xStack
®
DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch
264
MAC-based Access Control (MAC)
The MAC-based Access Control feature will allow users to configure a list of MAC addresses, either locally or on a remote
RADIUS server, to be authenticated by the Switch and given access rights based on the configurations set on the Switch of the
target VLAN where these authenticated users are placed.
For local authentication on the Switch, the user must enter a list of MAC addresses to be accepted through this mechanism using
the MAC-based Access Control Local Database Settings window, as seen below. The user may enter up to 128 MAC addresses
locally on the Switch. Once a MAC addresses has been authenticated by the Switch on the local side, the port where that MAC
address resides will be placed in the previously configured target VLAN, where the rights and privileges are set by the switch
administrator. If the VLAN Name for the target VLAN is not found by the Switch, the Switch will return the port containing that
MAC address to the originating VLAN. If the MAC address is not found and the port is in the Guest VLAN, it will remain in the
Guest VLAN, with the associated rights. If the port is not in the guest VLAN, this MAC address will be blocked by the Switch.
For remote RADIUS server authentication, the user must first configure the RADIUS server with a list of MAC addresses and
relative target VLANs that are to be authenticated on the Switch. Once a MAC address has been discovered by the Switch, the
Switch will then query the remote RADIUS server with this potential MAC address, using a RADIUS Access Request packet. If a
match is made with this MAC address, the RADIUS server will return a notification stating that the MAC address has been
accepted and is to be placed in the target VLAN. If the VID for the target VLAN is not found, the Switch will return the port
containing the MAC address to the original VLAN. If the MAC address is not found, and if the port is in the Guest VLAN, it will
remain in the Guest VLAN, with the associated rights. If the port is not in the guest VLAN, this MAC address will be blocked by
the Switch.
Notes about MAC-based Access Control
There are certain limitations and regulations regarding the MAC-based Access Control:
1.
Once this feature is enabled for a port, the Switch will clear the FDB of that port.
2.
MAC-based Access Control is its own entity and is not dependant on other authentication functions on the Switch, such
as 802.1X, Web-Based authentication etc.
3.
Ports that have been enabled for Link Aggregation, stacking, 802.1X authentication, 802.1X Guest VLAN, Port Security,
GVRP or Web-based authentication cannot be enabled for the MAC-based Authentication.
MAC-based Access Control Global Settings
The following window is used to set the parameters for the MAC-based Access Control function on the Switch. Here the user can
set the state, password, authentication method, as well as create, configure or delete Guest VLANs.
To view this window, click
Security > MAC Based Access Control > MAC Based Access Control Global Settings
, as shown
below: