Configuration Guide Vol. 2


11.1.4 MAC Authorization Parameter Settings

This section describes how to set the parameters for MAC-based authentication.

<Structure of this section>

(1) Setting the maximum authentication time

Points to note

Set the time after which the switch forcibly de-authenticates authenticated terminals.

Command examples

  1. (config)# mac-authentication max-timer 60

    Configures the switch to forcibly de-authenticate terminals after 60 minutes.

(2) Configuring Fixed VLAN Authentication Count

Points to note

Set the maximum number of MAC addresses that can be authenticated in fixed VLAN mode.

Command examples

  1. (config)# mac-authentication static-vlan max-user 20

    Specifies 20 as the maximum number of authenticated MAC addresses for MAC-based authentication in fixed VLAN mode.

(3) Setting up the RADIUS server

Points to note

Configure the RADIUS server used to implement RADIUS authentication.

Command examples

  1. (config)# aaa authentication mac-authentication default group radius

    Specifies that authentication takes place using a RADIUS server.

(4) Configuring Accounting

Points to note

Enable the collection of accounting information for MAC-based authentication.

Command examples

  1. (config)# aaa accounting mac-authentication default start-stop group radius

    Enables the collection of accounting information by the RADIUS server.

(5) Settings for outputting to syslog servers

Points to note

Configure the Switch to output authentication results and operation logs to the syslog server.

Command examples

  1. (config)# mac-authentication logging enable

    (config)# logging event-kind aut

    Configures the Switch to output MAC-based authentication results and operation logs to the syslog server.

(6) Setting to verify VLAN ID when authenticating

Points to note

Direct the switch to use the MAC address and VLAN ID as the MAC-based authentication credentials, not just the MAC address.

Command examples

  1. (config)# mac-authentication vlan-check key "@@VLAN"

    Configures MAC-based authentication to also check the VLAN ID.

    If you are using RADIUS authentication, the switch submits the MAC address and VLAN ID to the RADIUS server as one character string connected by the characters @@VLAN.

(7) Setting a RADIUS Query Password

Points to note

Specify the password used for all MAC-based authentication requests sent to the RADIUS server.

Command examples

  1. (config)# mac-authentication password pakapaka

    Specifies pakapaka as the password sent to the RADIUS server.

(8) Setting the re-authentication time interval after authentication failure

Points to note

Specify how long the switch waits before processing another authentication request for a MAC address that failed authentication.

Command examples

  1. (config)# mac-authentication auth-interval-timer 10

    Configures the switch to wait 10 minutes after an authentication failure before it processes another authentication request from that MAC address.

(9) Configuring Authentication-Only IPv4 Access Lists

Points to note

Configure the Switch to forward certain packets originating from unauthenticated terminals to destinations that are outside the Switch.

Command examples

  1. (config)# ip access-list extended 100

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 255.255.255.255 eq bootps

    (config-ext-nacl)# permit udp 0.0.0.0 0.0.0.0 host 192.168.10.100 eq bootps

    (config-ext-nacl)# exit

    (config)# interface gigabitethernet 1/0/3

    (config-if)# authentication ip access-group 100

    (config-if)# exit

    Configures an IPv4 access list that permits unauthenticated terminals to send DHCP packets to 192.168.10.100.

(10) Configuring Dynamic VLAN Authentication Count

Points to note

Set the maximum number of MAC addresses that can be authenticated in dynamic VLAN mode.

Command examples

  1. (config)# mac-authentication dynamic-vlan max-user 20

    Specifies 20 as the maximum number of authenticated MAC addresses for MAC-based authentication in dynamic VLAN mode.

(11) Disabling de-authentication of terminals when no access from the terminal is detected

Points to note

Disable the functionality that de-authenticates terminals with authenticated MAC addresses when there has been no access from the terminal for a period of time.

Command examples

  1. (config)# no mac-authentication auto-logout

    Configures the switch not to clear the authentication status of authenticated MAC addresses when there has been no access from the terminal.