MAC Address Authentication in the Scenario Where a Portal Server Is Deployed
Only MAC address authentication needs to be configured on an access device when it is connected to a Cisco ISE server in Central Web Authentication (CWA) mode or an Aruba ClearPass server in Server-Initiated mode, with this third-party server acting as the Portal server. The RADIUS server and Portal server work together to display the Portal authentication page. When the Portal server receives an authentication request from a client, it does not initiate Portal authentication itself. Instead, the Portal server instructs the RADIUS server to authenticate the client's MAC address again.
Authentication Process
Figure 1 shows packet exchange in the MAC address authentication process in the scenario where a Portal server is deployed.
Figure 1 MAC address authentication in the scenario where a Portal server is deployed
- After a client connects to a wireless network, the access device sends an Access-Request packet to the RADIUS server for MAC address authentication.
- The RADIUS server checks for the client's MAC address in its cache. If the client's MAC address is not found (in the case of initial authentication or cache timeout), the RADIUS server sends a reply indicating authentication success and delivers initial authorization information, redirect ACL, and redirect URL to the access device. The initial authorization allows access only to the Portal server, DNS server, and DHCP server. The redirect URL allows the access device to redirect HTTP requests from the client to the Portal server login page. If the client's MAC address is found in the cache, the RADIUS server grants complete access permissions to the client.
- The client obtains an IP address. If the user attempts to access an unauthorized web page through a browser, the access device redirects the HTTP request of the client to the Portal server login page (that is, the redirect URL).
- The user enters the user name and password on the Portal authentication page to initiate an authentication request to the Portal server.
- The Portal server checks the user name and password. If they are correct, the Portal server instructs the RADIUS server to perform MAC address reauthentication for the client. If the user name or password is incorrect, MAC address reauthentication is not performed.
- The RADIUS server sends a Disconnect Message (DM) or Change of Authorization (CoA) message to the access device so that the access device performs MAC address reauthentication for the client.
- The access device sends the MAC address authentication request to the RADIUS server.
- The RADIUS server checks whether the client has been authenticated. If so, the RADIUS server grants the client complete network access permissions in the Access-Accept packet, and the client can then access the Internet. If authentication fails, the client is redirected to the authentication failure page.
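The following is an added example, not code from this document or from Cisco, Aruba or the access-device vendor: a small Python model of the exchange above in which the RADIUS server, the third-party Portal server and the access device are cooperating objects. It shows the two outcomes of the initial MAC lookup (cache miss yields the restricted ACL and redirect URL, cache hit yields full access), the HTTP redirect enforced by the access device, and the CoA-triggered reauthentication that only a successful Portal login sets off. All IP addresses, the redirect URL, the MAC address and the credentials are constructed placeholders, and the RADIUS/CoA messages are modelled as method calls rather than real UDP packets.

```python
# Added example (not vendor, Cisco or Aruba code): a minimal model of the
# MAC-address authentication exchange with a third-party Portal server.
# All addresses, URLs, MACs and credentials are constructed placeholders.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Union

PORTAL_IP = "10.0.0.10"   # constructed
DNS_IP = "10.0.0.53"      # constructed
DHCP_IP = "10.0.0.67"     # constructed
REDIRECT_URL = "https://portal.example.test/login"  # constructed


def pw_hash(password: str) -> str:
    """Hash a password for the Portal user store (demo only, unsalted)."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Authorization:
    """Authorization carried in an Access-Accept: either full access, or a
    restricted ACL (Portal, DNS, DHCP) plus the redirect URL for the login page."""
    full_access: bool
    allowed_hosts: FrozenSet[str] = frozenset()
    redirect_url: Optional[str] = None


class AccessDevice:
    """Enforces per-session authorization and reacts to CoA from RADIUS."""
    def __init__(self) -> None:
        self.radius: Optional["RadiusServer"] = None
        self.sessions: Dict[str, Authorization] = {}

    def client_connects(self, mac: str) -> None:
        # Step 1: send an Access-Request for MAC address authentication.
        self.sessions[mac] = self.radius.access_request(mac)

    def handle_coa(self, mac: str) -> None:
        # Step 6: CoA received, re-run MAC address authentication for the client.
        self.sessions[mac] = self.radius.access_request(mac)

    def http_request(self, mac: str, host: str) -> str:
        # Step 3: redirect HTTP traffic that the initial ACL does not permit.
        auth = self.sessions[mac]
        if auth.full_access or host in auth.allowed_hosts:
            return "forward:" + host
        return "redirect:" + auth.redirect_url


class RadiusServer:
    """Answers Access-Requests from a MAC cache and issues CoA on reauth."""
    def __init__(self, device: AccessDevice) -> None:
        self.device = device
        self.mac_cache: Set[str] = set()

    def access_request(self, mac: str) -> Authorization:
        # Steps 2 and 7: Access-Accept either way; a cache hit means full access.
        if mac in self.mac_cache:
            return Authorization(full_access=True)
        return Authorization(False, frozenset({PORTAL_IP, DNS_IP, DHCP_IP}), REDIRECT_URL)

    def reauthenticate(self, mac: str) -> None:
        # Step 5: the Portal confirmed the user; cache the MAC and push a CoA.
        self.mac_cache.add(mac)
        self.device.handle_coa(mac)


class PortalServer:
    """Checks credentials and asks RADIUS to reauthenticate the client's MAC."""
    def __init__(self, radius: RadiusServer, users: Dict[str, str]) -> None:
        self.radius = radius
        self.users = users  # username -> password hash

    def login(self, mac: str, username: str, password: str) -> bool:
        # Step 4: valid credentials trigger MAC reauthentication, nothing else.
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected, pw_hash(password)):
            return False
        self.radius.reauthenticate(mac)
        return True


def run_scenario() -> List[Union[str, bool]]:
    """Walk one client through the exchange and return what each step yielded."""
    device = AccessDevice()
    radius = RadiusServer(device)
    device.radius = radius
    portal = PortalServer(radius, {"alice": pw_hash("correct-horse")})  # constructed
    mac = "00:11:22:33:44:55"  # constructed
    events: List[Union[str, bool]] = []
    device.client_connects(mac)
    events.append(device.http_request(mac, "www.example.test"))  # redirected
    events.append(device.http_request(mac, PORTAL_IP))           # allowed by ACL
    events.append(portal.login(mac, "alice", "wrong"))           # no reauth
    events.append(device.http_request(mac, "www.example.test"))  # still redirected
    events.append(portal.login(mac, "alice", "correct-horse"))   # CoA -> reauth
    events.append(device.http_request(mac, "www.example.test"))  # forwarded
    return events


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
```

The model makes one property of the design visible: the access device never learns the user's credentials, and the only thing that moves a client from the restricted ACL to full access is a RADIUS decision driven by a CoA, so the MAC cache on the RADIUS server is the state that a defender should monitor and age out.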