MAC authentication

Note:

MAC authentication is only supported on 7210 SAS-Dxp.

The 7210 SAS supports the 802.1x EAP standard for authenticating Ethernet devices before they can access the network. However, if a client device does not support 802.1x EAP, MAC authentication can be used to prevent unauthorized traffic from being transmitted through the 7210 SAS.

Because MAC authentication is a fallback mechanism, the user must first enable 802.1x EAP to use MAC authentication on the 7210 SAS. To authenticate a port using MAC authentication, first configure 802.1x authentication on the 7210 SAS by enabling port-control auto, and then configure mac-auth on the 7210 SAS to enable MAC authentication.

Layer 2 control protocols affect MAC authentication behavior differently depending on the protocol in use; see Layer 2 control protocol interaction with authentication methods for more information.

MAC authentication basics

When a port becomes operationally up with MAC authentication enabled, the 7210 SAS (as the authenticator) performs the following steps.

  1. After transmission of the first EAP-Request/ID PDU, the 7210 SAS starts the mac-auth-wait timer and begins listening on the port for EAP-Response/ID PDUs. At this point, the 7210 SAS only listens to EAPOL frames. If EAPOL frames are received, 802.1x authentication is chosen.

    Note:

    If it is known that the attached equipment does not support EAP, you can configure no mac-auth-wait so that MAC authentication is used as soon as the port is operationally up.

  2. If the mac-auth-wait timer expires, and no EAPOL frames have been received, the 7210 SAS begins listening on the port for any Ethernet frames.

  3. If the 7210 SAS receives an Ethernet frame, the 7210 SAS reads the client source MAC address from the frame and transmits the MAC address to the configured RADIUS server for comparison against the MAC addresses configured in its database.

    The following attributes are contained in the RADIUS message:

    • User-Name

      This attribute specifies the source MAC address of the client device.

    • User-Password

      This attribute specifies the source MAC address of the client device in an encrypted format.

    • Service-Type

      This attribute specifies the type of service that the client has requested; the value is set to 10 (call-check) for MAC authentication requests.

    • Calling-Station-Id

      This attribute specifies the source MAC address of the client device.

    • NAS-IP-Address

      This attribute specifies the IP address of the device acting as the authenticator.

    • NAS-Port

      This attribute specifies the physical port of the device acting as the authenticator.

    • Message-Authenticator

      This attribute is used to authenticate and protect the integrity of Access Request messages to prevent spoofing attacks.

  4. If the MAC address is approved by the RADIUS server, the MAC address is successfully authenticated and the 7210 SAS enables the port for traffic transmission by that particular MAC address only.

    If the MAC address is rejected by the RADIUS server, the 7210 SAS does not authenticate the port using either 802.1x or MAC authentication. If an Ethernet frame with the same MAC address is received, the 7210 SAS returns to step 3 and reattempts approval of the MAC address.

  5. If a port that was previously authenticated with MAC authentication receives an EAPOL-Start frame, the port will not reauthenticate using 802.1x EAPOL.
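The following Python is an added illustration, not Nokia code, of the RADIUS Access-Request described in step 3: it encodes the seven listed attributes, hides User-Password with the RFC 2865 shared-secret scheme, and computes and checks the Message-Authenticator (RFC 2869 HMAC-MD5) that protects the request against spoofing. The MAC string form, the shared secret and the NAS values are constructed assumptions; the page does not specify them.

```python
import hashlib
import hmac
import os
import struct

# RADIUS attribute type codes (RFC 2865 / RFC 2869) for the attributes the page lists
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, CALLING_STATION_ID, MESSAGE_AUTHENTICATOR = 6, 31, 80
SERVICE_TYPE_CALL_CHECK = 10  # Service-Type value carried in MAC authentication requests

def avp(attr_type, value):  # one attribute-value pair: Type(1) Length(1) Value
    return bytes([attr_type, 2 + len(value)]) + value

def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with a chained MD5(secret + previous) stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out

def build_mac_auth_request(mac, secret, nas_ip, nas_port, identifier, request_auth=None):
    """Access-Request (Code 1) for a client MAC given as 'aa-bb-cc-dd-ee-ff' (assumed form)."""
    request_auth = request_auth or os.urandom(16)  # 16-byte Request Authenticator
    attrs = (
        avp(USER_NAME, mac.encode())
        + avp(USER_PASSWORD, encrypt_user_password(mac.encode(), secret, request_auth))
        + avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
        + avp(CALLING_STATION_ID, mac.encode())
        + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + avp(NAS_PORT, struct.pack("!I", nas_port))
        + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)  # zeroed while the HMAC is computed
    )
    pkt = struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_auth + attrs
    # RFC 2869 5.14: HMAC-MD5 over the whole packet, keyed with the shared secret
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(pkt, secret):
    """Server-side check that rejects a forged or tampered Access-Request."""
    pos = 20
    while pos + 2 <= len(pkt) and pkt[pos + 1] >= 2:  # stop on a malformed attribute
        attr_type, length = pkt[pos], pkt[pos + 1]
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += length
    return False  # absent or malformed: treat the request as unauthenticated
```

A server that enforces the Message-Authenticator check will drop a request whose User-Name was altered in transit or that was built with the wrong shared secret, which is the spoofing case the attribute exists to cover.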

While the port is unauthenticated, the port will be down to all upper layer protocols or services.

When a MAC address is authenticated, only packets whose source MAC address matches the authenticated MAC address are forwarded when the packets are received on the port, and only packets whose destination MAC address matches the authenticated MAC address are forwarded out of the port.

Broadcast and multicast packets at ingress are sent for source MAC address authentication. Broadcast and multicast packets at egress are forwarded as normal.

Unknown destination packets at ingress are copied to the CPU and MAC authentication is attempted. Unknown destination packets at egress are dropped.

MAC authentication limitations

MAC authentication is subject to the following limitations:

  • If MAC authentication is configured on ports that are part of a LAG, traffic for the authenticated MAC address is forwarded in the egress direction out of any port in the LAG.

  • If MAC authentication is configured on a port and the port is added to or removed from a LAG, all previously authenticated MACs are reauthenticated by the system.

    Caution:

    A small amount of traffic loss may occur while MAC reauthentication is in progress.