Skip to main content
Viptela is now part of Cisco.
Support
Product Documentation
Viptela Documentation

mac-authentication-bypass

vpn interface dot1x mac-authentication-bypass—Enable authentication for non-802.1X–compliant clients (on vEdge routers only). These clients are authenticated based on their MAC address.

A non-802.1X–compliant client is one that does not respond to EAP identity requests from the vEdge router.

After the 802.1X interface detects a client, it waits to receive an Ethernet packet from the client. Then the router sends a RADIUS access/request frame to the authentication server that includes a username and password based on the MAC address. If authorization succeeds, the router grants the client access to the WAN or WLAN. If authorization fails, the router assigns the interface to the guest VLAN if one is configured.

vManage Feature Template

For vEdge routers only:

Configuration ► Templates ► VPN Interface Ethernet

Command Hierarchy

vpn vpn-id
  interface interface-name
    dot1x
      mac-authentication-bypass
        allow mac-addresses
        server

Options

Enable Authentication for Non-802.1X–Compliant Hosts
mac-authentication-bypass
Turn on authentication for non-802.1X–compliant clients.
Enable Authentication for Specific Devices
allow mac-addresses
Turn on authentication for one or more devices based on their MAC address, as listed in mac-addresses, before performing an authentication check with the RADIUS server. You can configure up to eight MAC addresses for MAC authentication bypass.
Enable Authentication via a RADIUS Server
server
Authenticate non-802.1X–compliant clients using a RADIUS server. This option enables MAC authentication bypass on the RADIUS server.

Example

Enable MAC authentication bypass:

vpn 0
  interface ge0/0
    dot1x
      mac-authentication-bypass

Release Information

Command introduced in Viptela Software Release 16.3.​

Additional Information

radius

  • Was this article helpful?