Operation Manual – Centralized MAC Address Authentication
H3C S3100-52P Ethernet Switch
Chapter 1 Centralized MAC Address
Authentication Configuration
1.1 Centralized MAC Address Authentication Overview
Centralized MAC address authentication is port- and MAC address-based
authentication used to control user permissions to access a network. Centralized MAC
address authentication can be performed without client-side software. With this type of
authentication employed, a switch authenticates a user upon detecting the MAC
address of the user for the first time.
Centralized MAC address authentication can be implemented in the following two
modes:
• MAC address mode, where the user's MAC address serves as both the user name and
the password.
• Fixed mode, where user names and passwords are configured on a switch in
advance. In this case, every user corresponds to a specific user name and
password configured on the switch.
On the S3100-52P Ethernet Switch, authentication can be performed locally or on a
RADIUS server.
1) When a RADIUS server is used for authentication, the switch serves as a RADIUS
client. Authentication is carried out through the cooperation of switches and the
RADIUS server.
• In MAC address mode, a switch sends the detected user MAC addresses to the
RADIUS server as both user names and passwords. The remaining procedures
are the same as those of common RADIUS authentication.
• In fixed mode, a switch sends the user name and password previously configured
for the user to be authenticated to the RADIUS server and replaces the
calling-station-id field of the RADIUS packet with the MAC address of the user.
The remaining procedures are the same as those of common RADIUS
authentication.
• A user can access a network upon passing the authentication performed by the
RADIUS server.
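The two request shapes described above, as an added example that is not part of the H3C manual: a sketch of the RADIUS Access-Request (RFC 2865) a switch would send in each mode, together with the server-side decode. The MAC address, shared secret, fixed-mode credentials and MAC string format are constructed assumptions, and a real switch may send additional attributes.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31  # RFC 2865 attribute types
# Constructed sample values (assumptions, not taken from the manual)
SECRET, RA, MAC = b"constructed-secret", bytes(range(16)), bytes.fromhex("001122aabbcc")

def fmt_mac(mac, hyphen=True):
    """Render a 6-byte MAC with or without hyphens (format is an assumption)."""
    return ("-" if hyphen else "").join(f"{b:02x}" for b in mac).encode()

def hide(pw, secret, ra, decode=False):
    """RFC 2865 section 5.2 User-Password hiding; decode=True reverses it."""
    if not decode:
        pw = pw.ljust(max(16, -(-len(pw) // 16) * 16), b"\0")
    out, prev = b"", ra
    for i in range(0, len(pw), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], pad))
        prev = pw[i:i + 16] if decode else block  # chain on the ciphertext block
        out += block
    return out.rstrip(b"\0") if decode else out

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def access_request(mac, secret, ra, fixed=None, hyphen=True, ident=1):
    """MAC address mode when fixed is None, else fixed=(user, password)."""
    m = fmt_mac(mac, hyphen)
    user, pw = fixed if fixed else (m, m)  # MAC mode: MAC is name and password
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide(pw, secret, ra))
    if fixed:  # fixed mode: the MAC travels in Calling-Station-Id instead
        attrs += attr(CALLING_STATION_ID, m)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs

def parse(pkt, secret):
    """Server side: decode the attributes and recover the password."""
    if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("length field does not match packet size")
    ra, pos, out = pkt[4:20], 20, {}
    while pos < len(pkt):
        hdr = pkt[pos:pos + 2]
        if len(hdr) < 2 or hdr[1] < 2 or pos + hdr[1] > len(pkt):
            raise ValueError("malformed attribute")
        out[hdr[0]] = pkt[pos + 2:pos + hdr[1]]
        pos += hdr[1]
    out[USER_PASSWORD] = hide(out[USER_PASSWORD], secret, ra, decode=True)
    return out
```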
2) When authentication is performed locally, users are authenticated by the switch.
In this case:
• In MAC address mode, you can use the corresponding commands to specify the
format of the MAC addresses used as both user name and password.
That is, to specify whether or not MAC addresses are provided in the hyphened