User Guide

OmniAccess SafeGuard OS Administration Guide
Chapter 6: Configuring Authentication and Role Derivation
Configuring MAC-Based RADIUS
SafeGuard OS supports MAC-based RADIUS as an active authentication method. MAC-based authentication is a Layer 2 interface-based authentication method that uses the MAC address of the client for authentication.

MAC-based RADIUS authentication begins when the system sees IP traffic from a new host interface. The MAC address, in ASCII format without colons, is sent internally to the local database as both the user name and the user password. If the user does not exist in the local database, the system generates a RADIUS PAP request to the RADIUS server for authentication.

To configure the local database for MAC-based RADIUS supplicants, follow the procedure in Adding or Deleting a User from the Local Authentication Database on page 258. Be sure to use the MAC address in ASCII format without colons for both the user name and user password.

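The credential format described above, shown as an added example that is not part of the original guide: it converts a device inventory into the colon-free string used as both user name and user password, and sets aside addresses that should be reviewed before enrollment. The inventory, the function names, the lowercase default (the guide does not state letter case, so confirm what the system sends) and the policy of holding back locally administered addresses are assumptions.

```python
import re

# Constructed sample inventory: printers and IP phones in mixed notations.
SAMPLE_INVENTORY = [
    ("lobby-printer", "00:1A:2B:3C:4D:5E"),
    ("phone-204", "001a.2b3c.4d5f"),
    ("phone-205", "00-1A-2B-3C-4D-5F"),   # same address as phone-204
    ("lab-tablet", "02:11:22:33:44:55"),  # locally administered bit set
    ("bad-entry", "00:1A:2B:3C:4D"),      # only five octets
    ("mcast", "01:00:5E:00:00:01"),       # group (multicast) address
]

def normalize_mac(text, upper=False):
    """Return 12 hex digits with no separators, or raise ValueError."""
    digits = re.sub(r"[:.\-\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    # Letter case is an assumption; match what the system actually sends.
    return digits.upper() if upper else digits.lower()

def build_entries(inventory, upper=False):
    """Split inventory into (entries, rejected).

    entries: dicts whose user name and password are the same MAC string.
    rejected: (device, reason) pairs held back for manual review.
    """
    entries, rejected, seen = [], [], {}
    for name, raw in inventory:
        try:
            mac = normalize_mac(raw, upper)
        except ValueError as exc:
            rejected.append((name, str(exc)))
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:      # I/G bit: not a single station
            rejected.append((name, "group (multicast) address"))
        elif first_octet & 0x02:    # U/L bit: software-assigned address
            rejected.append((name, "locally administered address"))
        elif mac in seen:
            rejected.append((name, f"duplicate of {seen[mac]}"))
        else:
            seen[mac] = name
            entries.append({"device": name, "username": mac, "password": mac})
    return entries, rejected

if __name__ == "__main__":
    ok, bad = build_entries(SAMPLE_INVENTORY)
    for e in ok:
        print(e["device"], e["username"], e["password"])
    for name, reason in bad:
        print("REVIEW", name, reason)
```
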
MAC-based RADIUS is enabled on individual interfaces. Use the aaa mac-radius command in Interface Configuration mode to enable MAC-based RADIUS on an interface. Use the no version of the command to disable it on an interface.

aaa mac-radius
no aaa mac-radius

These commands have no parameters or variables. The following example enables MAC-based RADIUS on interface 0/8:

SECURITY: Because MAC addresses can be spoofed on a network, use this authentication method only for IP devices that cannot function as 802.1x supplicants, such as printers or IP phones.

Field     Description
DROP      Requests dropped
HDR       Invalid TCP header
FRAG      IP fragment
CHKSUM    Invalid checksum
ACKERR    Number of segments with a bad acknowledgement
RST       TCP resets
RXMIT     Retransmits
SYNRST    TCP SYNs for closed ports
SYNDRP    TCP SYNs for dropped connections