mac-auth

Profile Config Commands

Enables authentication of a client's MAC address on wired ports. When configured on a profile, MAC authentication is enabled on all devices using that profile.

To enable MAC address authentication on a single device, enter the device's configuration mode and execute the mac-auth command.

When enabled, the source MAC address of a device connected to the specified wired port is authenticated against the RADIUS server. Once authenticated, the device is permitted access to the managed network and packets from the authenticated source are processed. If authentication fails, the device is either denied access or provided guest access through the guest VLAN (provided a guest VLAN is configured on the port).

Enabling MAC authentication requires you to first configure an AAA policy specifying the RADIUS server, and to configure the client's MAC address as a user on that RADIUS server. Attach the AAA policy to a profile or a device, then enable MAC authentication on the desired wired port of the device or profile.

Only one MAC address is supported per wired port. Consequently, once one source MAC address is authenticated, packets from all other sources on that port are dropped. Because the credential is the MAC address itself, which any host can set, MAC authentication authorizes an address rather than a device; reserve it for clients that cannot run an 802.1X supplicant and limit what the authenticated address can reach (for example, through the VLAN assigned by its RADIUS group).

To enable client MAC authentication on a wired port:

  1. Configure the user on the RADIUS server. The following commands create a RADIUS server user entry.

    a. Create a RADIUS group and the VLAN its users are assigned to:

    <DEVICE>(config)#radius-group <RAD-GROUP-NAME>

    <DEVICE>(config-radius-group-<RAD-GROUP-NAME>)#policy vlan <VLAN-ID>

    b. Create a user pool and add the client as a user of the group created in step a:

    <DEVICE>(config)#radius-user-pool-policy <RAD-USER-POOL-NAME>

    <DEVICE>(config-radius-user-pool-<RAD-USER-POOL-NAME>)#user <USER-NAME> password <PASSWORD> group <RAD-GROUP-OF-STEP-A>

    Note: The <USER-NAME> and <PASSWORD> should both be the client's MAC address. This address is matched against the source MAC address of incoming traffic at the specified wired port.

    c. Create a RADIUS server policy that uses the user pool created in step b:

    <DEVICE>(config)#radius-server-policy <RAD-SERVER-POL-NAME>

    <DEVICE>(config-radius-server-policy-<RAD-SERVER-POL-NAME>)#use radius-user-pool-policy <RAD-USER-POOL-OF-STEP-B>
  2. Configure an AAA policy exclusively for wired MAC authentication and specify the authentication (RADIUS) server settings. The following example creates an AAA policy 'macauth', enters its configuration mode and specifies the RADIUS server:

    <DEVICE>(config)#aaa-policy macauth
    <DEVICE>(config-aaa-policy-macauth)#authentication server <1-6> [host <IP>|onboard]
  3. Attach the AAA policy to the device or profile. When attached to a profile, the AAA policy is applied to all devices using that profile.
    <DEVICE>(config-device-aa-bb-cc-dd-ee-ff)#mac-auth use aaa-policy macauth
    <DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#mac-auth use aaa-policy macauth
  4. Enable mac-auth on the desired GE port of the device or profile. When enabled on a profile, MAC address authentication is enabled on the specified GE port of all devices using that profile.
    <DEVICE>(config-device-aa-bb-cc-dd-ee-ff)#interface ge x
    <DEVICE>(config-device-aa-bb-cc-dd-ee-ff-if-gex)#mac-auth

    <DEVICE>(config-profile-<PROFILE-NAME>)#interface ge x
    <DEVICE>(config-profile-<PROFILE-NAME>-if-gex)#mac-auth
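The RADIUS exchange behind steps 1 to 4, as an added example (Python, not WiNG code) that lets you check the user entry on the RADIUS server before a client is plugged into the port: it builds the Access-Request a port would send for a given client MAC, hides the User-Password the way RFC 2865 requires, and verifies the Response Authenticator on the reply so a spoofed Access-Accept is not mistaken for success. It assumes a PAP-style request with User-Name and User-Password both set to the MAC (as the note in step 1 describes) and the common MAC-auth convention of Service-Type Call-Check and NAS-Port-Type Ethernet; the device's actual attribute set is not given on this page, and the server address, shared secret and NAS IP passed to probe() are placeholders.

```python
"""RADIUS side of wired MAC authentication: the Access-Request a port sends for a
client MAC, and the check on the server's reply. Added example, not WiNG code.
Assumes a PAP-style request with User-Name and User-Password both set to the MAC
(step 1 note), RFC 2865 attribute numbers, and the usual MAC-auth convention of
Service-Type=Call-Check and NAS-Port-Type=Ethernet (not stated on the page)."""
import hashlib
import hmac
import os
import re
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
CALLING_STATION_ID, NAS_PORT_TYPE = 31, 61
SERVICE_TYPE_CALL_CHECK, NAS_PORT_TYPE_ETHERNET = 10, 15   # assumed MAC-auth markers

def normalize_mac(mac: str) -> str:
    """Render a MAC in the hyphenated upper-case form the page's user entry uses."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def encrypt_pap_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to 16n, XOR each block with MD5(secret || previous block)."""
    if len(password) > 128:
        raise ValueError("password exceeds 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decrypt_pap_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of encrypt_pap_password (what the RADIUS server does on receipt)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(type_: int, value: bytes) -> bytes:
    return struct.pack("!BB", type_, len(value) + 2) + value   # value <= 253 bytes

def build_access_request(secret: bytes, identifier: int, mac: str, nas_ip: str,
                         authenticator: bytes = b"") -> tuple:
    """Return (packet, request_authenticator); the authenticator is random unless given."""
    mac = normalize_mac(mac)
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, mac.encode())
             + _attr(USER_PASSWORD, encrypt_pap_password(secret, authenticator, mac.encode()))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + _attr(CALLING_STATION_ID, mac.encode())
             + _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(secret: bytes, code: int, identifier: int,
                   request_authenticator: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def parse_packet(packet: bytes) -> tuple:
    """Split a packet into (code, identifier, authenticator, {attr type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + l]   # last copy wins if a type repeats
        pos += l
    return code, identifier, packet[4:20], attrs

def verify_response(secret: bytes, request_authenticator: bytes, response: bytes) -> bool:
    """Accept the reply only if its authenticator was computed with the shared secret."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def probe(server: str, secret: bytes, mac: str, nas_ip: str, port: int = 1812,
          timeout: float = 3.0) -> str:
    """Send one request over UDP and classify the reply; all arguments are placeholders."""
    pkt, ra = build_access_request(secret, os.urandom(1)[0], mac, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, port))
        reply, _ = sock.recvfrom(4096)
    if not verify_response(secret, ra, reply) or reply[1] != pkt[1]:
        return "forged"   # wrong secret, replayed or unsolicited reply
    code = parse_packet(reply)[0]
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, f"code-{code}")
```

Call probe('<RADIUS-IP>', b'<SHARED-SECRET>', '00-16-41-55-F8-5D', '<NAS-IP>') against the onboard or external server: 'accept' confirms the user entry from step 1, 'reject' usually means the stored User-Name or password format differs from the hyphenated MAC, and 'forged' means the reply was not signed with the shared secret you supplied. Note that the shared secret is the only secret in the exchange; the client MAC serves as both username and password and is visible to anyone on the segment.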

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

mac-auth use aaa-policy <AAA-POLICY-NAME>

Parameters

mac-auth use aaa-policy <AAA-POLICY-NAME>
mac-auth Enables RADIUS-based authentication of client MAC addresses on the wired ports of this profile. Use the device configuration mode to enable this feature on a single device.
use aaa-policy <AAA-POLICY-NAME> Associates an existing AAA policy with this profile (or device)

<AAA-POLICY-NAME> – Specify the AAA policy name.

The AAA policy used should be created specifically for MAC authentication.

Example

The following examples demonstrate the configuration of MAC address authentication on wired ports:

rfs4000-229D58(config-aaa-policy-mac-auth)#authentication server 1 onboard controller

rfs4000-229D58(config-aaa-policy-mac-auth)#show context
aaa-policy mac-auth
 authentication server 1 onboard controller
rfs4000-229D58(config-aaa-policy-mac-auth)#

rfs4000-229D58(config)#radius-group RG
rfs4000-229D58(config-radius-group-RG)#policy vlan 11

rfs4000-229D58(config-radius-group-RG)#show context
radius-group RG
 policy vlan 11
rfs4000-229D58(config-radius-group-RG)#

rfs4000-229D58(config)#radius-user-pool-policy RUG
rfs4000-229D58(config-radius-user-pool-RUG)#user 00-16-41-55-F8-5D password 0 00-16-41-55-F8-5D group RG

rfs4000-229D58(config-radius-user-pool-RUG)#show context
radius-user-pool-policy RUG
 user 00-16-41-55-F8-5D password 0 00-16-41-55-F8-5D group RG
rfs4000-229D58(config-radius-user-pool-RUG)#

rfs4000-229D58(config)#radius-server-policy RS
rfs4000-229D58(config-radius-server-policy-RS)#use radius-user-pool-policy RUG

rfs4000-229D58(config-radius-server-policy-RS)#show context
radius-server-policy RS
 use radius-user-pool-policy RUG
rfs4000-229D58(config-radius-server-policy-RS)#

rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge4)#show context
 interface ge4
  dot1x authenticator host-mode single-host
  dot1x authenticator port-control auto
  mac-auth
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge4)#

rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#show context
 interface ge5
  switchport mode access
  switchport access vlan 1
  dot1x authenticator host-mode single-host
  dot1x authenticator guest-vlan 5
  dot1x authenticator port-control auto
  mac-auth
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#

rfs4000-229D58(config-device-00-23-68-22-9D-58)#show macauth interface ge 4
Mac Auth info for interface GE4
-----------------------------------
 Mac Auth Enabled
 Mac Auth Authorized Client MAC 00-16-41-55-F8-5D

rfs4000-229D58(config-device-00-23-68-22-9D-58)#

rfs4000-229D58(config-device-00-23-68-22-9D-58)#show macauth interface ge 5
Mac Auth info for interface GE5
-----------------------------------
 Mac Auth Enabled
 Mac Auth Not Authorized

rfs4000-229D58(config-device-00-23-68-22-9D-58)#

Related Commands

no Disables MAC address authentication on the wired ports of this profile (or device)