
Overview of MAC Address Authentication

Definition

MAC address authentication controls network access rights of users based on interfaces and MAC addresses of terminals.

Benefits

  • No client software needs to be installed on terminals.
  • During MAC address authentication, users do not need to enter a user name or password.
  • Dumb terminals that do not support 802.1X authentication, such as printers and fax machines, can be authenticated.

Authentication System

As shown in Figure 1, the MAC address authentication system is a typical client/server structure that consists of three types of entities: terminal, access device, and authentication server.

Figure 1 MAC address authentication system
  • Terminal: refers to a terminal that attempts to access the network.
  • Access device: functions as the network access control point that enforces enterprise security policies. It allows, rejects, isolates, or restricts network access of users based on the security policies customized for enterprise networks.
  • Authentication server: checks whether the identities of users who attempt to access the network are valid and assigns network access rights to users who have valid identities.

User Name Format

The user name and password used by a terminal for MAC address authentication must be configured on the access device in a format listed in the following table. By default, the user name and password are both the MAC address of a terminal.

| User Name for MAC Address Authentication | Password | Application Scenario |
|---|---|---|
| MAC address of a terminal | Either the MAC address of the terminal or a specified password | Applicable to a network with a small number of terminals whose MAC addresses are easy to obtain, for example, when a few printers need to access the network. |
| Specified user name | Specified password | Applicable to a network with reliable terminals. Multiple terminals connected to an interface use the same user name and password for MAC address authentication. In this case, only one account needs to be configured on the authentication server to meet the authentication requirements of all the terminals. |
| One of the following DHCP option formats: circuit-id suboption; remote-id suboption; combination of the circuit-id suboption and remote-id suboption | Specified password | In scenarios where this user name format is used, terminals need to obtain IP addresses through DHCP and DHCP packets must be able to trigger MAC address authentication. |
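
How the user name formats in the table resolve to the credentials presented for a terminal, as an added example that is not Huawei code. The function names, the separator-free lowercase rendering of the MAC address, the hex rendering of suboption values, the plain concatenation used for the combined format, and the sample bytes are all assumptions made for illustration; only the option 82 suboption codes come from RFC 3046.

```python
# Added example, not Huawei code. Sample data is constructed.
RELAY_AGENT_INFO = 82            # DHCP option 82 (RFC 3046)
CIRCUIT_ID, REMOTE_ID = 1, 2     # suboption codes inside option 82
FORMATS = {"circuit-id": (CIRCUIT_ID,), "remote-id": (REMOTE_ID,),
           "circuit-id+remote-id": (CIRCUIT_ID, REMOTE_ID)}

def parse_tlvs(data, dhcp_level=False):
    """Return {code: value} from code/length/value triples; reject truncation."""
    fields, i = {}, 0
    while i < len(data):
        code = data[i]
        if dhcp_level and code == 255:      # End option
            break
        if dhcp_level and code == 0:        # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TLV header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        fields[code] = value
        i += 2 + length
    return fields

def mac_auth_credentials(fmt, mac, dhcp_options=b"", user=None, password=None):
    """Return the (user name, password) pair used for one terminal."""
    mac_hex = mac.replace(":", "").replace("-", "").lower()
    if len(mac_hex) != 12 or any(c not in "0123456789abcdef" for c in mac_hex):
        raise ValueError("not a MAC address: %r" % mac)
    if fmt == "mac":                        # default: both are the MAC address
        return mac_hex, password or mac_hex
    if password is None:
        raise ValueError("format %r needs a specified password" % fmt)
    if fmt == "fixed":                      # one shared account for all terminals
        if not user:
            raise ValueError("fixed format needs a specified user name")
        return user, password
    options = parse_tlvs(dhcp_options, dhcp_level=True)
    if RELAY_AGENT_INFO not in options:     # DHCP packet cannot supply a name
        raise ValueError("DHCP packet carries no option 82")
    sub = parse_tlvs(options[RELAY_AGENT_INFO])
    missing = [c for c in FORMATS[fmt] if c not in sub]
    if missing:
        raise ValueError("option 82 lacks suboption(s) %s" % missing)
    return "".join(sub[c].hex() for c in FORMATS[fmt]), password

# Constructed DHCP options: message type, option 82 (circuit-id, remote-id), End
SAMPLE_OPTIONS = bytes.fromhex("350101" "520e" "01040004000a" "0206001122334455" "ff")
```

In the DHCP option formats the user name depends on what the DHCP packet carries rather than on the terminal's MAC address, so a packet without option 82 yields no user name and the function raises instead of falling back to another format.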
Copyright © Huawei Technologies Co., Ltd.