MAC authentication

The 7705 SAR supports the 802.1x EAP standard for authenticating Ethernet devices before they can access the network. However, if a client device does not support 802.1x EAP, MAC authentication can be used to prevent unauthorized traffic from being transmitted through the 7705 SAR.

802.1x EAP must be enabled for MAC authentication to be used, as MAC authentication is a fallback mechanism. To authenticate a port using MAC authentication, 802.1x authentication must first be configured on the 7705 SAR by enabling port-control auto, and then mac-auth must be configured on the 7705 SAR to enable MAC authentication.

When a port becomes operationally up with MAC authentication enabled, the following steps are performed by the 7705 SAR (as the authenticator):

  1. After transmission of the first EAP-Request/ID PDU, the 7705 SAR starts the mac-auth-wait timer and begins listening on the port for EAP-Response/ID PDUs. At this point, the 7705 SAR only listens to EAPOL frames. If EAPOL frames are received, 802.1x authentication is chosen.

    Note: If the attached equipment does not support EAP, no mac-auth-wait can be configured so that MAC authentication can be used as soon as the port is operationally up.
  2. If the mac-auth-wait timer expires, and no EAPOL frames have been received, the 7705 SAR begins listening on the port for any Ethernet frames.

  3. If the 7705 SAR receives an Ethernet frame, the 7705 SAR scans the client source MAC address in the frame and transmits the MAC address to the configured RADIUS server for comparison against the MAC addresses configured in its database.

    The following attributes are contained in the RADIUS message:

    • User-Name – the source MAC address of the client device

    • User-Password – the source MAC address of the client device in an encrypted format

    • Service-Type – the type of service that the client has requested; the value is set to 10 (call-check) for MAC authentication requests

    • Calling-Station-Id – the source MAC address of the client device

    • NAS-IP-Address – the IP address of the device acting as the authenticator

    • NAS-Port – the physical port of the device acting as the authenticator

    • Message-Authenticator – used to authenticate and protect the integrity of Access Request messages in order to prevent spoofing attacks

  4. If the MAC address is approved by the RADIUS server, the 7705 SAR enables the port for traffic transmission.

    If the MAC address is rejected by the RADIUS server, the 7705 SAR enters a quiet period, configured using the quiet-period command, and will not authenticate the port via either 802.1x or MAC authentication. After the quiet period expires, the 7705 SAR returns to step1.

  5. If a port that was previously authenticated with MAC authentication receives an EAPOL-Start frame, the port will reauthenticate using 802.1x EAPOL.

While the port is unauthenticated, the port will be ‟down” to all upper layer protocols or services.