Allied Telesis Support Portal

MAC-Authentication for AlliedWare Plus Devices

How do you enable MAC authentication, and how does it work?

Introduction

MAC authentication is one of three types of port authentication provided by AlliedWare Plus devices. The other two are 802.1x authentication and web authentication.

802.1x is an IEEE standard providing a mechanism for authenticating devices attached to a LAN port or wireless device.

Web authentication is applicable to devices that have a human user who opens the web browser and types in a username and password when requested.

Devices such as printers, scanners, fire-alarm monitors and other network-connected devices need to be authenticated in a secure network even though they have no human user and do not implement an 802.1x supplicant. The method that has been developed for authenticating these devices uses the device's unique MAC address as the identifier, and so is called MAC-based authentication.


How Does the MAC-Authentication Work?

1. The supplicant (the client that wishes to attach to the LAN/WLAN) is connected to the switch.
2. The switch (acting as the authenticator) receives an ID (the unique source MAC address) from the supplicant.
3. The switch passes the supplicant's ID to a RADIUS server in an Access-Request packet.
4. The RADIUS server returns an Access-Accept or an Access-Deny. The Access-Accept can carry additional attributes, for example for dynamic VLAN assignment.

Note: A RADIUS Access-Request requires both a username and a password. The workaround employed by MAC authentication is simply to use the MAC address as both username and password. The switch extracts the source MAC address from the supplicant's packets and puts it into a string of the form xx-xx-xx-xx-xx-xx, using lower-case letters for any hex digits in the range a-f. This string is then used as both the username and the password in the RADIUS Access-Request packet.


Configuring MAC-Authentication

1. Define the authentication method list that is used for MAC authentication.
There is only one method list that can be created for MAC authentication, the default method list. Moreover, the only authentication server type that can be used is RADIUS.
awplus(config)# aaa authentication auth-mac default group radius

2. Enable MAC authentication on the ports that are to perform this authentication (the interface command moves the CLI into interface configuration mode, so the prompt changes to config-if):
awplus(config)# interface port1.0.2
awplus(config-if)# auth-mac enable
awplus(config-if)# spanning-tree edgeport

On the RADIUS server, it is necessary to create user entries in which both the username and the password are the MAC address of the supplicant, in the form xx-xx-xx-xx-xx-xx. For example, on the AlliedWare Plus local RADIUS server, the configuration is:
awplus(config)# radius-server local
awplus(config-radsrv)# user xx-xx-xx-xx-xx-xx password xx-xx-xx-xx-xx-xx

The supplicant requires no configuration, because the whole purpose of MAC authentication is to authenticate devices that cannot be configured for authentication.