When an SSL VPN user accesses the virtual gateway, the virtual gateway authenticates the user, based on either the user name and password or the certificate. MAC address authentication additionally authenticates the physical MAC address of the user terminal after the preceding user authentication is completed.
MAC address authentication allows only authorized terminals to access the intranet, preventing potential risks caused by unauthorized terminals. MAC address authentication is optional.
To implement MAC address authentication, you need to bind user groups to MAC address groups on the SSL VPN virtual gateway. The virtual gateway examines the MAC address carried in a user's authentication request, determines the user group based on the user name, and then determines the MAC address group bound to the user group. If the MAC address of the user terminal can be found in the MAC address group, the user passes the terminal authentication and goes online normally. If the virtual gateway does not find the MAC address, the authentication fails, and the virtual gateway rejects the user's login request.
If the user host has multiple real NICs, the virtual gateway authenticates the MAC address carried in the authentication request, which is the MAC address of the user's current NIC.
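The lookup order described above (user authentication, then user group, then bound MAC address group, then membership check) can be modeled as follows. This is an added example, not the gateway's own code: the user names, group names, and MAC addresses are constructed, and treating a user group with no bound MAC address group as exempt from the check is an assumption drawn from the statement that MAC address authentication is optional.

```python
import re

# Constructed sample data; all names and addresses are hypothetical.
USER_GROUPS = {"alice": "engineering", "bob": "contractors", "carol": "guests"}
MAC_GROUP_BINDINGS = {"engineering": "eng-laptops", "contractors": "ctr-laptops"}
MAC_GROUPS = {
    "eng-laptops": {"00e0-fc12-3456", "00:E0:FC:AB:CD:EF"},
    "ctr-laptops": {"00-E0-FC-00-00-01"},
}

def normalize_mac(mac):
    """Reduce common MAC notations to 12 lowercase hex digits, or None if invalid."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def terminal_auth(user, request_mac, user_authenticated):
    """Return (allowed, reason) for one login request.

    request_mac is the single MAC carried in the authentication request,
    i.e. the address of the NIC currently in use, not every NIC on the host.
    """
    # MAC authentication runs only after password/certificate authentication.
    if not user_authenticated:
        return False, "user authentication failed"
    group = USER_GROUPS.get(user)
    if group is None:
        return False, "unknown user"
    mac_group = MAC_GROUP_BINDINGS.get(group)
    if mac_group is None:
        # Assumption: no binding means MAC authentication is not in effect.
        return True, "no MAC address group bound"
    mac = normalize_mac(request_mac)
    allowed = {normalize_mac(m) for m in MAC_GROUPS.get(mac_group, ())}
    if mac is not None and mac in allowed:
        return True, "MAC found in " + mac_group
    return False, "MAC not in " + mac_group

if __name__ == "__main__":
    # Same user, two NICs on one host: only the NIC used for the request counts.
    print(terminal_auth("alice", "00:e0:fc:12:34:56", True))  # registered NIC
    print(terminal_auth("alice", "00E0.FC99.9999", True))     # unregistered NIC
```

Comparing normalized addresses avoids rejecting an authorized terminal only because the address was recorded in a different notation than the one reported in the request.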