Enables authentication of a client's MAC address on wired ports. When configured on a profile, MAC authentication is enabled on all devices using that profile.

To enable MAC address authentication on a single device, enter the device's configuration mode and execute the mac-auth command.

When enabled, the source MAC address of a device connected to the specified wired port is authenticated against the RADIUS server. Once authenticated, the device is permitted access to the managed network and packets from the authenticated source are processed. If authentication fails, the device is either denied access or given guest access through the guest VLAN (provided a guest VLAN is configured on the port).

Enabling MAC authentication requires you to first configure an AAA policy specifying the RADIUS server, and to configure the client's MAC address as a user on that RADIUS server. Then attach the AAA policy to a profile or a device. Finally, enable MAC authentication on the desired wired port of the device or device profile.

Only one MAC address is supported per wired port. Consequently, once one source MAC address has been authenticated on a port, packets from all other sources on that port are dropped.
To enable client MAC authentication on a wired port:

a. Create a RADIUS group and set the VLAN assigned to clients that authenticate through it:

```
<DEVICE>(config)#radius-group <RAD-GROUP-NAME>
<DEVICE>(config-radius-group-<RAD-GROUP-NAME>)#policy vlan <VLAN-ID>
```

b. Create a RADIUS user pool and add the client as a user in the group created in step a:

```
<DEVICE>(config)#radius-user-pool-policy <RAD-USER-POOL-NAME>
<DEVICE>(config-radius-user-pool-<RAD-USER-POOL-NAME>)#user <USER-NAME> password <PASSWORD> group <RAD-GROUP-OF-STEP-A>
```

Note: Both <USER-NAME> and <PASSWORD> should be the client's MAC address. This address is matched against the source MAC address of incoming traffic at the specified wired port.

c. Create a RADIUS server policy that uses the user pool created in step b:

```
<DEVICE>(config)#radius-server-policy <RAD-SERVER-POL-NAME>
<DEVICE>(config-radius-server-policy-<RAD-SERVER-POL-NAME>)#use radius-user-pool-policy <RAD-USER-POOL-OF-STEP-B>
```

d. Create an AAA policy for MAC authentication and specify the RADIUS server details:

```
<DEVICE-A>(config)#aaa-policy macauth
<DEVICE-A>(config-aaa-policy-macauth)#authentication server <1-6> [host <IP>|onboard]
```

e. Attach the AAA policy to the device, or to the device's profile:

```
<DEVICE>(config-device-aa-bb-cc-dd-ee)#mac-auth use aaa-policy macauth
```

or

```
<DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#mac-auth use aaa-policy macauth
```

f. Enable MAC authentication on the wired port, on the device or on the profile:

```
<DEVICE>(config-device-aa-bb-cc-dd-ee)#interface ge x
<DEVICE>(config-device-aa-bb-cc-dd-ee-gex)#mac-auth
```

or

```
<DEVICE>(config-profile-<PROFILE-NAME>)#interface ge x
<DEVICE>(config-profile-<PROFILE-NAME>)#mac-auth
```
mac-auth use aaa-policy <AAA-POLICY-NAME>

| Parameter | Description |
|---|---|
| mac-auth | Enables 802.1X authentication of MAC addresses on this profile. Use the device configuration mode to enable this feature on a device. |
| use aaa-policy <AAA-POLICY-NAME> | Associates an existing AAA policy with this profile (or device). <AAA-POLICY-NAME>: specify the AAA policy name. The AAA policy used should be created specifically for MAC authentication. |
The following example demonstrates configuring MAC address authentication on wired ports:
```
nx9500-6C8809(config-aaa-policy-mac-auth)#authentication server 1 onboard controller
nx9500-6C8809(config-aaa-policy-mac-auth)#show context
aaa-policy mac-auth
 authentication server 1 onboard controller
nx9500-6C8809(config-aaa-policy-mac-auth)#

nx9500-6C8809(config)#radius-group RG
nx9500-6C8809(config-radius-group-RG)#policy vlan 11
nx9500-6C8809(config-radius-group-RG)#show context
radius-group RG
 policy vlan 11
nx9500-6C8809(config-radius-group-RG)#

nx9500-6C8809(config)#radius-user-pool-policy RUG
nx9500-6C8809(config-radius-user-pool-RUG)#user 00-16-41-55-F8-5D password 0 00-16-41-55-F8-5D group RG
nx9500-6C8809(config-radius-user-pool-RUG)#show context
radius-user-pool-policy RUG
 user 00-16-41-55-F8-5D password 0 00-16-41-55-F8-5D group RG
nx9500-6C8809(config-radius-user-pool-RUG)#

nx9500-6C8809(config)#radius-server-policy RS
nx9500-6C8809(config-radius-server-policy-RS)#use radius-user-pool-policy RUG
nx9500-6C8809(config-radius-server-policy-RS)#show context
radius-server-policy RS
 use radius-user-pool-policy RUG
nx9500-6C8809(config-radius-server-policy-RS)#

nx9500-6C8809(config-device-00-23-68-22-9D-58-if-ge4)#show context
interface ge4
 dot1x authenticator host-mode single-host
 dot1x authenticator port-control auto
 mac-auth
nx9500-6C8809(config-device-00-23-68-22-9D-58-if-ge4)#

nx9500-6C8809(config-device-00-23-68-22-9D-58-if-ge5)#show context
interface ge5
 switchport mode access
 switchport access vlan 1
 dot1x authenticator host-mode single-host
 dot1x authenticator guest-vlan 5
 dot1x authenticator port-control auto
 mac-auth
nx9500-6C8809(config-device-00-23-68-22-9D-58-if-ge5)#

nx9500-6C8809(config-device-00-23-68-22-9D-58)#show macauth interface ge 4
Mac Auth info for interface GE4
-----------------------------------
 Mac Auth Enabled
 Mac Auth Authorized
 Client MAC 00-16-41-55-F8-5D
nx9500-6C8809(config-device-00-23-68-22-9D-58)#

nx9500-6C8809(config-device-00-23-68-22-9D-58)#show macauth interface ge 5
Mac Auth info for interface GE5
-----------------------------------
 Mac Auth Enabled
 Mac Auth Not Authorized
nx9500-6C8809(config-device-00-23-68-22-9D-58)#
```
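The procedure above repeats one pattern per client (user name and password both set to the MAC address) and ends with a per-port `show macauth` check. The following script, an added example that is not vendor code and not part of this reference, covers both ends of that workflow: it generates the `radius-user-pool-policy` block for a list of client MACs given in any common notation, and it parses `show macauth interface` listings (the two from the example session above are embedded as sample input) to flag ports where MAC authentication is off, no client is authorized, or the authorized MAC is not on the intended list. It assumes the dash-separated upper-case MAC form shown on this page, and the string `Mac Auth Disabled` is an assumed counterpart of `Mac Auth Enabled` that does not appear in the page's output.

```python
"""Helpers for the MAC-authentication workflow described on this page.

Added example (not vendor code). Assumptions:
  - the onboard RADIUS user pool stores each client as user name == password
    == MAC address, written as dash-separated upper-case octets
    (the form shown in the page's example, e.g. 00-16-41-55-F8-5D);
  - 'show macauth interface ge <n>' output has the line layout shown on the
    page; "Mac Auth Disabled" is an assumed counterpart of "Mac Auth Enabled"
    and does not appear on the page.
"""
import re


def normalize_mac(mac: str) -> str:
    """Accept 00:16:41:55:f8:5d, 0016.4155.F85D or 00-16-41-55-F8-5D and
    return the dash-separated upper-case form used in the user pool."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def user_pool_commands(pool: str, group: str, macs) -> list:
    """Build the radius-user-pool-policy block for a list of client MACs.

    Each client becomes 'user <MAC> password 0 <MAC> group <group>', the
    form used in the page's example (user name and password are both the
    MAC). Duplicates in any notation collapse to one entry."""
    lines = [f"radius-user-pool-policy {pool}"]
    seen = set()
    for mac in macs:
        n = normalize_mac(mac)
        if n in seen:
            continue
        seen.add(n)
        lines.append(f" user {n} password 0 {n} group {group}")
    return lines


def parse_show_macauth(output: str) -> dict:
    """Parse one 'show macauth interface' listing into a dict."""
    info = {"interface": None, "enabled": False, "authorized": False,
            "client_mac": None}
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"Mac Auth info for interface (\S+)", line)
        if m:
            info["interface"] = m.group(1)
        elif line in ("Mac Auth Enabled", "Mac Auth Disabled"):
            info["enabled"] = line.endswith(" Enabled")
        elif line == "Mac Auth Authorized":
            info["authorized"] = True
        elif line == "Mac Auth Not Authorized":
            info["authorized"] = False
        else:
            m = re.match(r"Client MAC (\S+)", line)
            if m:
                info["client_mac"] = normalize_mac(m.group(1))
    return info


def audit_ports(outputs, intended_macs) -> list:
    """Compare live port state against the intended client list.

    Returns human-readable findings: ports where MAC auth is off, ports
    with no authorized client, and ports whose authorized MAC is not one
    we intended to admit (configuration drift worth investigating)."""
    intended = {normalize_mac(m) for m in intended_macs}
    findings = []
    for out in outputs:
        p = parse_show_macauth(out)
        if not p["enabled"]:
            findings.append(f"{p['interface']}: MAC auth disabled")
        elif not p["authorized"]:
            findings.append(f"{p['interface']}: no authorized client "
                            "(traffic dropped, or guest VLAN if configured)")
        elif p["client_mac"] not in intended:
            findings.append(f"{p['interface']}: authorized MAC "
                            f"{p['client_mac']} not in intended list")
    return findings


# Sample 'show macauth' listings, copied from the page's example session.
SHOW_GE4 = """\
Mac Auth info for interface GE4
-----------------------------------
 Mac Auth Enabled
 Mac Auth Authorized
 Client MAC 00-16-41-55-F8-5D
"""
SHOW_GE5 = """\
Mac Auth info for interface GE5
-----------------------------------
 Mac Auth Enabled
 Mac Auth Not Authorized
"""

if __name__ == "__main__":
    print("\n".join(user_pool_commands("RUG", "RG", ["00:16:41:55:f8:5d"])))
    for finding in audit_ports([SHOW_GE4, SHOW_GE5], ["00-16-41-55-F8-5D"]):
        print(finding)
```

Run against the page's own session, the audit reports only ge5, which has MAC auth enabled but no authorized client; with `dot1x authenticator guest-vlan 5` on that port, an unauthenticated client lands in the guest VLAN rather than being dropped, as the overview above describes. Because each port accepts exactly one MAC, a port whose authorized MAC is not on the intended list is the condition worth alerting on.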
| Parameter | Description |
|---|---|
| no | Disables MAC address authentication on wired ports for this profile (or device). |