CCIE Must Know: MAC address authentication and MAC address bypass authentication
MAC address authentication is an authentication method that controls a user's network access rights based on the interface and the MAC address. It does not require the user to install any client software. When the device detects a user's MAC address for the first time on an interface where MAC authentication is enabled, it starts the authentication operation for that user. During the authentication process the user does not need to enter a user name or password manually. Its main characteristics:
1. There is no need to install an authentication client on the terminal.
2. The terminal does not need to enter an account name or password; authentication is performed automatically.
3. Security is lower than that of 802.1X and Portal authentication.
The reason for the lower security is that MAC addresses are easily spoofed. It is recommended to apply the MAC authentication scheme only to network printers and IP phones, and when authorizing, to grant only the network access rights that the device's business role requires.
The device currently supports two authentication methods for MAC authentication:
(1) RADIUS server authentication:
When the RADIUS server authentication method is selected for MAC address authentication, the device acts as a RADIUS client and cooperates with the RADIUS server to complete the MAC address authentication:
When the MAC address is used as the user name, the device sends the detected user MAC address to the RADIUS server as both the user name and the password.
When a fixed user name is used, the device sends the locally configured user name and password to the RADIUS server as the credentials of the user to be authenticated.
After the RADIUS server has authenticated the user, the authenticated user can access the network.
(2) Local authentication:
When the local authentication method is used for MAC address authentication, the user is authenticated directly on the device. A local user name and password must be configured on the device:
When the MAC address is used as the user name, the local user name to be configured is the MAC address of each access user.
When a fixed user name is used, the local user name to be configured is customized, and the user name and password for all users are the same customized values.
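The following is an added example (not vendor code from the page) that shows how an access device derives the credential it submits in the two user-name modes described above, and how the local-authentication variant checks it. It assumes, since the page does not say, that the MAC is normalised to 12 lowercase hex digits without separators before use, and that a successful authentication returns an authorization profile that limits access to what the terminal type needs (per the recommendation above for printers and IP phones). The user database and profile names are constructed for the example.

```python
"""MAC address authentication: credential derivation in the two user-name modes
(MAC as user name vs. fixed user name) and local-authentication lookup.

Added example, not vendor code. Assumptions (not stated on the page):
  - the MAC is normalised to 12 lowercase hex digits, no separators, e.g. 'a1b2c3d4e5f6';
  - a successful authentication returns an authorization profile name that
    restricts the terminal to the access its role needs.
"""
import re
from dataclasses import dataclass
from typing import Optional

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 'A1:B2:C3:D4:E5:F6', 'a1-b2-c3-d4-e5-f6' or 'a1b2.c3d4.e5f6' forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Credential:
    username: str
    password: str


def build_credential(mac: str, mode: str,
                     fixed_user: Optional[str] = None,
                     fixed_pass: Optional[str] = None) -> Credential:
    """Mode 'mac': user name and password are both the detected MAC address.
    Mode 'fixed': user name and password are the locally configured values
    shared by every MAC-authenticated user (the credential carries no
    per-device information at all)."""
    if mode == "mac":
        m = normalize_mac(mac)
        return Credential(m, m)
    if mode == "fixed":
        if fixed_user is None or fixed_pass is None:
            raise ValueError("fixed mode needs a configured user name and password")
        return Credential(fixed_user, fixed_pass)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed local user database for 'local authentication'.
# 'mac' mode: one entry per access user, keyed by its MAC address.
# 'fixed' mode: a single shared entry ('macauth').
# The 'profile' field is the (assumed) authorization granted on success.
LOCAL_USERS = {
    "a1b2c3d4e5f6": {"password": "a1b2c3d4e5f6", "profile": "printer-acl"},
    "0011aabbccdd": {"password": "0011aabbccdd", "profile": "voice-vlan"},
    "macauth":      {"password": "mac-shared-secret", "profile": "dumb-terminal-acl"},
}


def local_authenticate(cred: Credential, users=LOCAL_USERS) -> Optional[str]:
    """Return the authorization profile on success, None on failure.
    With RADIUS authentication the same credential would be carried in an
    Access-Request and the server would perform this lookup instead."""
    entry = users.get(cred.username)
    if entry is None or entry["password"] != cred.password:
        return None
    return entry["profile"]


def mac_auth(mac: str, mode: str, **fixed) -> Optional[str]:
    """Device-side flow: the first sighting of a MAC on the interface triggers
    authentication with no user interaction. Returns the profile or None."""
    try:
        cred = build_credential(mac, mode, **fixed)
    except ValueError:
        return None
    return local_authenticate(cred)


if __name__ == "__main__":
    print(mac_auth("A1-B2-C3-D4-E5-F6", "mac"))            # printer-acl
    print(mac_auth("de:ad:be:ef:00:01", "mac"))            # None (unknown MAC)
    print(mac_auth("de:ad:be:ef:00:01", "fixed",
                   fixed_user="macauth", fixed_pass="mac-shared-secret"))  # dumb-terminal-acl
```

Note what the fixed-user-name mode implies: every MAC the device detects is submitted with the same credential, so the credential check alone distinguishes nothing between terminals; that is why the authorization profile granted on success must be restrictive, as the recommendation for printers and IP phones above already says.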
MAC bypass authentication: in an 802.1X authentication environment, a terminal connects to the network but does not respond to the 802.1X authentication request from the access control device. To allow such a terminal onto the network, the access control device automatically obtains the terminal's MAC address and sends it to the RADIUS server as the credential for verification.
Comparison of MAC authentication and MAC bypass authentication:
MAC authentication: performs MAC authentication directly.
MAC bypass authentication: tries 802.1X first; if the terminal does not respond for a long time (30 s), the device uses the MAC address as the user name and password and sends the authentication request. It is used together with 802.1X.
The biggest difference between the two is that MAC bypass authentication belongs to 802.1X authentication, while MAC authentication does not. MAC bypass authentication has one more step than MAC authentication, the 802.1X authentication attempt, so it takes longer than MAC authentication.
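As an added illustration of the comparison (not code from the page), the simulation below runs the two flows against the same terminal and returns the outcome together with the elapsed time, using a simulated clock so the 30 s 802.1X wait does not actually sleep. Assumptions not on the page: the terminal is modelled by a callback returning its 802.1X answer ("ok", "fail", or None for no supplicant) and how long it took; the MAC check is a membership test in a constructed allow-list; the fallback happens both when 802.1X times out and when it fails, matching the deployment advice below.

```python
"""MAC bypass authentication (802.1X first, MAC fallback) versus plain MAC
authentication, with a simulated clock.

Added example, not vendor code. Assumptions (not on the page):
  - a terminal is a callable returning (dot1x_response, reply_seconds);
    dot1x_response is 'ok', 'fail', or None when there is no supplicant;
  - MAC authentication is a membership test in a constructed allow-list;
  - both flows return (result, elapsed_seconds) so they can be compared.
"""
from typing import Callable, Optional, Tuple

DOT1X_TIMEOUT = 30.0   # page: no response for a long time (30 s) -> fall back
ALLOWED_MACS = {"a1b2c3d4e5f6", "0011aabbccdd"}   # constructed allow-list

Dot1xResponse = Optional[str]
Terminal = Callable[[], Tuple[Dot1xResponse, float]]


def _norm(mac: str) -> str:
    return mac.lower().replace(":", "").replace("-", "").replace(".", "")


def mac_authenticate(mac: str, allowed=ALLOWED_MACS) -> bool:
    """Plain MAC authentication: the MAC is both user name and password."""
    return _norm(mac) in allowed


def mac_auth_flow(mac: str) -> Tuple[str, float]:
    """MAC authentication alone: no 802.1X exchange, so no waiting."""
    result = "mac-auth-pass" if mac_authenticate(mac) else "mac-auth-fail"
    return (result, 0.0)


def mab_flow(mac: str, terminal: Terminal) -> Tuple[str, float]:
    """MAC bypass: 802.1X is tried first. If the terminal never answers
    (timeout) or 802.1X fails, fall back to MAC authentication."""
    response, reply_time = terminal()
    if response is None or reply_time > DOT1X_TIMEOUT:
        elapsed = DOT1X_TIMEOUT          # waited the whole 802.1X timeout
    else:
        elapsed = reply_time
        if response == "ok":
            return ("dot1x-pass", elapsed)
    result, t = mac_auth_flow(mac)       # fallback adds its own (zero) time
    return (result, elapsed + t)


# Constructed terminals
def printer() -> Tuple[Dot1xResponse, float]:
    """Dumb terminal with no supplicant: never answers the EAP request."""
    return (None, 0.0)


def laptop_ok() -> Tuple[Dot1xResponse, float]:
    """Portable device with a supplicant and valid 802.1X credentials."""
    return ("ok", 2.0)


def laptop_bad_creds() -> Tuple[Dot1xResponse, float]:
    """Portable device whose 802.1X authentication fails."""
    return ("fail", 3.0)


if __name__ == "__main__":
    for name, mac, term in [("printer", "a1:b2:c3:d4:e5:f6", printer),
                            ("laptop ok", "de:ad:be:ef:00:01", laptop_ok),
                            ("laptop bad", "de:ad:be:ef:00:01", laptop_bad_creds)]:
        print(f"{name:10s} MAC auth: {mac_auth_flow(mac)}  MAB: {mab_flow(mac, term)}")
```

The printer case is the one the comparison is about: with plain MAC authentication it is admitted immediately, whereas with MAC bypass it first sits through the full 802.1X timeout and only then is checked by MAC, which is why a port that carries only a dumb terminal is better served by MAC authentication.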
If a network port may be connected to both dumb terminals (printers, IP phones) and portable devices (to ensure network access before authentication is passed), use MAC bypass authentication: 802.1X authentication is given priority, and MAC authentication is used if it fails.
If only a dumb terminal (printer, IP phone) is connected to a network port, use MAC authentication to shorten the authentication time.