MAC authentication using accept list HowTo
Introduction
This document describes a setup of MAC authentication using a local MAC accept list to authorise MAC addresses.
Overview
For an overview of all available configuration settings for Port Access Control, refer to the configuration section in the Port Access Control Guide.
Below is the topology of the devices in this setup.
                       |
                     .--.-.
                    (  (  )__
                   (_,  \ ) ,_)
                     '-'--`--'
                       | GW 10.0.2.1
                       | VLAN 2
                       | 10.0.2.0/24
                       | 10.0.2.2
 Authenticator   .--+------+------+------+--.
(Switch/Router)  |  5      6      7      8  |
with Accept-List |           WeOS           |
10.0.1.1         |  1      2      3      4  |
                 '--+------+------+------+--'
                    X      X      X      X      <== Controlled Ports
                    | VLAN 1                        (All Blocked by
                    | 10.0.1.0/24                    Authenticator)
                 .--+-.
                 | H1 |  (Host/Supplicant)
                 '----'  IP 10.0.1.43/24
                         GW 10.0.1.1
Figure 1: A basic setup of port access control using MAC Authentication. Ports eth1-eth4 are controlled. Here ports eth1-eth7 are on VLAN 1 and eth8 is on VLAN 2, but they could be on the same VLAN.
Configuration
First, the VLANs and IP addresses of the WeOS router are configured; see Figure 1 above. It is assumed that all ports are assigned (untagged) to VLAN 1 from the start. For more information, see VLAN configuration.

example:/#> config
example:/config/#> vlan 2
example:/config/vlan-2/#> untagged eth8
example:/config/vlan-2/#> end
example:/config/#> iface vlan1
example:/config/iface-vlan1/#> no inet
example:/config/iface-vlan1/#> inet static 10.0.1.1/24
example:/config/iface-vlan1/inet-static-10.0.1.1/#> end
example:/config/iface-vlan1/#> end
example:/config/#> iface vlan2
example:/config/iface-vlan2/#> inet static 10.0.2.2/24
example:/config/iface-vlan2/inet-static-10.0.2.2/#> end
example:/config/iface-vlan2/#> end
example:/config/#> ip
example:/config/ip/#> route default 10.0.2.1
example:/config/ip/#> leave
example:/#>
Next, a MAC authentication list is configured. This is done in the AAA context.

example:/#> config
example:/config/#> aaa
example:/config/aaa/#> mac-auth 1
example:/config/aaa/mac-auth-1/#> mac match 00:80:c8:3c:25:b8 description "My PC"
example:/config/aaa/mac-auth-1/#> leave
example:/config/#> leave
example:/#>
See MAC match Settings for more information on how to configure a MAC authentication list.
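With more than a handful of hosts, the accept list is easier to keep correct when it is generated from an inventory rather than typed entry by entry. The script below is an added example written for this HowTo, not Westermo code: it normalises MAC addresses written in colon, dash or dot notation to the lowercase colon form shown on this page, rejects malformed or duplicate entries, and emits the CLI lines for the AAA context using only the commands shown above. The inventory contents are constructed; the MAC from the example above is included, the others are made up.

```python
import re

# Constructed inventory (description -> MAC) in the mixed notations an operator
# might have in a spreadsheet. Only 00:80:c8:3c:25:b8 comes from the HowTo.
INVENTORY = {
    "My PC": "00:80:c8:3c:25:b8",
    "Printer": "00-80-C8-3C-25-B9",
    "Badge reader": "0080.c83c.25ba",
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(mac: str) -> str:
    """Return MAC in lowercase colon-separated form (the form WeOS prints).

    Accepts colon, dash and dotted notation; raises ValueError on anything
    that is not exactly twelve hex digits once separators are removed.
    """
    digits = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(mac: str) -> bool:
    """True if normalise_mac() would accept the string."""
    try:
        normalise_mac(mac)
        return True
    except ValueError:
        return False


def accept_list_commands(list_id: int, inventory: dict) -> list:
    """Build the WeOS CLI lines that create MAC accept list LIST_ID.

    One 'mac match' entry is produced per host. Duplicate MACs are rejected
    rather than silently collapsed, since two descriptions for one address
    usually means the inventory is wrong. Descriptions containing a double
    quote are rejected because they would break the quoted CLI argument.
    """
    seen = {}
    lines = ["config", "aaa", f"mac-auth {list_id}"]
    for desc, raw in inventory.items():
        if '"' in desc:
            raise ValueError(f"description may not contain '\"': {desc!r}")
        mac = normalise_mac(raw)
        if mac in seen:
            raise ValueError(f"{mac} listed twice ({seen[mac]!r} and {desc!r})")
        seen[mac] = desc
        lines.append(f'mac match {mac} description "{desc}"')
    lines.append("leave")
    return lines


if __name__ == "__main__":
    # Paste the result into the CLI, or review it before applying.
    print("\n".join(accept_list_commands(1, INVENTORY)))
```

The generated lines mirror the session above (config, aaa, mac-auth 1, one mac match per host, leave); reviewing the generated text before pasting it gives a natural point to diff the intended list against what the switch already has.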
With a MAC authentication list created, enabling MAC Authentication on ports eth1-eth4 can be done as follows.
example:/#> config
example:/config/#> port-access
Creating new Port Access instance 1.
example:/config/port-access-1/#> port eth1..eth4
example:/config/port-access-1/#> description "Site A"
example:/config/port-access-1/#> port-method mac-based
example:/config/port-access-1/#> mac-authentication
example:/config/port-access-1/mac-auth/#> accept-list 1
example:/config/port-access-1/mac-auth/#> leave
example:/#>
Port Method
In this example we explicitly set the port method to mac-based, which is
also the default setting. With this method, each individual client must be
authenticated and its MAC address is unlocked on the port. For more
information about port methods, see Port Method.
Status
Port access status can be shown by issuing show port-access in the admin context.
example:/#> show port-access
Number of Port Access Instances: 1
Table Instance Dividers        : Disabled

╒ 802.1X Authentications ════════════════════════════════════════════════════╕
│# MAC-ADDRESS        SUPPLICANT      PORT   SERVER             DATE-ADDED   │
│No authenticated 802.1X clients found.                                      │
└────────────────────────────────────────────────────────────────────────────┘
╒ MAC Auth Authentications ══════════════════════════════════════════════════╕
│# MAC-ADDRESS        PORT   METHOD      DATE-ADDED                          │
│1 00:80:c8:3c:25:b8  eth1   Whitelist   Nov 22 18:40:21                     │
└────────────────────────────────────────────────────────────────────────────┘
╒ Ports ═════════════════════════════════════════════════════════════════════╕
│PORT   METHOD      STATE              AUTHENTICATED-MAC                     │
│eth1   MAC Based   1 Authentication   00:80:c8:3c:25:b8                     │
│eth2   MAC Based   0 Authentications  -                                     │
│eth3   MAC Based   0 Authentications  -                                     │
│eth4   MAC Based   0 Authentications  -                                     │
└────────────────────────────────────────────────────────────────────────────┘
╒ VLAN Assignment ═══════════════════════════════════════════════════════════╕
│PORT   ENABLED   STATE         FROM   ASSIGNING-CLIENT   VLAN               │
│eth1   No        Unassigned    -      -                  -                  │
│eth2   No        Unassigned    -      -                  -                  │
│eth3   No        Unassigned    -      -                  -                  │
│eth4   No        Unassigned    -      -                  -                  │
└────────────────────────────────────────────────────────────────────────────┘

- Use 'show port-access audit' to display related events in the audit log.
- Use 'show port-access INSTANCE' to show details for a specific instance.
- Use 'port-access instance-dividers' to enable dividers between instances in the tables.
example:/#>
For more information about the status output and the different tables, see Port Access Control Status.
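Because an accept list keys purely on the MAC address, it is worth checking periodically that the set of clients the switch has actually authenticated matches the list the operator intended. The parser below is an added example for this HowTo, not part of WeOS: it reads the "MAC Auth Authentications" table from captured show port-access output in the layout shown above and reports rows whose MAC is absent from the intended list, or whose METHOD is anything other than the Whitelist value the table prints for accept-list matches. The sample output is constructed from the table above with one extra, made-up row so that the check has something to flag; the intended list is accept list 1 from this HowTo.

```python
import re

# Constructed sample: the MAC Auth table from the HowTo plus one invented row
# (00:80:c8:3c:25:c0 on eth3) that is not in the intended accept list.
SAMPLE_OUTPUT = """\
╒ MAC Auth Authentications ══════════════════════════════════════════════════╕
│# MAC-ADDRESS        PORT   METHOD      DATE-ADDED                          │
│1 00:80:c8:3c:25:b8  eth1   Whitelist   Nov 22 18:40:21                     │
│2 00:80:c8:3c:25:c0  eth3   Whitelist   Nov 22 18:41:05                     │
└────────────────────────────────────────────────────────────────────────────┘
"""

# The accept list as the operator intends it (accept list 1 from the HowTo).
INTENDED_ACCEPT_LIST = {"00:80:c8:3c:25:b8"}

# One data row: index, MAC, port, method, then the date, padded to the border.
ROW_RE = re.compile(
    r"^│\s*(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\S+)\s+(.+?)\s*│$",
    re.IGNORECASE,
)


def parse_mac_auth_table(output: str) -> list:
    """Return the rows of the 'MAC Auth Authentications' table as dicts.

    Other tables in the same output (802.1X, Ports, VLAN Assignment) are
    skipped by tracking which box header was seen last.
    """
    rows, in_table = [], False
    for line in output.splitlines():
        if line.startswith("╒"):
            in_table = "MAC Auth Authentications" in line
            continue
        if line.startswith("└"):
            in_table = False
            continue
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if m:  # the '# MAC-ADDRESS ...' header line does not match
            rows.append({
                "mac": m.group(2).lower(),
                "port": m.group(3),
                "method": m.group(4),
                "added": m.group(5).strip(),
            })
    return rows


def unexpected_clients(output: str, intended: set) -> list:
    """Rows that should not be there if only the intended list is in force.

    A MAC outside the intended list means the list on the device has drifted
    from the inventory; a METHOD other than 'Whitelist' means the client was
    admitted by some source other than the accept list.
    """
    return [
        r for r in parse_mac_auth_table(output)
        if r["mac"] not in intended or r["method"] != "Whitelist"
    ]


if __name__ == "__main__":
    for row in unexpected_clients(SAMPLE_OUTPUT, INTENDED_ACCEPT_LIST):
        print(f"unexpected: {row['mac']} on {row['port']} "
              f"via {row['method']} (added {row['added']})")
```

In practice the output would be collected from the switch (for example over SSH) and the intended list taken from the same inventory used to build the accept list; the 'show port-access audit' events mentioned above complement this by showing when each entry appeared.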