Day One Tips

Using MAC Authentication / MAC Bypass for non-dot1x devices

‎11-13-2010 05:47 AM

You have enabled dot1x on your EX switches, and dot1x users are able to connect after successful authentication by the RADIUS server.

What about non-dot1x devices (like a printer)? You have 3 choices:

1- Disable dot1x on the switch ports that will have non-dot1x devices connected to them (the disadvantage is that you must leave some ports without dot1x, and any user could connect a PC to one of them).

2- Use the "mac-radius" option, which tells the switch to try dot1x with the connected device and, if that does not work, to try MAC authentication (you need a MAC authentication database on your RADIUS server).

3- Configure static MAC bypass on the switch port: the MAC address of the host is first checked in a local database (a user-configured list of MAC addresses). If a match is found, the host is assumed to be successfully authenticated and the interface is opened up for it. No further authentication is done for that host. If a match is not found and 802.1X authentication is enabled on the switch, the switch attempts to authenticate the host through the RADIUS server.


Example :

root@EX#set protocols dot1x authenticator interface ge-0/0/0.0

This enables dot1x on ge-0/0/0.

root@EX#set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius

This enables dot1x on ge-0/0/1, but when a device is connected to this port, the switch tries dot1x first and, if it gets no response, tries MAC authentication.

root@EX#set protocols dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]

This configures static MAC bypass.

 

Complete dot1x Configuration :

root@EX#set protocols dot1x authenticator interface all supplicant multiple

root@EX#set protocols dot1x authenticator authentication-profile-name Test

root@EX#set protocols dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]

root@EX#set protocols dot1x authenticator interface ge-0/0/0.0

root@EX#set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius

root@Ex#set access radius-server 10.1.1.1 secret XXXX

root@EX#set access profile Test authentication-order radius

root@Ex#set access profile Test radius authentication-server 10.1.1.1
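
The order of checks described above (static list first, then dot1x, then MAC authentication on mac-radius ports), modelled in Python against the post's own set commands. This is an added example, not part of the original post and not Juniper code; it is a simplified model of the behaviour the post describes. The function names, the radius_macs parameter and the port ge-0/0/2.0 used in testing are assumptions.

```python
import re

# The dot1x lines from the post's complete configuration (prompt stripped).
CONFIG = """
set protocols dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
set protocols dot1x authenticator interface ge-0/0/0.0
set protocols dot1x authenticator interface ge-0/0/1.0 mac-radius
"""

def parse(config):
    """Return (static_macs, ports); ports maps interface -> mac-radius flag."""
    static, ports = set(), {}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"set protocols dot1x authenticator static \[(.*)\]", line)
        if m:
            static.update(mac.lower() for mac in m.group(1).split())
            continue
        m = re.match(r"set protocols dot1x authenticator interface (\S+)(.*)", line)
        if m and m.group(1) != "all":
            flag = "mac-radius" in m.group(2).split()
            ports[m.group(1)] = ports.get(m.group(1), False) or flag
    return static, ports

def decide(port, mac, speaks_dot1x, dot1x_ok=False, radius_macs=(), config=CONFIG):
    """Name the method that opens the port for this device, or 'denied'."""
    static, ports = parse(config)
    mac = mac.lower()
    if port not in ports:
        return "open (dot1x not enabled)"   # choice 1: port left without dot1x
    if mac in static:
        return "static-bypass"              # choice 3: local list, checked first
    if speaks_dot1x:
        return "dot1x" if dot1x_ok else "denied"
    # No dot1x response: only a mac-radius port falls back to MAC authentication,
    # and only if the RADIUS server (radius_macs, assumed) knows the address.
    if ports[port] and mac in {m.lower() for m in radius_macs}:
        return "mac-radius"                 # choice 2
    return "denied"
```

Because the static list in this configuration is not tied to an interface, the model accepts a listed MAC on every dot1x port, ge-0/0/0.0 and ge-0/0/1.0 alike.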