How to configure MAC Authentication via Nebula Cloud Authentication Server (NCAS) on Nebula switch

Zyxel_Adam Posts: 339  Zyxel Employee
First Anniversary 10 Comments Friend Collector First Answer
edited June 2023 in Network Security

MAC-based authentication is a powerful security feature that allows you to manage network access based on the MAC addresses of connected devices. By implementing MAC-based authentication, you can strengthen your network's security and ensure that only authorized devices are permitted to connect.

Topology and Scenario:
Imagine a typical network setup with Zyxel switches and access points. In this scenario, you want to enforce strict access control measures based on device MAC addresses. This type of authentication is particularly beneficial in environments where physical security is vital, such as offices, educational institutions, or public areas.

The laptop on the left (Green) represents an authed device, and the laptop on the right (Red) represents an illegal device trying to access the network.


  • Access to Nebula Control Center
  • Navigate to Configure > Switches > Authentication page and set up the Authentication Server to utilize the Nebula cloud authentication server (NCAS) as the central authentication service. This ensures seamless processing of all authentication requests through the cloud.
  • In the Authentication Policy section of the Authentication page, define a policy specifically for MAC-based authentication. This policy will establish the rules for granting network access based on MAC addresses.

*You could check the Model list to see the current support models.

  • Configure Switch Ports: Once the MAC-based authentication policy is created, choose port type "Access" and apply the MAC-based authentication policy on desired ports you established in the previous step.

  • Create MAC accounts in to Cloud authentication > MAC tab that suppose to be allowed to access the network. You cloud create it from either paths
    • Configure > Cloud authentication > MAC tab
    • Organization-wide manage > Cloud authentication > MAC tab

Verification and Noted:
To ensure the successful configuration of MAC-based authentication, follow these verification steps:

  1. Connect a device to a port that requires MAC authentication.
  2. The device will be automatically authenticated based on its MAC address.
  3. If the device's MAC address matches any of the allowed MAC addresses specified in the authentication policy, network access will be granted. If there is no match, access will be denied.

You could also check authenticated status by accessing to switch (telnet, SSH, or console), and using the command

show cloud authentication

As you can see the Red laptop is getting denied in accessing the network, and the Green laptop is granting the network access.

Note that MAC-based authentication eliminates the need for users to manually enter their MAC addresses when connecting their devices. The authentication process occurs seamlessly in the background, providing a user-friendly experience.

By following these configuration steps, you can effectively implement MAC-based authentication on your Zyxel networking devices, bolstering network security and controlling access based on MAC addresses.