How MAC authentication works

MAC authentication grants access to a secure network by authenticating devices. When a device connects to the switch, either by direct link or through the network, the switch forwards the device MAC address to the RADIUS server for authentication. The RADIUS server uses the device MAC address as the user name and password, and grants or denies network access in the same way that it does for clients capable of interactive logons. The process does not use a client device configuration or a logon session. MAC authentication is well suited for clients not capable of providing interactive logons, such as telephones, printers, and wireless access points. Also, because most RADIUS servers allow for authentication to depend on the source switch and port through which the client connects to the network, you can use MAC authentication to lock a particular device to a specific switch and port.


802.1X port access and MAC authentication can be configured at the same time on a port. A total of 256 clients can be configured per port and 16,384 clients on the entire switch, irrespective of the authentication method. After the limit of 16,384 clients is reached, no additional authentication clients are allowed on any port for any method. The default is one client.

MAC authentication, MAC lockout, and port security are mutually exclusive on a given port. If you configure any of these authentication methods on a port, you must disable LACP on the port.

How RADIUS server is used in MAC authentication

MAC authentication uses a RADIUS server to temporarily assign a port to a static VLAN to support an authenticated client. During client authentication, the switch port membership is determined according to the following hierarchy:

  • A RADIUS-assigned VLAN.

  • A static, port-based, untagged VLAN to which the port is configured. A RADIUS-assigned VLAN has priority over switch-port membership in any VLAN.