Overview

MAC authentication is designed to be used at the edge of a network. It provides port-based security measures for protecting private networks and switches from unauthorized access. Because this method does not require clients to run special supplicant software (unlike 802.1X authentication), it is suitable for legacy systems, IoT devices, and temporary-access situations where introducing supplicant software is not an attractive option. Only a MAC address is required for authentication.

MAC authentication relies on a RADIUS server to authenticate clients. This technique simplifies access security management by using a master database on a single server to control client access. Up to three RADIUS servers can be configured as backups in case the primary server becomes unreachable. It also means that the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN.

On a port configured for MAC authentication, the switch operates as a port-access authenticator using a RADIUS server and the Challenge-Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP). Until authentication succeeds, inbound traffic from the client is processed only by the switch. Some traffic from the switch to an unauthorized client is supported (for example, broadcast or unknown-destination packets) before authentication occurs.
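The following is an added example, not code from the original documentation or from any switch firmware, showing what the switch and the RADIUS server actually exchange when the only credential is a MAC address. It assumes (as an assumption, not something the page states) that the MAC address is normalized to lowercase hex without delimiters and used as both username and password, and it uses a constructed shared secret and authenticator. It implements the two RADIUS credential encodings named above: PAP hiding of the User-Password attribute (RFC 2865 section 5.2) and the CHAP-Password response (RFC 2865 section 5.3, RFC 1994), together with the server-side check for each.

```python
import hashlib
import hmac

# Constructed sample values (not from the page): a client MAC address and the
# RADIUS shared secret configured between the switch and the server.
SAMPLE_MAC = "00:1A:2B:3C:4D:5E"
SAMPLE_SECRET = b"example-shared-secret"


def mac_credential(mac: str) -> str:
    """Normalize a MAC address into the credential string sent to RADIUS.

    Assumption for this example: lowercase hex, no delimiters. The real format
    is a switch configuration choice and is not stated on the page.
    """
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hexdigits


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as the switch does for the User-Password attribute.

    RFC 2865 s5.2: pad the password with NULs to a multiple of 16 octets, then
    XOR each 16-octet chunk with MD5(secret + previous ciphertext chunk); the
    first chunk is keyed by the 16-octet Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += chunk
        prev = chunk
    return hidden


def pap_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: invert pap_hide_password and strip the NUL padding."""
    if len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a multiple of 16 octets")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return plain.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Build the CHAP-Password attribute value the switch sends.

    RFC 2865 s5.3: CHAP Ident (1 octet) followed by
    MD5(Ident + password + challenge), 16 octets. The challenge is either the
    CHAP-Challenge attribute or the Request Authenticator.
    """
    if not 0 <= ident <= 255:
        raise ValueError("CHAP Ident must fit in one octet")
    ident_byte = bytes([ident])
    return ident_byte + hashlib.md5(ident_byte + password + challenge).digest()


def chap_verify(chap_password: bytes, expected_password: bytes, challenge: bytes) -> bool:
    """Server side: recompute the response from the stored credential and compare.

    The comparison is constant-time so the check itself leaks nothing about
    where the digests first differ.
    """
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], expected_password, challenge)
    return hmac.compare_digest(chap_password, expected)


if __name__ == "__main__":
    cred = mac_credential(SAMPLE_MAC).encode()
    authenticator = bytes(range(16))  # constructed; a real switch uses a random value
    hidden = pap_hide_password(cred, SAMPLE_SECRET, authenticator)
    print("PAP User-Password:", hidden.hex())
    print("PAP reveals      :", pap_reveal_password(hidden, SAMPLE_SECRET, authenticator))
    resp = chap_response(0x2a, cred, authenticator)
    print("CHAP-Password    :", resp.hex())
    print("CHAP verifies    :", chap_verify(resp, cred, authenticator))
```

Two things stand out when the exchange is written down. First, the PAP hiding and the CHAP digest protect the credential only on the wire between switch and RADIUS server, and both rely on the shared secret and on MD5; the strength of that link is the shared secret, so it should be long and unique per switch. Second, the credential itself is the MAC address, which is transmitted in the clear in every frame the client sends, so from the server's point of view a successful MAC authentication proves only that something claiming that address is on the port. That is why the page positions MAC authentication for devices that cannot run a supplicant, rather than as a substitute for 802.1X where a supplicant is available.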

MAC authentication allows wireless clients to move between switch ports (for example, moving from one access point to another) without having to reauthenticate.