Using Mac Addresses To Exempt Traffic From Authentication And Authorization - Cisco 7604 Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Using MAC Addresses to Exempt Traffic from Authentication and Authorization

hostname(config)# aaa-server AuthOutbound protocol tacacs+
hostname(config-aaa-server-group)# exit
hostname(config)# aaa-server AuthOutbound (inside) host 10.1.1.1
hostname(config-aaa-server-host)# key TACPlusUauthKey
hostname(config-aaa-server-host)# exit
hostname(config)# access-list TELNET_AUTH extended permit tcp any any eq telnet
hostname(config)# access-list SERVER_AUTH extended permit tcp any host 209.165.201.5 eq telnet
hostname(config)# aaa authentication match TELNET_AUTH inside AuthOutbound
hostname(config)# aaa authorization match SERVER_AUTH inside AuthOutbound
hostname(config)# aaa accounting match SERVER_AUTH inside AuthOutbound
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
The FWSM can exempt traffic from specific MAC addresses from being authenticated or authorized.
This feature is particularly useful to exempt devices such as IP phones that cannot respond to
authentication prompts.
Note: This feature exempts the list of MAC addresses for through-the-box connections only. For connections to the FWSM itself, such as Telnet, authentication or authorization is not exempted even if the MAC address of the device is specified.
To identify MAC addresses for exemption, perform the following steps:
Step 1 To configure a MAC list, enter the following command:
hostname(config)# mac-list id {deny | permit} mac macmask
where the id argument is the hexadecimal number that you assign to the MAC list.
To exempt a MAC address, use the permit keyword. To allow a MAC address to be authenticated and authorized, use the deny keyword.
To group a set of MAC addresses, enter the mac-list command as many times as needed with the same
ID value. Because you can only use one MAC list for AAA exemption, be sure that your MAC list
includes all the MAC addresses you want to exempt. You can create multiple MAC lists, but you can only
use one at a time.
The order of entries matters, because the packet uses the first entry it matches, as opposed to a best match
scenario. If you have a permit entry, and you want to deny an address that is allowed by the permit entry,
be sure to enter the deny entry before the permit entry.
The mac argument specifies the source MAC address in 12-digit hexadecimal form; that is, nnnn.nnnn.nnnn.
The macmask argument specifies the portion of the MAC address that should be used for matching. For
example, ffff.ffff.ffff matches the MAC address exactly. ffff.ffff.0000 matches only the first 8 digits.
Step 2 To exempt traffic for the MAC addresses specified in a particular MAC list, enter the following command:
hostname(config)# aaa mac-exempt match id
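As an added example (not Cisco's code or the FWSM implementation), the following Python models the first-match evaluation of mac-list entries and the macmask comparison described above, so a MAC list can be checked offline before it is applied with aaa mac-exempt. It assumes that a source MAC matching no entry is not exempted (AAA still applies); the list ID "abc" and the MAC addresses in the sample config are constructed.

```python
"""Evaluate an FWSM-style MAC list (first match wins) against source MACs.

Added example, not Cisco's code. Models `mac-list id {deny|permit} mac macmask`.
Assumption: a MAC that matches no entry is not exempted, so AAA still applies.
"""
import re

# 12 hex digits in nnnn.nnnn.nnnn form, as required for mac and macmask
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def mac_to_int(mac: str) -> int:
    """Convert nnnn.nnnn.nnnn (any case) to an integer; reject malformed values."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC or mask: {mac}")
    return int(mac.replace(".", ""), 16)


def parse_mac_list(config: str, list_id: str) -> list:
    """Return [(action, mac, mask)] for `mac-list <list_id>` lines, in config order.

    Order is preserved because the FWSM uses the first matching entry.
    """
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "mac-list" and parts[1] == list_id:
            action, mac, mask = parts[2], parts[3], parts[4]
            if action not in ("permit", "deny"):
                raise ValueError(f"bad action: {action}")
            entries.append((action, mac_to_int(mac), mac_to_int(mask)))
    return entries


def is_exempt(entries: list, src_mac: str) -> bool:
    """First entry whose masked bits equal the source decides: permit -> exempt."""
    src = mac_to_int(src_mac)
    for action, mac, mask in entries:
        if (src & mask) == (mac & mask):
            return action == "permit"
    return False  # assumption: no match means the MAC is not exempted


# Constructed sample: deny one specific device, exempt the rest of its first 8 digits.
# The deny entry is listed first, as the text requires, so it is not shadowed.
SAMPLE_CONFIG = """\
mac-list abc deny 00aa.bbcc.ddee ffff.ffff.ffff
mac-list abc permit 00aa.bbcc.0000 ffff.ffff.0000
"""
```

Reversing the two entries in SAMPLE_CONFIG makes the permit entry match first and silently exempts the device the deny entry was meant to keep under AAA, which is the ordering pitfall the text warns about.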
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01, Chapter 17, Applying AAA for Network Access, page 17-14
