Understanding MAC Authentication

Each wireless network interface card (NIC) used by a wireless client has a unique media access control (MAC) address. A client’s MAC address can be used to control access to the access point. MAC authentication can be done either locally or with a RADIUS server. MAC authentication can be the only method of client authentication or it can be performed in addition to other authentication methods. When used in conjunction with other authentication methods, MAC authentication is performed after other authentication.

MAC authentication is configured on a per virtual access point basis and can be set to one of the following options:

  • Disabled—No MAC authentication is performed for the virtual access point.
  • Local—The client’s MAC address is checked against a global list of client MAC addresses that are allowed or denied access to the network. You configure the list with the station-mac-filter statement in the [edit wlan access-point access-point options] hierarchy. This function is similar to configuring a MAC filter. MAC authentication of a client fails if either an allow-list is specified and the client’s MAC is not in the list, or a deny-list is specified and the client’s MAC is in the list. In either case the client is denied association. The global list is applicable to every virtual access point, but the usage of this list is determined by the MAC authentication mode for each virtual access point.
  • RADIUS—The client’s MAC address is checked against a RADIUS server and the globally configured allow or deny action is used. The access point uses the password NOPASSWORD to authenticate the MAC address with the RADIUS server. (This password is global, not per MAC address.) When MAC authentication on the RADIUS server is set to deny mode, the presence of a specified MAC address on the RADIUS server is used to deny network access to that MAC address. If an entry for the client’s MAC address is not found on the RADIUS server, the opposite of the globally configured action is used.

    MAC entries are configured on the RADIUS server as follows:

    RADIUS Server Attribute   Description                                           Range                        Usage
    User-Name                 Ethernet address of the client station                Valid Ethernet MAC address   Required
    User-Password             A fixed password used to look up a client MAC entry   NOPASSWORD                   Required
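
The three modes above reduce to one decision rule, modeled here as an added example (not Juniper code): an entry that is present gets the configured action, and an absent entry gets the opposite. The function names, the mode and action strings, and the sample MAC addresses are assumptions made for illustration.

```python
import re

def normalize_mac(mac):
    """Reduce colon, hyphen, dot or bare-hex notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a valid Ethernet MAC address: {mac!r}")
    return digits

def mac_auth_permits(mode, client_mac, entries, action="allow"):
    """Return True if the MAC authentication step lets the client associate.

    mode    -- "disabled", "local" or "radius" (set per virtual access point)
    entries -- MACs in the global station list (local mode) or MACs that
               have a User-Name entry on the RADIUS server (radius mode)
    action  -- globally configured list type or action: "allow" or "deny"
    """
    if mode == "disabled":
        return True  # no MAC check; other authentication methods still apply
    if mode not in ("local", "radius"):
        raise ValueError(f"unknown mode: {mode!r}")
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    known = {normalize_mac(m) for m in entries}
    found = normalize_mac(client_mac) in known
    # Entry present: the configured action applies. Entry absent: the opposite,
    # so in deny mode every MAC that is not listed is permitted.
    return found if action == "allow" else not found

# Constructed sample entries (IANA documentation MAC range), mixed notations.
SAMPLE_ENTRIES = ["00:00:5E:00:53:01", "0000.5e00.5302"]

def decision_table(client_mac, entries=SAMPLE_ENTRIES):
    """Outcome for one client under every mode/action combination."""
    return {
        (mode, action): mac_auth_permits(mode, client_mac, entries, action)
        for mode in ("disabled", "local", "radius")
        for action in ("allow", "deny")
    }

if __name__ == "__main__":
    for mac in ("00-00-5e-00-53-01", "00:00:5e:00:53:99"):
        for (mode, action), ok in decision_table(mac).items():
            print(f"{mac}  {mode:<8} {action:<5} -> {'permit' if ok else 'deny'}")
```

The table for the unlisted address shows that deny mode permits any MAC without an entry, which matters when choosing between the two actions.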

Published: 2014-05-22
