Installation Manual
Table Of Contents
- About This Guide
- Overview
- Hardware Overview
- Ethernet Cables
- WEB Management
- Configuration by Web Browser
- About Web-based Management
- Basic Setting
- System Information
- Admin & Password
- Auth Method
- IP Setting
- HTTPS
- SSH
- LLDP
- Backup/Restore Configuration
- Firmware Update
- DHCP Server
- Port Setting
- Port Trunk
- LACP
- Redundancy
- MSTP
- STP
- VLAN
- VLAN Setting Example
- SNMP
- Traffic Prioritization
- Multicast
- Security
- AAA
- RADIUS Overview
- Warning
- System Warning
- Monitor and Diag
- Port Statistic
- System Log Information
- Cable Diagnostics
- SFP Monitor
- Ping
- Syncronization-PTP
- PoE Configuration
- Status
- Factory Defaults
- System Reboot
- Configuration by Web Browser
- Command Line Interface Management
- Technical Specifications
INS_CWGE26FX2TX24MSPOE_REV– 5 Mar 2014 PAGE 92
INSTALLATION AND OPERATION MANUAL CWGE26FX2TX24MSPOE
TECH SUPPORT: 1.888.678.9427
Overview of MAC-Based Authentication
Unlike 802.1X, MAC-based authentication is not a standard, but merely a best-practices method
adopted by the industry. In MAC-based authentication, users are called clients, and the switch
acts as the supplicant on behalf of clients. The initial frame (any kind of frame) sent by a client
is snooped by the switch, which in turn uses the client’s MAC address as both username and
password in the subsequent EAP exchange with the RADIUS server. The 6-byte MAC address
is converted to a string on the following form “xx-xx-xx-xx-xx-xx”, that is, a dash (-) is used as
separator between the lower-cased hexadecimal digits. The switch only supports the MD5-
Challenge authentication method, so the RADIUS server must be configured accordingly.
When authentication is complete, the RADIUS server sends a success or failure indication, which
in turn causes the switch to open up or block traffic for that particular client, using static entries
into the MAC Table. Only then will frames from the client be forwarded on the switch. There are
no EAPOL frames involved in this authentication, and therefore, MAC-based Authentication has
nothing to do with the 802.1X standard.
The advantage of MAC-based authentication over 802.1X is that several clients can be
connected to the same port (e.g. through a 3rd party switch or a hub) and still require individual
authentication, and that the clients don’t need special supplicant software to authenticate. The
disadvantage is that MAC addresses can be spoofed by malicious users, equipment whose MAC
address is a valid RADIUS user can be used by anyone, and only the MD5-Challenge method is
supported.
The 802.1X and MAC-Based Authentication configuration consists of two sections, a system – and
a port-wide