | The MAC address, or the value generated according to "Diagram 10-10 MAC Address + VLAN ID Register Format". |
| User-Password | 2 | The MAC address, or the common password specified by a configuration command. |
| NAS-IP-Address | 4 | The IP address of the loopback interface, if one is specified. If no loopback interface is specified, the IP address of the interface that communicates with the RADIUS server. |
| Service-Type | 6 | Framed(2). |
| Calling-Station-Id | 31 | The MAC address of the terminal to be authenticated, as a hyphen-punctuated lowercase ASCII string. Example: 00-12-e2-01-23-45 |
| NAS-Identifier | 32 | In fixed VLAN mode, a numerical string representing the VLAN ID to which authenticated terminals gain membership (e.g. 100 for VLAN ID 100). In dynamic VLAN mode and legacy mode, the device name specified by the hostname configuration command. |
| NAS-Port-Type | 61 | Virtual(5). |
| NAS-IPv6-Address | 95 | The IPv6 address of the loopback interface, if one is specified. If no loopback interface is specified, the IPv6 address of the interface that communicates with the RADIUS server. When communicating via an IPv6 link-local address, this attribute carries the IPv6 link-local address of the transmitting interface regardless of whether an IPv6 address is set for the loopback interface. |
Attributes in the Access-Accept returned by the RADIUS server:

| Attribute name | Type value | Description |
|---|---|---|
| Service-Type | 6 | Returns Framed(2). This attribute is ignored in MAC-based authentication. |
| Reply-Message | 18 | (Not used) |
| Tunnel-Type | 64 | Used in dynamic VLAN mode. The MAC-based authentication functionality checks whether the value is 13 (VLAN). This attribute is not used in fixed VLAN mode. |
| Tunnel-Medium-Type | 65 | Used in dynamic VLAN mode. The MAC-based authentication functionality checks whether the value is 6, as for IEEE 802.1X. This attribute is not used in fixed VLAN mode. |
| Tunnel-Private-Group-Id | 81 | Used in dynamic VLAN mode. The value of this attribute is a number representing a VLAN, or the character string VLANxx (where xx is the VLAN ID). If the first octet is in the range 0x00 to 0x1f, that octet is a tag and the VLAN is taken from the second octet onward; if the first octet is 0x20 or higher, the entire attribute value represents the VLAN. In dynamic VLAN mode, if this attribute contains a VLAN name as defined by the name configuration command, the Switch uses the VLAN ID associated with that name. This attribute is not used in fixed VLAN mode. |
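The following is an added example, not code from the manual or the Switch firmware, showing how the post-authentication VLAN rules in (3) and the Tunnel-* rows of the Access-Accept table can be evaluated on the NAS side. The function and dictionary names are my own; the manual does not state what the Switch does when the tunnel attributes are present but do not match, so treating that as a failure is an assumption of this example.

```python
from typing import Dict, Optional, Tuple

# Attribute type values from the Access-Accept table above.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value the Switch checks for
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value the Switch checks for


def strip_tag(value: bytes) -> bytes:
    """Drop the tag octet: a first octet of 0x00-0x1f is a tag and the VLAN
    text starts at the second octet; 0x20 or higher means the whole value
    is the VLAN text."""
    if value and value[0] <= 0x1F:
        return value[1:]
    return value


def resolve_vlan(value: bytes, vlan_names: Dict[str, int]) -> Optional[int]:
    """Interpret Tunnel-Private-Group-Id as "2048", "VLAN2048" or a VLAN name
    (vlan_names maps names from the name command to IDs, a constructed map)."""
    text = strip_tag(value).decode("ascii", errors="replace")
    if text.isdigit():
        vid = int(text)
    elif text.startswith("VLAN") and text[4:].isdigit():
        vid = int(text[4:])
    elif text in vlan_names:
        vid = vlan_names[text]
    else:
        return None
    return vid if 1 <= vid <= 4094 else None


def post_auth_vlan(accept_attrs: Dict[int, object], vlan_names: Dict[str, int],
                   native_vlan: int) -> Tuple[Optional[int], str]:
    """Decide the post-authentication VLAN in dynamic VLAN mode.
    accept_attrs maps attribute type -> decoded value (int or bytes)."""
    ttype = accept_attrs.get(TUNNEL_TYPE)
    tmed = accept_attrs.get(TUNNEL_MEDIUM_TYPE)
    tpgi = accept_attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if ttype is None and tmed is None and tpgi is None:
        # Manual: no tunnel attributes at all -> native VLAN is assigned.
        return native_vlan, "no tunnel attributes: native VLAN assigned"
    if ttype != TUNNEL_TYPE_VLAN or tmed != TUNNEL_MEDIUM_802:
        # Assumption: a mismatch is treated as a failed VLAN assignment.
        return None, "Tunnel-Type/Tunnel-Medium-Type mismatch"
    vid = resolve_vlan(tpgi if isinstance(tpgi, bytes) else b"", vlan_names)
    if vid is None:
        return None, "Tunnel-Private-Group-Id could not be resolved"
    return vid, "VLAN assigned from Tunnel-Private-Group-Id"
```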
Attributes in the Accounting-Request sent by the Switch:

| Attribute name | Type value | Description |
|---|---|---|
| User-Name | 1 | The MAC address, or the value generated according to "Diagram 10-10 MAC Address + VLAN ID Register Format". |
| NAS-IP-Address | 4 | The IP address of the NAS: the IP address of the loopback interface, if one is specified. If no loopback interface is specified, the IP address of the interface that communicates with the server. |
| Service-Type | 6 | Framed(2). |
| Calling-Station-Id | 31 | The MAC address of the terminal, as a hyphen-punctuated ASCII string. Example: 00-12-e2-01-23-45 |
| NAS-Identifier | 32 | In fixed VLAN mode, a numerical string representing the VLAN ID to which authenticated terminals gain membership (e.g. 100 for VLAN ID 100). In dynamic VLAN mode and legacy mode, the device name specified by the hostname configuration command. |
| Acct-Status-Type | 40 | Start(1) at successful authentication, and Stop(2) after authentication cancellation. |
| Acct-Delay-Time | 41 | The time (in seconds) between the event occurring and transmission to the server. |
| Acct-Session-Id | 44 | The ID that identifies the accounting session (the same value is used for the Start record at authentication and the Stop record at deauthentication). |
| Acct-Authentic | 45 | The authentication method used (RADIUS or Local). |
| Acct-Session-Time | 46 | The time (in seconds) from authentication until authentication cancellation. |
| NAS-Port-Type | 61 | Virtual(5). |
| NAS-IPv6-Address | 95 | The IPv6 address of the NAS: the IPv6 address of the loopback interface, if one is specified. If no loopback interface is specified, the IPv6 address of the interface that communicates with the server. When communicating via an IPv6 link-local address, this attribute carries the IPv6 link-local address of the transmitting interface regardless of whether an IPv6 address is set for the loopback interface. |