Enabling MAC authentication
The following steps enable MAC authentication and also include certain Flexible authentication configurations specific to MAC authentication.
- Enter the configure terminal command to enter global configuration mode.
device# configure terminal
- Enter the authentication command to enter authentication mode.
device(config)# authentication
- Enter the mac-authentication enable command to enable MAC authentication.
device(config-authen)# mac-authentication enable
- Enter the mac-authentication enable { all | ethernet stack/slot/port } command to enable MAC authentication on all interfaces or a specific interface.
device(config-authen)# mac-authentication enable all
- (Optional) Enter the mac-authentication password-format command to configure the format in which the MAC address is sent to the RADIUS server for authentication.
device(config-authen)# mac-authentication password-format xx-xx-xx-xx-xx-xx upper-case
By default, the MAC address is sent to the RADIUS server in the xxxxxxxxxxxx format in lower case.
- (Optional) Enter the mac-authentication password-override command to specify a user-defined password instead of the MAC address for MAC authentication.
device(config-authen)# mac-authentication password-override ts54fs
The password can contain up to 32 alphanumeric characters, but must not include blank spaces.
- (Optional) Enter the mac-authentication dot1x-override command to configure the device to perform 802.1X authentication after MAC authentication.
device(config-authen)# mac-authentication dot1x-override
This command is applicable only when the authentication sequence is configured as MAC authentication followed by 802.1X authentication.
If the mac-authentication dot1x-override command is configured, the clients that failed MAC authentication undergo 802.1X authentication if the failure action is configured as a restricted VLAN.
- (Optional) Enter the mac-authentication auth-filter command to apply the specified filter on the interface. The MAC addresses defined in the filter (MAC filter) do not have to go through authentication.
device(config)# interface ethernet 1/1/1
device(config-if-e1000-1/1/1)# mac-authentication auth-filter 1 2
The source MAC addresses defined using the mac filter command are considered pre-authenticated, and are not subject to MAC authentication. A client can be authenticated in an untagged VLAN or tagged VLAN using the MAC address filter for MAC authentication. If the authentication filter has a tagged VLAN configuration, the clients are authenticated in the auth-default VLAN and the tagged VLAN provided in the auth-filter. The clients authorized in the auth-default VLAN allow both untagged and tagged traffic. The auth-filter is defined using the mac-filter command.
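
An added example (not part of the original documentation): a Python helper that renders client MAC addresses in the password-format configured above, so that RADIUS user entries match exactly what the switch sends. It covers only the two formats shown on this page and assumes the user name is the formatted MAC address and the password is the same string unless password-override is set; the sample addresses are constructed.

```python
import re

# Formats shown on this page for "mac-authentication password-format".
FORMATS = {"xxxxxxxxxxxx": "", "xx-xx-xx-xx-xx-xx": "-"}


def render_mac(mac, fmt="xxxxxxxxxxxx", upper_case=False):
    """Render a MAC (colon, dash, dot or bare notation) in the configured format."""
    if fmt not in FORMATS:
        raise ValueError(f"format not covered by this example: {fmt!r}")
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.upper() if upper_case else digits.lower()
    pairs = [digits[i:i + 2] for i in range(0, 12, 2)]
    return FORMATS[fmt].join(pairs)


def check_override(password):
    """Enforce the page's limits: up to 32 alphanumeric characters, no blanks."""
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", password):
        raise ValueError("password-override must be 1-32 alphanumeric characters")
    return password


def radius_credentials(macs, fmt="xxxxxxxxxxxx", upper_case=False, override=None):
    """Return sorted, de-duplicated (username, password) pairs for the RADIUS side.

    Assumption: the username is the formatted MAC, and the password is the same
    string unless password-override replaces it.
    """
    if override is not None:
        check_override(override)
    users = {render_mac(m, fmt, upper_case) for m in macs}
    return [(u, override if override is not None else u) for u in sorted(users)]


if __name__ == "__main__":
    # Constructed inventory with mixed notations and one duplicate device.
    inventory = ["00:1B:44:11:3A:B7", "001b.4411.3ab7", "a4-5e-60-c2-9f-01"]
    for user, pw in radius_credentials(inventory, "xx-xx-xx-xx-xx-xx", True):
        print(user, pw)
```

Run it against the device inventory before changing password-format on the switch; an entry stored in the old format stops matching as soon as the new format takes effect.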