Cisco ASA 5505 Configuration Manual page 715

Chapter 33 Configuring AAA Rules for Network Access
The order of entries matters, because the packet uses the first entry it matches, as opposed to a best match
scenario. If you have a permit entry, and you want to deny an address that is allowed by the permit entry,
be sure to enter the deny entry before the permit entry.
To use MAC addresses to exempt traffic from authentication and authorization, perform the following
steps:
From the Configuration > Firewall > AAA Rules pane, choose Add > Add MAC Exempt Rule.
Step 13
The Add MAC Exempt Rule dialog box appears.
From the Action drop-down list, click one of the following, depending on the implementation:
Step 14
• MAC Exempt
• No MAC Exempt
The MAC Exempt option allows traffic from the MAC address without having to authenticate or
authorize. The No MAC Exempt option specifies a MAC address that is not exempt from authentication
or authorization. You might need to add a deny entry if you permit a range of MAC addresses using a
MAC address mask such as ffff.ffff.0000, and you want to force a MAC address in that range to be
authenticated and authorized.
In the MAC Address field, specify the source MAC address in 12-digit hexadecimal form; that is,
Step 15
nnnn.nnnn.nnnn.
In the MAC Mask field, specify the portion of the MAC address that should be used for matching. For
Step 16
example, ffff.ffff.ffff matches the MAC address exactly. ffff.ffff.0000 matches only the first 8 digits.
Click OK.
Step 17
The dialog box closes and the rule appears in the AAA Rules table.
Click Apply.
Step 18
The changes are saved to the running configuration.
OL-20339-01
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
Cisco ASA 5500 Series Configuration Guide using ASDM
33-17