456 CHAPTER 21: CONFIGURING AAA FOR NETWORK USERS

Configuring Authentication and Authorization by MAC Address

You must sometimes authenticate users based on the MAC addresses of their devices rather than a username-password or certificate. For example, some Voice-over-IP (VoIP) phones and personal digital assistants (PDAs) do not support 802.1X authentication. If a client does not support 802.1X, MSS attempts to perform MAC authentication for the client instead. The WX switch can discover the MAC address of the device from received frames and can use the MAC address in place of a username for the client.

Users authorized by MAC address require a MAC authorization password if RADIUS authentication is desired. By default, MSS assumes that the MAC address for a MAC user is also the password.

CAUTION: Use this method with care. IEEE 802.11 frames can be forged and can result in unauthorized network access if MAC authentication is employed.

Adding and Clearing MAC Users and User Groups Locally

MAC users and groups can gain network access only through the WX switch. They cannot create administrative connections to the WX switch. A MAC user is created in a similar fashion to other local users except for having a MAC address instead of a username. MAC user groups are created in a similar fashion to other local user groups.

(To create a MAC user profile or MAC user group on a RADIUS server, see the documentation for your RADIUS server.)

Adding MAC Users and Groups

To create a MAC user group in the local WX database, you must associate it with an authorization attribute and value.
Use the following command:

    set mac-usergroup group-name attr attribute-name value

For example, to create a MAC user group called mac-easters with a 3000-second Session-Timeout value, type the following command:

    WX1200# set mac-usergroup mac-easters attr session-timeout 3000
    success: change accepted.

To configure a MAC user in the local database and optionally add the user to a group, use the following command:

    set mac-user mac-addr [group group-name]
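
The following Python script is an added example, not taken from this guide or from MSS. It turns a constructed device inventory into the set mac-usergroup and set mac-user commands shown above and rejects malformed, duplicate, multicast and locally administered addresses before they reach the local database. The colon-separated MAC format, the inventory entries and the function names are assumptions of the example.

```python
import re

# Constructed inventory: (device label, MAC as written in an asset sheet, group or None).
INVENTORY = [
    ("voip-lobby", "00-0B-0E-12-34-56", "mac-easters"),
    ("pda-ward3", "000b.0e00.00a1", "mac-easters"),
    ("badge-printer", "00:0b:0e:aa:bb:cc", None),
    ("randomized", "02:11:22:33:44:55", "mac-easters"),  # locally administered bit set
    ("multicast", "01:00:5e:00:00:fb", "mac-easters"),   # group bit set
    ("typo", "00:0b:0e:12:34", "mac-easters"),           # only five octets
]

def normalize_mac(text):
    """Return the MAC as lowercase colon-separated hex (assumed CLI format)."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address")
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:
        raise ValueError("group (multicast/broadcast) address, not a station")
    if first_octet & 0x02:  # policy choice of this example, not an MSS rule
        raise ValueError("locally administered address, not a burned-in MAC")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_commands(inventory, group_attrs):
    """Return (commands, rejected); group_attrs maps group -> (attribute, value)."""
    commands, rejected, seen = [], [], set()
    for group, (attr, value) in sorted(group_attrs.items()):
        commands.append(f"set mac-usergroup {group} attr {attr} {value}")
    for label, raw, group in inventory:
        try:
            mac = normalize_mac(raw)
            if mac in seen:
                raise ValueError("duplicate MAC address")
            if group is not None and group not in group_attrs:
                raise ValueError(f"group {group} is not defined")
        except ValueError as err:
            rejected.append((label, raw, str(err)))
            continue
        seen.add(mac)
        suffix = f" group {group}" if group else ""
        commands.append(f"set mac-user {mac}{suffix}")
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = build_commands(INVENTORY, {"mac-easters": ("session-timeout", 3000)})
    print("\n".join(cmds))
    for label, raw, why in bad:
        print(f"# skipped {label} ({raw}): {why}")
```

These checks only keep bad entries out of the MAC user list; they do not address the forged-frame risk described in the CAUTION above.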