Deployments using MAC Authentication
MAC address authentication is port-based security typically deployed at the edge of the network to enable secure access for devices such as IP phones, printers, and network attached storage devices. The Ivanti Policy Secure MAC address authentication solution uses the Ivanti Policy Secure 802.1X framework. When a device connects to a switch, the switch forwards the device's MAC address as the login credential to the Ivanti Policy Secure RADIUS server. With MAC-based authentication, the MAC address serves as both the username and the password. The RADIUS server consults the authentication server and sends back a RADIUS return attribute based on the authentication results.
Deployment of Ivanti Policy Secure using Local MAC Authentication Server
Ivanti Policy Secure supports MAC address authentication using a local MAC Authentication server. You can configure the Ivanti Policy Secure server to act as the authentication and policy server for MAC address authentication and, optionally, use a separate directory/attribute server. You cannot use a RADIUS server with outer proxy authentication for MAC address authentication.
The authentication process is described below:
- Unmanaged devices connect to the network switch.
- Ivanti Policy Secure accepts the device MAC address as the username and password using MAC Authentication.
- Ivanti Policy Secure matches the MAC address against the entries in either a local database or an external database, and then assigns the port that connects the device to a predetermined VLAN or filter ID.
- If the device MAC address is not found, Ivanti Policy Secure places the device in a specified default VLAN.
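The flow above, as an added example (not Ivanti Policy Secure code): a sketch of the lookup a RADIUS policy server performs for MAC authentication, including normalizing the different MAC formats that switches send. The database entries, default VLAN, function names, and the rejection of requests whose password does not match the username are assumptions made for illustration; the VLAN return attributes are the RFC 3580 tunnel attributes.

```python
import re

# Constructed local MAC database: normalized MAC -> assignment (hypothetical).
MAC_DB = {
    "001122aabbcc": {"vlan": "20"},                 # e.g. an IP phone
    "00a0b0c0d0e0": {"filter_id": "printers-acl"},  # e.g. a printer
}
DEFAULT_VLAN = "999"  # constructed default VLAN for devices not in the database


def normalize_mac(value):
    """Drop ':', '-', '.' separators and lowercase; None unless 12 hex digits."""
    digits = re.sub(r"[:.\-]", "", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def vlan_attrs(vlan):
    """RADIUS return attributes for VLAN assignment (RFC 3580)."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": vlan}


def mac_auth(user_name, user_password):
    """Return (decision, return_attributes) for one MAC authentication request."""
    mac = normalize_mac(user_name)
    # The MAC address is both username and password; anything else is malformed.
    if mac is None or normalize_mac(user_password) != mac:
        return "reject", {}  # assumption: malformed requests get no VLAN
    entry = MAC_DB.get(mac)
    if entry is None:
        return "default-vlan", vlan_attrs(DEFAULT_VLAN)
    if "filter_id" in entry:
        return "match", {"Filter-Id": entry["filter_id"]}
    return "match", vlan_attrs(entry["vlan"])


if __name__ == "__main__":
    # Constructed requests showing the formats different switches may send.
    for user, password in [
        ("00-11-22-AA-BB-CC", "00-11-22-AA-BB-CC"),
        ("00a0.b0c0.d0e0", "00a0.b0c0.d0e0"),
        ("de:ad:be:ef:00:01", "deadbeef0001"),
        ("001122aabbcc", "wrong"),
    ]:
        print(user, "->", mac_auth(user, password))
```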
Deployment of Ivanti Policy Secure using Profiler
Ivanti Policy Secure supports device validation using Profiler. Profiler dynamically identifies and classifies endpoints across managed and unmanaged endpoint devices, so that access to the network and its resources can be controlled based on the type of device.
The authentication process is described below:
- Profiler discovers and classifies the endpoints on the network.
- Unmanaged devices connect to the network, and the switch sends a MAC RADIUS query.
- Ivanti Policy Secure verifies the MAC address in the Profiler database.
- Ivanti Policy Secure then assigns a role based on device attributes.
- Ivanti Policy Secure assigns the switch port to the appropriate VLAN or filter ID.
For more information on Profiler, see the Profiler Deployment Guide.