1-3MAC authentication supports MAC-based guest VLAN (MGV). With MGV configured on a port, usersfailing the authentication on the port are authorized to access the resources in the guest VLAN.If a user in the guest VLAN initiates another authentication process but fails the authentication, thedevice will keep the user in the guest VLAN. If the user passes the authentication, the device will addthe user to the assigned VLAN or return the user to its original VLAN, depending on whether theauthentication server assigns a VLAN.ACL AssigningACLs assigned by an authorization server are referred to as authorization ACLs, which are designed tocontrol access to network resources. If the RADIUS server is configured with authorization ACLs, thedevice will permit or deny data flows traversing through the port through which a user accesses thedevice according to the authorization ACLs. You can change access rights of users by modifyingauthorization ACL settings on the RADIUS server.Configuring MAC AuthenticationConfiguration Prerequisitesz Create and configure an ISP domain.z For local authentication, create the local users and configure the passwords.z For RADIUS authentication, ensure that a route is available between the device and the RADIUSserver, and add the usernames and passwords on the server.When adding usernames and passwords on the device or server, ensure that:z The type of username and password must be consistent with that used for MAC authentication.z All the letters in the MAC address to be used as the username and password must be in lowercase.z The service type of the local users must be configured as lan-access.Configuration ProcedureFollow these steps to configure MAC authentication:To do… Use the command… RemarksEnter system view system-view —Enable MAC authenticationglobally mac-authentication RequiredDisabled by defaultmac-authentication interfaceinterface-listEnable MAC authenticationfor specified portsinterface interface-typeinterface-numbermac-authenticationquitRequiredUse either approach.Disabled by defaultSpecify the ISP domain for mac-authentication domain isp-name Optional