Differences between port authentication and MAC address authentication on S series switches


The 802.1x protocol is a port-based network access control protocol that authenticates access users on ports of an access control device to control access to network resources. As a result, 802.1x authentication is also called port authentication.
MAC address authentication controls a user's network access rights based on the access port and the user's MAC address. After MAC address authentication is enabled on a port, the device starts authentication for a user when it detects the MAC address of the user on the port.
For S series switches (except the S1700), differences between port authentication and MAC address authentication are as follows:
- Port authentication requires secure 802.1x client software, but MAC address authentication does not require any client software.
- Port authentication requires a user to enter the user name and password in the 802.1x client, but MAC address authentication does not require the user to enter the user name or password.
- MAC address authentication is mainly used for access authentication of dumb terminals where clients cannot be installed, such as printers and scanners.

Other related questions:
Differences between interface authentication and area authentication for OSPF on S series switches
Rules for OSPF authentication on S series switches supporting OSPF are as follows: If an interface is configured with authentication, the authentication method configured on the interface is used. If the authentication is set to null, the interface is not authenticated. If the interface is not configured with authentication (null does not indicate no configuration), area authentication is used. If the area is not configured with authentication either, no authentication is performed.

S series switches' support for MAC address authentication
S series switches (except the S1700) support MAC address authentication as follows:
- In V100R006, switches except the S2700SI and S2710SI support MAC address authentication.
- In versions later than V100R006, all switches support MAC address authentication.

Configuring MAC address bypass authentication on S series switches
On S series switches (except the S1700), you can enable MAC address bypass authentication so that terminals such as printers, on which the 802.1x client software cannot be installed or used, can access the network. For example, if a large number of PCs and a small number of dumb terminals are connected to GE1/0/1 and GE1/0/5, you can enable 802.1x authentication and MAC address bypass authentication on GE1/0/1 and GE1/0/5 to ensure that both the PCs and the dumb terminals can access the network. The configuration is as follows:
- Configure multiple interfaces in a batch in the system view.
[HUAWEI] dot1x enable
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
[HUAWEI] dot1x mac-bypass interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
- Configure each interface in the interface view.
[HUAWEI] dot1x enable
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dot1x enable
[HUAWEI-GigabitEthernet1/0/1] dot1x mac-bypass
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] dot1x enable
[HUAWEI-GigabitEthernet1/0/5] dot1x mac-bypass
Precautions:
1. In addition to performing the preceding configuration, you still need to add the MAC addresses of the terminals on the authentication server. For details, see the configuration guide of the authentication server.
2. In V200R005C00 and later versions, S series switches support MAC address bypass authentication only in NAC traditional configuration mode.
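The following is an added example, not part of the original page or of any Huawei tool: a Python audit that reads commands typed in the two forms shown above and lists which ports admit terminals by MAC address, since those are the ports whose terminal MAC addresses must be registered on the authentication server. The names `parse` and `audit` and the sample session are assumptions made for illustration; interface ranges are not handled.

```python
import re

# Constructed sample session using the two command forms shown on the page.
SAMPLE = """\
[HUAWEI] dot1x enable
[HUAWEI] dot1x enable interface gigabitethernet 1/0/1 gigabitethernet 1/0/5
[HUAWEI] dot1x mac-bypass interface gigabitethernet 1/0/1
[HUAWEI] interface gigabitethernet 1/0/5
[HUAWEI-GigabitEthernet1/0/5] dot1x enable
[HUAWEI-GigabitEthernet1/0/5] dot1x mac-bypass
[HUAWEI-GigabitEthernet1/0/5] quit
[HUAWEI] interface gigabitethernet 1/0/9
[HUAWEI-GigabitEthernet1/0/9] dot1x enable
"""

PROMPT = re.compile(r"^\[[^\]]*\]\s*")               # leading "[HUAWEI...]" prompt
IFACE = re.compile(r"([a-z-]+)\s*(\d+(?:/\d+)*)")    # e.g. "gigabitethernet 1/0/1"
FEATURES = {"enable": "dot1x", "mac-bypass": "mac-bypass"}

def parse(text):
    """Return (global_dot1x, {interface: {'dot1x', 'mac-bypass'}}) from typed commands."""
    global_on, ports, view = False, {}, None         # view None means system view
    for raw in text.splitlines():
        cmd = PROMPT.sub("", raw.strip()).lower()
        words = cmd.split()
        if cmd == "quit":
            view = None
        elif cmd.startswith("interface "):
            m = IFACE.search(cmd[len("interface "):])
            view = m.group(1) + m.group(2) if m else None
        elif len(words) >= 2 and words[0] == "dot1x" and words[1] in FEATURES:
            if "interface" in words[2:]:             # batch form in the system view
                rest = cmd.partition(" interface ")[2]
                targets = [m.group(1) + m.group(2) for m in IFACE.finditer(rest)]
            elif view is None:                       # global "dot1x enable"
                global_on = global_on or words[1] == "enable"
                targets = []
            else:                                    # command typed in an interface view
                targets = [view]
            for t in targets:
                ports.setdefault(t, set()).add(FEATURES[words[1]])
    return global_on, ports

def audit(text):
    """List ports that admit terminals by MAC address and ports that are 802.1x only."""
    global_on, ports = parse(text)
    return {
        "global_dot1x": global_on,
        "mac_bypass_ports": sorted(p for p, f in ports.items() if "mac-bypass" in f),
        "dot1x_only_ports": sorted(p for p, f in ports.items() if f == {"dot1x"}),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A port that appears under `mac_bypass_ports` while `global_dot1x` is false does not match the procedure on this page, which runs the global `dot1x enable` first in both methods.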

How to add a MAC address for MAC address authentication on S series switches
For S series switches (except the S1700), if a new MAC address entry is generated after MAC address authentication is configured on an interface, MAC address authentication will be performed for the MAC address. You can perform the following operations to add a MAC address for MAC address authentication.
[HUAWEI] interface Vlanif 10
[HUAWEI-Vlanif10] mac-authen permit mac-address 1111-1111-1111 mask 24
