Configuring the global MAC authentication password

MAC authentication requires only a single entry in the user database, containing the device's MAC address as both the username and the password. This creates an opportunity for malicious device spoofing. The global password option configures a common MAC authentication password that is used for all MAC authentications sent to the RADIUS server, which makes spoofing more difficult.

When implementing the global MAC authentication password option, it is important that the user database on the RADIUS server has this password as the password for each device performing MAC authentication.

Syntax:


[no] aaa port-access mac-based password <password-value>

Specifies the global password to be used by all MAC authenticating devices.

The [no] form of the command disables the feature.

Configuring a global MAC authentication password

Switch(config)#aaa port-access mac-based password secretMAC1

Switch(config)#show port-access mac-based config

Port Access MAC-Based Configuration

MAC Address Format : no-delimiter
Password           : secretMAC1

Unauth Redirect Configuration URL :

Unauth Redirect Client Timeout (sec) : 1800
Unauth Redirect Restrictive Filter : Disabled
Total Unauth Redirect Client Count : 0

              Client Client Logoff  Re-Auth Unauth  Auth    Cntrl
Port  Enabled Limit  Moves  Period  Period  VLAN ID VLAN ID Dir
----- ------- ------ ------ ------- ------- ------- ------- -----
1     No      1      No     300     0       0       0       both
2     No      1      No     300     0       0       0       both
3     No      1      No     300     0       0       0       both
4     No      1      No     300     0       0       0       both
5     No      1      No     300     0       0       0       both
6     No      1      No     300     0       0       0       both
7     No      1      No     300     0       0       0       both
8     No      1      No     300     0       0       0       both

NOTE:

The password value will display in an exported config file when include-credentials is enabled.
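
The requirement above, that every MAC-authenticating device's RADIUS entry carries the global password, can be checked before the option is enabled. The following is an added example, not part of the original documentation or the vendor's tooling. It assumes a FreeRADIUS-style users file (the page does not name a RADIUS server), takes "no-delimiter" to mean 12 lowercase hex digits, and uses constructed sample entries.

```python
import re

# Assumption: FreeRADIUS-style "users" file; the page does not name a RADIUS server.
ENTRY = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"')
SEPARATORS = re.compile(r'[-:.]')


def normalize_mac(name):
    """Return the MAC in no-delimiter form (12 lowercase hex digits) or None."""
    bare = SEPARATORS.sub("", name).lower()
    return bare if re.fullmatch(r"[0-9a-f]{12}", bare) else None


def audit_users(text, global_password):
    """Return (line_no, username, problem) for MAC entries that will not match."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ENTRY.match(line)
        if not m:
            continue  # comments, reply attributes, blank lines
        user, password = m.groups()
        mac = normalize_mac(user)
        if mac is None:
            continue  # ordinary (non-MAC) account
        if user != mac:
            findings.append((line_no, user, "username not in no-delimiter format"))
        if normalize_mac(password) == mac:
            findings.append((line_no, user, "password is still the MAC address"))
        elif password != global_password:
            findings.append((line_no, user, "password differs from global password"))
    return findings


# Constructed sample data, not taken from a real server.
SAMPLE_USERS = '''\
# printers
001122aabbcc Cleartext-Password := "secretMAC1"
001122aabbcd Cleartext-Password := "001122aabbcd"
00-11-22-AA-BB-CE Cleartext-Password := "secretMAC1"
001122aabbcf Cleartext-Password := "secretmac1"
alice Cleartext-Password := "not-a-mac-account"
'''

if __name__ == "__main__":
    for finding in audit_users(SAMPLE_USERS, "secretMAC1"):
        print("line %d: %s: %s" % finding)
```

Entries flagged as "password is still the MAC address" are the ones that remain spoofable and that will stop authenticating once the switch begins sending the global password.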