BigIron RX Series Configuration Guide    925    53-1002253-01

Chapter 31  Configuring Multi-Device Port Authentication

How multi-device port authentication works

Multi-device port authentication is a way to configure a BigIron RX to forward or block traffic from a MAC address based on information received from a RADIUS server.

The multi-device port authentication feature is a mechanism by which incoming traffic originating from a specific MAC address is switched or forwarded by the device only if the source MAC address is successfully authenticated by a RADIUS server. The MAC address itself is used as the username and password for RADIUS authentication; the user does not need to provide a specific username and password to gain access to the network. If RADIUS authentication for the MAC address is successful, traffic from the MAC address is forwarded in hardware.

If the RADIUS server cannot validate the user's MAC address, then it is considered an authentication failure, and a specified authentication-failure action can be taken. The default authentication-failure action is to drop traffic from the non-authenticated MAC address in hardware. You can also configure the device to move the port on which the non-authenticated MAC address was learned into a restricted or “guest” VLAN, which may have limited access to the network.

RADIUS authentication

The multi-device port authentication feature communicates with the RADIUS server to authenticate a newly found MAC address. The device supports multiple RADIUS servers; if communication with one of the RADIUS servers times out, the others are tried in sequential order. If a response from a RADIUS server is not received within a specified time (by default, 3 seconds), the RADIUS session times out, and the device retries the request up to three times. If no response is received, the next RADIUS server is chosen, and the request is sent to it for authentication.

The RADIUS server is configured with the usernames and passwords of authenticated users. For multi-device port authentication, the username and password are both the MAC address itself; that is, the device uses the MAC address for both the username and the password in the request sent to the RADIUS server. For example, given a MAC address of 0007e90feaa1, the users file on the RADIUS server would be configured with a username and password both set to 0007e90feaa1. When traffic from this MAC address is encountered on a MAC-authentication-enabled interface, the device sends the RADIUS server an Access-Request message with 0007e90feaa1 as both the username and password. The format of the MAC address sent to the RADIUS server is configurable through the CLI.

The request for authentication from the RADIUS server is successful only if the username and password provided in the request match an entry in the users database on the RADIUS server. When this happens, the RADIUS server returns an Access-Accept message back to the device. When the RADIUS server returns an Access-Accept message for a MAC address, that MAC address is considered authenticated, and traffic from the MAC address is forwarded normally by the device.
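The exchange described in the two sections above, as an added Python model that is not part of the guide and is not Brocade's code. It shows the three behaviours the text specifies: the MAC address is sent as both username and password, the device moves to the next RADIUS server only when the current one times out (an Access-Reject is final), and the authentication-failure action is either the default hardware drop or a move of the port to a guest VLAN. The server objects, the in-memory users table standing in for the RADIUS users file, the three MAC formatting styles (the guide only says the format is configurable), the retry count as "attempts per server", and the result strings are all this example's own assumptions. Note that because the MAC address is the entire credential, the users file is in effect an allow-list of hardware addresses, which is why the failure action and the guest VLAN's reach matter.

```python
"""Model of multi-device (MAC) port authentication as the chapter describes it.
Added example: server objects, users table, MAC styles and result strings are
constructed for illustration and are not the device's CLI or API."""

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def format_mac(mac: str, style: str = "plain") -> str:
    """Normalise a MAC into the form placed in the Access-Request.

    The guide says the format is configurable through the CLI; the three
    styles here are this example's assumption, not the device's option names.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    if style == "plain":    # 0007e90feaa1 (the guide's example form)
        return digits
    if style == "colon":    # 00:07:e9:0f:ea:a1
        return ":".join(pairs)
    if style == "dash":     # 00-07-e9-0f-ea-a1
        return "-".join(pairs)
    raise ValueError(f"unknown MAC style: {style!r}")


@dataclass
class RadiusServer:
    """Stand-in for one RADIUS server; `users` plays the role of its users file."""
    name: str
    users: Dict[str, str]                  # username -> password
    reachable: bool = True                 # constructed: False means every request times out
    requests: List[str] = field(default_factory=list)

    def access_request(self, username: str, password: str) -> Optional[str]:
        """Return 'Access-Accept', 'Access-Reject', or None when the request times out."""
        self.requests.append(username)
        if not self.reachable:
            return None
        return "Access-Accept" if self.users.get(username) == password else "Access-Reject"


@dataclass
class MacAuthPort:
    """One MAC-authentication-enabled port on the switch."""
    servers: List[RadiusServer]            # tried in configured order
    mac_format: str = "plain"
    attempts_per_server: int = 3           # guide: retry up to three times before moving on
    guest_vlan: Optional[int] = None       # None = default failure action, drop in hardware
    vlan: int = 10                         # constructed: the port's normal VLAN
    authenticated: Set[str] = field(default_factory=set)
    blocked: Set[str] = field(default_factory=set)

    def authenticate(self, mac: str) -> str:
        """Authenticate a newly learned MAC and return the resulting action."""
        credential = format_mac(mac, self.mac_format)
        reply: Optional[str] = None
        for server in self.servers:
            for _ in range(self.attempts_per_server):
                # The MAC is both the username and the password.
                reply = server.access_request(credential, credential)
                if reply is not None:
                    break              # an answer (accept or reject) ends the retries
            if reply is not None:
                break                  # only a timeout moves on to the next server
        if reply == "Access-Accept":
            self.authenticated.add(credential)
            return "forward"
        # Access-Reject, or no server answered: authentication failure.
        if self.guest_vlan is None:
            self.blocked.add(credential)
            return "drop"
        self.vlan = self.guest_vlan
        return f"guest-vlan {self.guest_vlan}"


if __name__ == "__main__":
    primary = RadiusServer("radius1", users={}, reachable=False)  # constructed: down
    backup = RadiusServer("radius2", users={"0007e90feaa1": "0007e90feaa1"})
    port = MacAuthPort(servers=[primary, backup])
    print(port.authenticate("00:07:E9:0F:EA:A1"))   # forward, after radius1 times out 3x
    print(port.authenticate("00:07:e9:0f:ea:a2"))   # drop (MAC not in the users file)
    print(primary.requests, backup.requests)
```

Swapping the default `guest_vlan=None` for a VLAN number changes the failure action from a hardware drop to a port move, which is the second option the guide describes; the model keeps the distinction between "timed out, try the next server" and "rejected, stop" explicit because the two look identical from the client's side but differ in what a RADIUS log will show.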