Specifications

Summit WM Series WLAN Switch and Altitude Access Point Software Version 4.1 Technical Reference Guide
7 MAC Based Authentication
MAC-based authentication is a new feature designed to further control wireless clients' access to
network resources across the Summit WM series switch, access points, and WLAN switch
software system. It authenticates the client's MAC address using the same process as
the user's RADIUS authentication.
Only clients whose MAC addresses have been authenticated can establish sessions and use network
resources as defined by the rules for the virtual network segment. Depending on the assignment of the
virtual segment (NONE, SSID and AAA), the user's authentication may be required. In that sense,
MAC-based authentication is a form of authentication that gives wireless clients permission
to enter the system. If the RADIUS server rejects the authentication, the Summit WM series switch
sends a message to the Altitude AP, and the Altitude AP disconnects the client.
The feature is configurable per WM-AD through the GUI as part of the RADIUS profile definition. It
includes RADIUS redundancy with up to three RADIUS servers.
It is also designed to work when clients roam and in mobility cases. A wireless client can be forced to
start MAC-based authentication when roaming from one Altitude AP to another.
How MAC-based authentication works
1 When a client attempts to associate with a WM-AD that has MAC-based authentication enabled,
the Altitude AP triggers the association request, which is forwarded through the control plane
to the Security Manager and then to the RADIUS Client. The RADIUS Client sends the access request
to the RADIUS server, using the MAC address of the wireless client as both the userId and the
password.
2 When the Authentication Request is received, the Authentication Server validates the request
(checking that it comes from a known client, the Summit WM series switch) and then decrypts the
data packet to access the user name and password information, in this case the MAC address. This
information is passed to the appropriate security system, which verifies the existence of the user
and the correctness of the password, as well as the authentication type (PAP, CHAP, MS CHAP).
Depending on the server, this security system can be a UNIX file, Active Directory, etc.
3 If an account for the MAC address is defined on the RADIUS server, and it passes the security check,
the RADIUS server sends an access accept to the Summit WM series switch, and the FE
creates an MU session.
4 If the MAC address fails the security check, the RADIUS server sends an access reject to the
Summit WM series switch. Upon receiving the access reject, the Summit WM series switch sends
a message to the Altitude AP, and the Altitude AP disconnects the client.
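The access request of steps 1 and 2, as an added example (not code from this guide or from the switch software): it builds an RFC 2865 Access-Request that carries the MAC address as both User-Name and User-Password, then recovers the credentials on the server side with the shared secret. PAP is assumed, and the MAC string format, the shared secret and all function names are constructed for illustration; the guide does not state how the switch formats the MAC.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1                 # RADIUS packet code (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2    # attribute types (RFC 2865)
SAMPLE_MAC = "00:11:22:aa:bb:cc"   # constructed client MAC; format is an assumption
SAMPLE_SECRET = b"example-secret"  # constructed switch/server shared secret

def _xor_blocks(secret, authenticator, data, decrypt):
    """RFC 2865 section 5.2 hiding: XOR 16-byte blocks with chained MD5 output."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        prev = block if decrypt else res   # the chain always runs over ciphertext
        out += res
    return out

def hide_password(secret, authenticator, password):
    padded = password + b"\x00" * (-len(password) % 16)   # null-pad to 16-byte blocks
    return _xor_blocks(secret, authenticator, padded, decrypt=False)

def reveal_password(secret, authenticator, hidden):
    return _xor_blocks(secret, authenticator, hidden, decrypt=True).rstrip(b"\x00")

def build_access_request(mac, secret, identifier=1, authenticator=None):
    """Switch side: the MAC address is sent as both user name and password."""
    authenticator = authenticator or os.urandom(16)
    cred, attrs = mac.encode(), b""
    for atype, value in ((USER_NAME, cred),
                         (USER_PASSWORD, hide_password(secret, authenticator, cred))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_access_request(packet, secret):
    """Server side: validate the framing, then recover user name and password."""
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, found = packet[4:20], 20, {}
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        found[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    password = reveal_password(secret, authenticator, found[USER_PASSWORD])
    return {"user": found[USER_NAME].decode(), "password": password.decode()}
```

Only the User-Password attribute is hidden with the shared secret; User-Name travels unhidden, so in this scheme the value used as the password is also visible in the same packet.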