Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Static MAC Bypass of 802.1X and MAC RADIUS Authentication

 

Junos OS allows you to configure access to your LAN through 802.1X-configured interfaces without authentication, by configuring a static MAC bypass list on the EX Series switch. The static MAC bypass list, also known as the exclusion list, specifies MAC addresses that are allowed on the switch without sending a request to an authentication server. For more information, read this topic.

Configuring Static MAC Bypass of 802.1X and MAC RADIUS Authentication (CLI Procedure)

You can configure a static MAC bypass list (sometimes called the exclusion list) on the switch to specify MAC addresses of devices allowed access to the LAN without 802.1X or MAC RADIUS authentication requests to the RADIUS server.

To configure the static MAC bypass list:

  • Specify a MAC address to bypass authentication:

    [edit protocols dot1x]

    user@switch# set authenticator static 00:04:0f:fd:ac:fe
  • Configure a supplicant to bypass authentication if it is connected through a particular interface:

    [edit protocols dot1x]

    user@switch# set authenticator static 00:04:0f:fd:ac:fe interface ge-0/0/5
  • Configure a supplicant to be moved to a specific VLAN after it is authenticated:

    [edit protocols dot1x]

    user@switch# set authenticator static 00:04:0f:fd:ac:fe interface ge-0/0/5 vlan-assignment default-vlan

Example: Configuring Static MAC Bypass of 802.1X and MAC RADIUS Authentication on an EX Series Switch

To allow devices to access your LAN through 802.1X-configured interfaces without authentication, you can configure a static MAC bypass list on the EX Series switch. The static MAC bypass list, also known as the exclusion list, specifies MAC addresses that are allowed on the switch without sending a request to an authentication server.

You can use static MAC bypass of authentication to allow connection for devices that are not 802.1X-enabled, such as printers. If a host's MAC address is compared and matched against the static MAC address list, the nonresponsive host is authenticated and an interface opened for it.

This example describes how to configure static MAC bypass of authentication for two printers:

Requirements

This example uses the following software and hardware components:

Note

This example also applies to QFX5100 switches.

  • Junos OS Release 9.0 or later for EX Series switches

  • One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.

Before you configure static MAC bypass of authentication, be sure you have:

Overview and Topology

To permit printers access to the LAN, add them to the static MAC bypass list. The MAC addresses on this list are permitted access without authentication from the RADIUS server.

Figure 1 shows the two printers connected to the EX4200.

Note

This figure also applies to QFX5100 switches.

Figure 1: Topology for Static MAC Bypass of Authentication Configuration
Topology for Static MAC Bypass
of Authentication Configuration

The interfaces shown in Table 1 will be configured for static MAC bypass of authentication.

Table 1: Components of the Static MAC Bypass of Authentication Configuration Topology

PropertySettings

Switch hardware

EX4200, 24 Gigabit Ethernet ports: 16 non-PoE ports and 8 PoE ports (ge-0/0/0 through ge-0/0/23)

VLAN name

default

Connections to integrated printer/fax/copier machines (no PoE required)

ge-0/0/19, MAC address 00:04:0f:fd:ac:fe

ge-0/0/20, MAC address 00:04:ae:cd:23:5f

The printer with the MAC address 00:04:0f:fd:ac:fe is connected to access interface ge-0/0/19. A second printer with the MAC address 00:04:ae:cd:23:5f is connected to access interface ge-0/0/20. Both printers will be added to the static list and bypass 802.1X authentication.

Configuration

CLI Quick Configuration

To quickly configure the static MAC bypass list, copy the following commands and paste them into the switch terminal window:

[edit]



set protocols dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]

set protocols dot1x authenticator interface all supplicant multiple

set protocols dot1x authenticator authenticaton-profile-name profile1

Step-by-Step Procedure

Configure the static MAC bypass list:

  1. Configure MAC addresses 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f as static MAC addresses:
    [edit protocols]

    user@switch# set dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]

  2. Configure the 802.1X authentication method:
    [edit protocols]

    user@switch# set dot1x authenticator interface all supplicant multiple
  3. Configure the authentication profile name (access profile name) to use for authentication:
    [edit protocols]

    user@switch# set dot1x authenticator authentication-profile-name profile1

    Note

    Access profile configuration is required only for 802.1X clients, not for static MAC clients.

Results

Display the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Static MAC Bypass of Authentication

Purpose

Verify that the MAC addresses of both printers are configured and associated with the correct interfaces.

Action

Issue the operational mode command:

Meaning

The output field MAC address shows the MAC addresses of the two printers.

The output field Interface shows that the MAC address 00:04:0f:fd:ac:fe can connect to the LAN through interface ge-0/0/19.0 and that the MAC address 00:04:ae:cd:23:5f can connect to the LAN through interface ge-0/0/20.0.