The static MAC list provides an authentication bypass mechanism for clients connecting to an 802.1x-enabled port. The MAC address of the client is checked against the local database; if a match is found, the client is treated as successfully authenticated and the port is opened for it, with no further authentication required. If no match is found, 802.1x authentication is initiated. The VLAN to which the client should be moved, and the interfaces on which the MAC address is allowed, can be configured. This lets devices such as printers, which do not support 802.1x, be connected to 802.1x-enabled ports.
Below is a configuration example for setting up a MAC static list to bypass 802.1x authentication.
Desired goal: when the device with MAC 00:0a:0b:0c:0d:0e is connected to port ge-0/0/10, the device bypasses 802.1x authentication and port ge-0/0/10 is assigned to VLAN 'support'.
Known Considerations:
- The EX-series Ethernet switch is installed and initial configuration has been performed.
- VLAN 'support' has been created.
- 802.1x authentication will be enabled on interfaces ge-0/0/10.0, ge-0/0/11.0 and ge-0/0/12.0.
- The device with MAC 00:0a:0b:0c:0d:0e will be connected to interface ge-0/0/10.
- ge-0/0/10.0 is currently provisioned in VLAN 'default'.
Configuration:
- Enable 802.1x authentication on interfaces ge-0/0/10.0, ge-0/0/11.0 and ge-0/0/12.0:
user@switch# set protocols dot1x authenticator interface ge-0/0/10.0
user@switch# set protocols dot1x authenticator interface ge-0/0/11.0
user@switch# set protocols dot1x authenticator interface ge-0/0/12.0
- Set up the MAC static list. A MAC address to VLAN assignment is created here:
user@switch# set protocols dot1x authenticator static 00:0a:0b:0c:0d:0e vlan-assignment support
user@switch# commit
This completes the configuration.
NOTE: In the example above, the MAC 00:0a:0b:0c:0d:0e is allowed on any interface on the switch. When the device with MAC 00:0a:0b:0c:0d:0e is connected to any interface on the switch and initiates traffic, it bypasses 802.1x authentication and the interface is assigned to the configured VLAN, provided that 802.1x is enabled on that interface.
NOTE: It is possible to restrict the interfaces on which MAC 00:0a:0b:0c:0d:0e is allowed. This is done in the following manner:
user@switch# set protocols dot1x authenticator static 00:0a:0b:0c:0d:0e vlan-assignment support interface ge-0/0/10.0
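The two forms above differ in scope: without the interface keyword, the entry admits the MAC on every 802.1x-enabled port, and the bypass is keyed only on the MAC the client presents. As an added example (not from the original article), the following Python script parses Junos set-format configuration lines and reports static entries that carry no interface restriction, or that are pinned to an interface on which no dot1x authenticator is configured. The sample configuration, the extra MACs and ge-0/0/20.0 are constructed for this example.

```python
# Constructed Junos "set"-format sample mirroring the article's commands: the
# first MAC uses the article's unrestricted form, the second is pinned to a port
# across two set lines, the third is pinned to a port with no dot1x authenticator
# (the extra MACs and ge-0/0/20.0 are assumptions made for this example).
SAMPLE_CONFIG = """\
set protocols dot1x authenticator interface ge-0/0/10.0
set protocols dot1x authenticator interface ge-0/0/11.0
set protocols dot1x authenticator interface ge-0/0/12.0
set protocols dot1x authenticator static 00:0a:0b:0c:0d:0e vlan-assignment support
set protocols dot1x authenticator static 00:0a:0b:0c:0d:0f vlan-assignment support
set protocols dot1x authenticator static 00:0a:0b:0c:0d:0f interface ge-0/0/11.0
set protocols dot1x authenticator static 00:0a:0b:0c:0d:10 vlan-assignment support interface ge-0/0/20.0
"""

STATIC_PREFIX = "set protocols dot1x authenticator static "
DOT1X_IFL_PREFIX = "set protocols dot1x authenticator interface "


def parse_config(text):
    """Return (set of dot1x-enabled interfaces, {mac: {"vlan": ..., "interfaces": set()}})."""
    dot1x_ifls, entries = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(DOT1X_IFL_PREFIX):
            # First token after the prefix is the interface; ignore trailing options.
            dot1x_ifls.add(line[len(DOT1X_IFL_PREFIX):].split()[0])
        elif line.startswith(STATIC_PREFIX):
            tokens = line[len(STATIC_PREFIX):].split()
            # One MAC may be spread over several set lines; merge them by MAC.
            entry = entries.setdefault(tokens[0].lower(), {"vlan": None, "interfaces": set()})
            for key, value in zip(tokens[1::2], tokens[2::2]):  # keyword/value pairs
                if key == "vlan-assignment":
                    entry["vlan"] = value
                elif key == "interface":
                    entry["interfaces"].add(value)
    return dot1x_ifls, entries


def audit(text):
    """List static entries that are broader, or less effective, than intended."""
    dot1x_ifls, entries = parse_config(text)
    findings = []
    for mac, entry in sorted(entries.items()):
        if not entry["interfaces"]:
            findings.append(f"{mac}: no interface restriction, accepted on every dot1x port")
        for ifl in sorted(entry["interfaces"] - dot1x_ifls):
            findings.append(f"{mac}: pinned to {ifl}, which has no dot1x authenticator")
    return findings
```

Feed it the output of `show configuration protocols dot1x | display set` from a real switch to audit the live static list.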
Verification:
- Execute the following operational mode command:
user@switch> show vlans
Name Tag Interfaces
finance 400
ge-0/0/37.0
default
ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0,
ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0,
ge-0/0/8.0, ge-0/0/9.0, ge-0/0/10.0, ge-0/0/11.0,
ge-0/0/12.0, ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0,
ge-0/0/16.0, ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0,
ge-0/0/20.0, ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0,
ge-0/0/24.0, ge-0/0/25.0, ge-0/0/26.0, ge-0/0/27.0,
ge-0/0/28.0, ge-0/0/29.0, ge-0/0/30.0, ge-0/0/31.0,
ge-0/0/32.0, ge-0/0/33.0, ge-0/0/34.0, ge-0/0/35.0,
ge-0/0/39.0, ge-0/0/40.0, ge-0/0/41.0, ge-0/0/42.0,
ge-0/0/43.0, ge-0/1/0.0, ge-0/1/1.0, ge-0/1/2.0,
ge-0/1/3.0
support 200
ge-0/0/36.0*, ge-0/0/38.0*
This display shows that ge-0/0/10.0 is currently assigned to VLAN 'default'.
- Connect the device with MAC 00:0a:0b:0c:0d:0e to interface ge-0/0/10 and initiate traffic from the device.
- Execute the following operational mode command:
user@switch> show vlans
Name Tag Interfaces
finance 400
ge-0/0/37.0
default
ge-0/0/0.0, ge-0/0/1.0, ge-0/0/2.0, ge-0/0/3.0,
ge-0/0/4.0, ge-0/0/5.0, ge-0/0/6.0, ge-0/0/7.0,
ge-0/0/8.0, ge-0/0/9.0, ge-0/0/11.0, ge-0/0/12.0,
ge-0/0/13.0, ge-0/0/14.0, ge-0/0/15.0, ge-0/0/16.0,
ge-0/0/17.0, ge-0/0/18.0, ge-0/0/19.0, ge-0/0/20.0,
ge-0/0/21.0, ge-0/0/22.0, ge-0/0/23.0, ge-0/0/24.0,
ge-0/0/25.0, ge-0/0/26.0, ge-0/0/27.0, ge-0/0/28.0,
ge-0/0/29.0, ge-0/0/30.0, ge-0/0/31.0, ge-0/0/32.0,
ge-0/0/33.0, ge-0/0/34.0, ge-0/0/35.0, ge-0/0/39.0,
ge-0/0/40.0, ge-0/0/41.0, ge-0/0/42.0, ge-0/0/43.0,
ge-0/1/0.0, ge-0/1/1.0, ge-0/1/2.0, ge-0/1/3.0
support 200
ge-0/0/10.0*, ge-0/0/36.0*, ge-0/0/38.0*
This display shows that interface ge-0/0/10.0 is now assigned to VLAN 'support'. The device with MAC 00:0a:0b:0c:0d:0e has bypassed 802.1x authentication.
- Execute the following command to view the MAC Static List:
user@switch> show dot1x static-mac-address
MAC address VLAN-Assignment Interface
00:0a:0b:0c:0d:0e support