Enabling MAC authentication

The following steps enable MAC authentication and also include certain Flexible authentication configurations specific to MAC authentication.

  1. Enter the configure terminal command to enter global configuration mode.
    device# configure terminal
  2. Enter the authentication command to enter authentication mode.
    device(config)# authentication
  3. Enter the mac-authentication enable command to enable MAC authentication.
    device(config-authen)# mac-authentication enable
  4. Enter the mac-authentication enable { all | ethernet stack/slot/port } command to enable MAC authentication on all interfaces or a specific interface.
    device(config-authen)# mac-authentication enable all
  5. (Optional) Enter the mac-authentication password-format command to configure the format in which the MAC address is sent to the RADIUS server for authentication.
    device(config-authen)# mac-authentication password-format xx-xx-xx-xx-xx-xx upper-case
    By default, the MAC address is sent to the RADIUS server in the xxxxxxxxxxxx format in lower case.
  6. (Optional) Enter the mac-authentication password-override command to specify a user-defined password instead of the MAC address for MAC authentication.
    device(config-authen)# mac-authentication password-override ts54fs
    The password can contain up to 32 alphanumeric characters, but must not include blank spaces.
  7. (Optional) Enter the mac-authentication dot1x-override command to configure the device to perform 802.1X authentication after MAC authentication.
    device(config-authen)# mac-authentication dot1x-override

    This command is applicable only when the authentication sequence is configured as MAC authentication followed by 802.1X authentication.

    If the mac-authentication dot1x-override command is configured, the clients that failed MAC authentication undergo 802.1X authentication if the failure action is configured as a restricted VLAN.

  8. (Optional) Enter the mac-authentication auth-filter command to apply the specified filter on the interface. The MAC addresses defined in the filter (MAC filter) do not have to go through authentication.
    device(config)# interface ethernet 1/1/1
    device(config-if-e1000-1/1/1)# mac-authentication auth-filter 1 2

    The source MAC addresses defined using the mac filter command are considered pre-authenticated, and are not subject to MAC authentication. A client can be authenticated in an untagged VLAN or tagged VLAN using the MAC address filter for MAC authentication. If the authentication filter has a tagged VLAN configuration, the clients are authenticated in the auth-default VLAN and the tagged VLAN provided in the auth-filter. The clients authorized in the auth-default VLAN allow both untagged and tagged traffic. The auth-filter is defined using the mac-filter command.
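
The RADIUS server's entries must match exactly what steps 5 and 6 configure the device to send. The following Python sketch is an added example, not part of the vendor documentation: it normalizes an inventory of MAC addresses into the configured password-format and builds FreeRADIUS `users` lines. It assumes the formatted MAC is also sent as the User-Name; the function names and the sample inventory are constructed for illustration.

```python
import re

# Formats named on this page for "mac-authentication password-format".
FORMATS = {
    "xxxxxxxxxxxx": "",        # default: no separator
    "xx-xx-xx-xx-xx-xx": "-",  # hyphen between octets
}

# Constructed sample inventory: mixed notations, first two are the same host.
INVENTORY = ["00:11:22:AA:BB:CC", "0011.22aa.bbcc", "00-11-22-aa-bb-cd"]


def format_mac(mac, fmt="xxxxxxxxxxxx", upper_case=False):
    """Render a MAC the way the device is configured to send it."""
    if fmt not in FORMATS:
        raise ValueError(f"unsupported password-format: {fmt}")
    digits = re.sub(r"[-:.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper() if upper_case else digits.lower()
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    return FORMATS[fmt].join(octets)


def radius_user_entries(macs, fmt="xxxxxxxxxxxx", upper_case=False,
                        password_override=None):
    """Build FreeRADIUS 'users' lines for MAC authentication.

    Assumption: the formatted MAC is the User-Name, and is also the
    password unless password-override is configured on the device.
    """
    if password_override is not None:
        # Page rule: up to 32 alphanumeric characters, no blank spaces.
        ok = password_override.isascii() and password_override.isalnum()
        if not ok or len(password_override) > 32:
            raise ValueError("password-override must be 1-32 alphanumerics")
    entries, seen = [], set()
    for mac in macs:
        name = format_mac(mac, fmt, upper_case)
        if name in seen:  # same host listed in two notations
            continue
        seen.add(name)
        secret = password_override or name
        entries.append(f'{name} Cleartext-Password := "{secret}"')
    return entries


if __name__ == "__main__":
    for line in radius_user_entries(INVENTORY, "xx-xx-xx-xx-xx-xx", True):
        print(line)
```

A mismatch in case or separator between these entries and the device's password-format setting causes every client to fail MAC authentication, so regenerate the entries whenever step 5 or 6 changes.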