MAC Address Authentication Process

The access device exchanges RADIUS packets with the RADIUS server and encrypts passwords of MAC address authentication users in Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) mode.

PAP: The access device generates a random MD5 challenge and uses it to encrypt passwords of MAC address authentication users once.
CHAP: The access device generates a random MD5 challenge and uses it to encrypt passwords of MAC address authentication users twice.

Figure 1 and Figure 2 show MAC address authentication processes in PAP and CHAP modes, separately.

Figure 1 MAC address authentication process (PAP mode)

After detecting the MAC address of a terminal for the first time, the access device learns this MAC address and triggers MAC address authentication.
The access device generates a random MD5 challenge and uses the challenge to encrypt the password of the user once. The access device then encapsulates the user name, encrypted password, and MD5 challenge into a RADIUS Access-Request packet, and sends this packet to the RADIUS server, requesting MAC address authentication on the user.
The RADIUS server uses the received MD5 challenge to encrypt the password of the user stored in the local database once. If the password is the same as the password sent by the access device, the RADIUS server returns a RADIUS Access-Accept packet, indicating that the MAC address authentication succeeds and the terminal is allowed to access the network.

Figure 2 MAC address authentication process (CHAP mode)

The MAC address authentication process in CHAP mode is similar to that in PAP mode, except that the password is encrypted twice.