Deployments using MAC Authentication
MAC address authentication is port-based security, typically deployed at the edge of the network, that enables secure access for devices such as IP phones, printers, and network attached storage devices. The IPS MAC address authentication solution uses the IPS 802.1X framework. When a device connects to a switch, the switch forwards the device's MAC address as the login credential to the IPS RADIUS server. With MAC-based authentication, the MAC address serves as both the username and the password. The RADIUS server consults the authentication server and sends back a RADIUS return attribute based on the authentication result.
Deployment of IPS using Local MAC Authentication Server
IPS supports MAC address authentication using a local MAC authentication server. You can configure the IPS server to act as the authentication and policy server for MAC address authentication, optionally with a separate directory/attribute server. You cannot use a RADIUS server with outer proxy authentication for MAC address authentication.
The authentication process is described below:
- Unmanaged devices connect to the network switch.
- IPS accepts the device MAC address as both the username and the password (MAC authentication).
- IPS matches the MAC address against the entries in either a local database or an external database, and then assigns the port the device is connected to a predetermined VLAN or filter ID.
- If the device MAC address is not found, IPS places the device in a specified default VLAN.
Deployment of IPS using Profiler
IPS supports device validation using Profiler. Profiler dynamically discovers and classifies endpoints, both managed and unmanaged, so that access to the network and its resources can be controlled based on the type of device.
The authentication process is described below:
- Profiler discovers and classifies the endpoints on the network.
- Unmanaged devices connect to the network, and the switch sends a MAC RADIUS query.
- IPS verifies the MAC address against the Profiler database.
- IPS then assigns a role based on the device attributes.
- IPS assigns the switch port to the appropriate VLAN or filter ID.
For more information on Profiler, see the Ivanti Deployment Guide.
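The two flows above (local MAC database and Profiler) differ only in where the MAC address is looked up and whether a role is derived from device attributes. The following is an added example, not Ivanti's or IPS's own code: a small in-memory stand-in for the RADIUS decision logic that checks the MAC-as-username-and-password credential, looks the MAC up, and returns the VLAN or Filter-Id attribute the switch would apply, falling back to the default VLAN for unknown MACs. The database contents, MAC addresses, VLAN numbers, role names, and the `RadiusReply` / `ROLE_POLICY` structures are all constructed for illustration; the assumption that an unprofiled device also lands in the default VLAN is this example's, not a statement from the page.

```python
"""Simulation of the MAC-authentication decisions described above.

Added example, not Ivanti/IPS code. All MACs, VLAN ids, role names and
database contents are constructed.
"""
from dataclasses import dataclass
from typing import Optional
import re


@dataclass(frozen=True)
class RadiusReply:
    """The subset of a RADIUS reply the switch acts on."""
    code: str                        # "Access-Accept" or "Access-Reject"
    vlan: Optional[str] = None       # Tunnel-Private-Group-ID (VLAN id)
    filter_id: Optional[str] = None  # Filter-Id (ACL name on the switch)
    role: Optional[str] = None       # role chosen by policy (Profiler flow only)


def normalize_mac(raw: str) -> str:
    """Canonical 12-hex-digit lowercase form; switches send MACs in varying formats."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.lower()


def _credentials_ok(username: str, password: str) -> Optional[str]:
    """MAC auth: username and password must both be the same MAC; returns it or None."""
    try:
        user_mac = normalize_mac(username)
        pass_mac = normalize_mac(password)
    except ValueError:
        return None
    return user_mac if user_mac == pass_mac else None


DEFAULT_VLAN = "999"  # constructed: VLAN for MACs not found in the database

# Constructed local MAC database: canonical MAC -> static assignment.
LOCAL_MAC_DB = {
    normalize_mac("00:11:22:33:44:55"): {"vlan": "20"},
    normalize_mac("AA-BB-CC-DD-EE-FF"): {"filter_id": "printer-acl"},
}

# Constructed Profiler database: canonical MAC -> discovered device attributes.
PROFILER_DB = {
    normalize_mac("0011.2233.4466"): {"category": "IP Phone"},
    normalize_mac("aabbccddee01"): {"category": "Printer"},
}

# Constructed role policy keyed on Profiler's device category.
ROLE_POLICY = {
    "IP Phone": ("voice-devices", {"vlan": "20"}),
    "Printer": ("printers", {"filter_id": "printer-acl"}),
}


def mac_auth_local(username: str, password: str) -> RadiusReply:
    """Flow 1: local MAC authentication server."""
    mac = _credentials_ok(username, password)
    if mac is None:
        return RadiusReply("Access-Reject")
    entry = LOCAL_MAC_DB.get(mac)
    if entry is None:
        # MAC not found: place the device in the configured default VLAN.
        return RadiusReply("Access-Accept", vlan=DEFAULT_VLAN)
    return RadiusReply("Access-Accept",
                       vlan=entry.get("vlan"), filter_id=entry.get("filter_id"))


def mac_auth_profiler(username: str, password: str) -> RadiusReply:
    """Flow 2: Profiler database -> role -> VLAN/filter id."""
    mac = _credentials_ok(username, password)
    if mac is None:
        return RadiusReply("Access-Reject")
    attrs = PROFILER_DB.get(mac)
    if attrs is None:
        # Assumption of this example: unprofiled devices get the default VLAN too.
        return RadiusReply("Access-Accept", vlan=DEFAULT_VLAN)
    role, assignment = ROLE_POLICY.get(
        attrs["category"], ("unknown-devices", {"vlan": DEFAULT_VLAN}))
    return RadiusReply("Access-Accept", role=role,
                       vlan=assignment.get("vlan"), filter_id=assignment.get("filter_id"))


if __name__ == "__main__":
    for user, pw in [("00:11:22:33:44:55", "00:11:22:33:44:55"),
                     ("de:ad:be:ef:00:01", "de:ad:be:ef:00:01"),
                     ("00:11:22:33:44:55", "wrong")]:
        print(user, "->", mac_auth_local(user, pw), mac_auth_profiler(user, pw))
```

Two design points carry over to a real deployment: normalize the MAC before lookup, because different switch vendors send it as `aa:bb:...`, `aabb.ccdd.eeff`, or `AA-BB-...`, and keep the default VLAN for unknown MACs tightly scoped, since a MAC address is a weak, spoofable credential and that VLAN is where any device the database has never seen will land.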