Static MAC Bypass of 802.1X and MAC RADIUS Authentication
Junos OS allows you to configure access to your LAN through 802.1X-configured interfaces without authentication, by configuring a static MAC bypass list on the EX Series switch. The static MAC bypass list, also known as the exclusion list, specifies MAC addresses that are allowed on the switch without sending a request to an authentication server. For more information, read this topic.
If you add a static MAC address entry to the Ethernet switching table, this has the same effect as adding a MAC address to the static MAC bypass list. For information on configuring static MAC address entries see MAC Addresses.
Configuring Static MAC Bypass of 802.1X and MAC RADIUS Authentication (CLI Procedure)
You can configure a static MAC bypass list (sometimes called the exclusion list) on the switch to specify MAC addresses of devices allowed access to the LAN without 802.1X or MAC RADIUS authentication requests to the RADIUS server.
To configure the static MAC bypass list:
Specify a MAC address to bypass authentication:
[edit protocols dot1x] user@switch# set authenticator static 00:04:0f:fd:ac:fe
Configure a supplicant to bypass authentication if it is connected through a particular interface:
[edit protocols dot1x] user@switch# set authenticator static 00:04:0f:fd:ac:fe interface ge-0/0/5
Configure a supplicant to be moved to a specific VLAN after it is authenticated:
[edit protocols dot1x] user@switch# set authenticator static 00:04:0f:fd:ac:fe interface ge-0/0/5 vlan-assignment default-vlan
See Also
Example: Configuring Static MAC Bypass of 802.1X and MAC RADIUS Authentication on an EX Series Switch
To allow devices to access your LAN through 802.1X-configured interfaces without authentication, you can configure a static MAC bypass list on the EX Series switch. The static MAC bypass list, also known as the exclusion list, specifies MAC addresses that are allowed on the switch without sending a request to an authentication server.
You can use static MAC bypass of authentication to allow connection for devices that are not 802.1X-enabled, such as printers. If a host's MAC address is compared and matched against the static MAC address list, the nonresponsive host is authenticated and an interface opened for it.
This example describes how to configure static MAC bypass of authentication for two printers:
Requirements
This example uses the following software and hardware components:
This example also applies to QFX5100 switches.
Junos OS Release 9.0 or later for EX Series switches
One EX Series switch acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
Before you configure static MAC bypass of authentication, be sure you have:
Performed basic bridging and VLAN configuration on the switch. See the documentation that describes setting up basic bridging and a VLAN for your switch. If you are using a switch that supports the Enhanced Layer 2 Software (ELS) configuration style, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch with ELS Support or Example: Setting Up Basic Bridging and a VLAN on Switches. For all other switches, see Example: Setting Up Basic Bridging and a VLAN for an EX Series Switch.
For more about ELS, see: Using the Enhanced Layer 2 Software CLI.
Specified the RADIUS server connections and configured an access profile on the switch. See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.
Overview and Topology
To permit printers access to the LAN, add them to the static MAC bypass list. The MAC addresses on this list are permitted access without authentication from the RADIUS server.
Figure 1 shows the two printers connected to the EX4200.
This figure also applies to QFX5100 switches.
The interfaces shown in Table 1 will be configured for static MAC bypass of authentication.
| Property | Settings |
|---|---|
Switch hardware |
EX4200, 24 Gigabit Ethernet ports: 16 non-PoE ports and
8 PoE ports ( |
VLAN name |
|
Connections to integrated printer/fax/copier machines (no PoE required) |
|
The printer with the MAC address 00:04:0f:fd:ac:fe is connected
to access interface ge-0/0/19. A second printer with the
MAC address 00:04:ae:cd:23:5f is connected to access interface ge-0/0/20. Both printers will be added to the static list and
bypass 802.1X authentication.
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure the static MAC bypass list, copy the following commands and paste them into the switch terminal window:
[edit] set protocols dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f] set protocols dot1x authenticator interface all supplicant multiple set protocols dot1x authenticator authenticaton-profile-name profile1
Step-by-Step Procedure
Configure the static MAC bypass list:
Configure MAC addresses
00:04:0f:fd:ac:feand00:04:ae:cd:23:5fas static MAC addresses:[edit protocols] user@switch# set dot1x authenticator static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
Configure the 802.1X authentication method:
[edit protocols] user@switch# set dot1x authenticator interface all supplicant multiple
Configure the authentication profile name (access profile name) to use for authentication:
[edit protocols] user@switch# set dot1x authenticator authentication-profile-name profile1
Note:Access profile configuration is required only for 802.1X clients, not for static MAC clients.
Results
Display the results of the configuration:
user@switch> show
interfaces {
ge-0/0/19 {
unit 0 {
family ethernet-switching {
vlan members default;
}
}
}
ge-0/0/20 {
unit 0 {
family ethernet-switching {
vlan members default;
}
}
}
}
protocols {
dot1x {
authenticator {
authentication-profile-name profile1
static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f];
interface {
all {
supplicant multiple;
}
}
}
}
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Static MAC Bypass of Authentication
Purpose
Verify that the MAC addresses of both printers are configured and associated with the correct interfaces.
Action
Issue the operational mode command:
user@switch> show dot1x static-mac-address MAC address VLAN-Assignment Interface 00:04:0f:fd:ac:fe default ge-0/0/19.0 00:04:ae:cd:23:5f default ge-0/0/20.0
Meaning
The output field MAC address shows the MAC addresses of the two printers.
The output field Interface shows
that the MAC address 00:04:0f:fd:ac:fe can connect to the LAN through interface ge-0/0/19.0 and that the MAC address 00:04:ae:cd:23:5f can connect to the LAN through interface ge-0/0/20.0.