Web+MAC authentication, which aims to simplify web authentication, is the most common authentication mode for Layer 2 IPoE user access. In this mode, a user enters the username and password on a portal page when accessing the Internet for the first time. After RADIUS authentication succeeds, the RADIUS server associates the automatically recorded terminal MAC address with the username. For a specified period after the first access, the user can then access the network again without re-entering the username and password.
The following describes the authentication process for the first and subsequent Internet access.
As shown in Figure 1, when the user accesses the Internet for the first time, the user first enters the MAC authentication domain. Because the RADIUS server cannot find the user's MAC address during the user's first Internet access, MAC authentication fails, and the user is switched to the web pre-authentication domain. In the web pre-authentication domain, the user can access only the web authentication page. On this page, the user enters the username and password for authentication. After the authentication succeeds, the user enters the MAC authentication domain and can access network resources.
As shown in Figure 2, when the user accesses the Internet again from the same terminal after the first access, the RADIUS server can find the user's MAC address, and the authentication succeeds. The user then enters the MAC authentication domain and can access network resources.
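The two flows above, modeled in Python as an added example (not vendor code or device configuration). The domain labels, the 7-day validity period and the sample account are assumptions, because the page gives no values for them.

```python
import hmac
from dataclasses import dataclass, field

MAC_DOMAIN = "mac-auth"          # hypothetical label for the MAC authentication domain
PREAUTH_DOMAIN = "web-preauth"   # hypothetical label for the web pre-authentication domain
BINDING_TTL = 7 * 24 * 3600      # assumed "specified period", in seconds

@dataclass
class RadiusServer:
    users: dict                                    # username -> password (constructed sample data)
    bindings: dict = field(default_factory=dict)   # mac -> (username, bound_at)

    def mac_auth(self, mac, now):
        """Return the bound username if the MAC is known and the binding is still valid."""
        key = mac.lower()
        entry = self.bindings.get(key)
        if entry is None:
            return None                  # first access: MAC not recorded yet
        username, bound_at = entry
        if now - bound_at >= BINDING_TTL:
            del self.bindings[key]       # period elapsed: portal login is required again
            return None
        return username

    def web_auth(self, mac, username, password, now):
        """Check portal credentials; on success record the MAC-to-username binding."""
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return False
        self.bindings[mac.lower()] = (username, now)
        return True

def access(server, mac, now, credentials=None):
    """Return (domain, username) describing where the terminal ends up."""
    user = server.mac_auth(mac, now)
    if user is not None:
        return MAC_DOMAIN, user          # subsequent access: no portal prompt
    # MAC authentication failed: only the portal page is reachable from here.
    if credentials and server.web_auth(mac, *credentials, now):
        return MAC_DOMAIN, credentials[0]
    return PREAUTH_DOMAIN, None

if __name__ == "__main__":
    radius = RadiusServer(users={"alice": "s3cret"})   # constructed account
    mac = "AA:BB:CC:00:11:22"                          # constructed MAC address
    print(access(radius, mac, 0))                          # no binding yet
    print(access(radius, mac, 20, ("alice", "s3cret")))    # portal login binds the MAC
    print(access(radius, mac, 20 + BINDING_TTL))           # binding expired
```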
Because a user does not need to enter the username and password again for Internet access after the first access, you need to control access rights of terminals accordingly.