[an error occurred while processing this directive] [an error occurred while processing this directive]

Configuring MAC RADIUS Authentication (CLI Procedure)

You can permit devices that are not 802.1X-enabled LAN access by configuring MAC RADIUS authentication on the EX Series switch interfaces to which the hosts are connected.

Note: You can also allow non-802.1X-enabled devices to access the LAN by configuring their MAC address for static MAC bypass of authentication.

You can configure MAC RADIUS authentication on an interface that also allows 802.1X authentication, or you can configure either authentication method alone.

If both MAC RADIUS and 802.1X authentication are enabled on the interface, the switch first sends the host three EAPOL requests to the host. If there is no response from the host, the switch sends the host’s MAC address to the RADIUS server to check whether it is a permitted MAC address. If the MAC address is configured as permitted on the RADIUS server, the RADIUS server sends a message to the switch that the MAC address is a permitted address, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected.

If MAC RADIUS authentication is configured on the interface but 802.1X authentication is not (by using the mac-radius restrict option), the switch attempts to authenticate the MAC address with the RADIUS server without delaying by attempting 802.1X authentication first.

Before you configure MAC RADIUS authentication, be sure you have:

To configure MAC RADIUS authentication using the CLI:

  • On the switch, configure the interfaces to which the nonresponsive hosts are attached for MAC RADIUS authentication, and add the restrict qualifier for interface ge-0/0/20 to have it use only MAC RADIUS authentication:

    user@switch# set protocols dot1x authenticator interface ge-0/0/19 mac-radius
    user@switch# set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict
  • On a RADIUS authentication server, create user profiles for each nonresponsive host using the MAC address (without colons) of the nonresponsive host as the username and password (here, the MAC addresses are 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f):

    edit /etc/raddb
    vi users
    00040ffdacfe Auth-type:=Local, User-Password = "00040ffdacfe"
    0004aecd235f Auth-type:=Local, User-Password = "0004aecd235f"

    Published: 2009-07-21

    [an error occurred while processing this directive]