Console(config-if)#network-access mode mac-authentication
Use this command to enable the specified MAC address filter. Use the no form of
this command to disable the specified MAC address filter.
When enabled on a port, the authentication process sends a Password
Authentication Protocol (PAP) request to a configured RADIUS server. The user
name and password are both equal to the MAC address being authenticated.
On the RADIUS server, PAP user name and passwords must be configured in the
MAC address format XX-XX-XX-XX-XX-XX (all in upper case).
Authenticated MAC addresses are stored as dynamic entries in the switch
secure MAC address table and are removed when the aging time expires. The
maximum number of secure MAC addresses supported for the switch system is
Configured static MAC addresses are added to the secure address table when
seen on a switch port. Static addresses are treated as authenticated without
sending a request to a RADIUS server.
MAC authentication, 802.1X, and port security cannot be configured together
on the same port. Only one security mechanism can be applied.
MAC authentication cannot be configured on trunk ports.
When port status changes to down, all MAC addresses are cleared from the
secure MAC address table. Static VLAN assignments are not restored.
The RADIUS server may optionally return a VLAN identifier list. VLAN identifier
list is carried in the "Tunnel-Private-Group-ID" attribute. The VLAN list can
contain multiple VLAN identifiers in the format "1u,2t, " where "u" indicates
untagged VLAN and "t" tagged VLAN. The "Tunnel-Type" attribute should be
set to "VLAN, " and the "Tunnel-Medium-Type" attribute set to "802. "
network-access port-mac-filter filter-id
no network-access port-mac-filter
filter-id - Specifies a MAC address filter table. (Range: 1-64)
– 231 –
| General Security Measures
Network Access (MAC Address Authentication)