Configuring Flexible authentication on an interface

The following steps configure Flexible authentication at the interface level.

Note: Configuration at the interface level overrides related configuration at the global level. The global configuration is still applicable to other ports that do not have a per-port configuration. Refer to Configuring Flexible authentication globally for more information.
  1. Enter the configure terminal command to enter global configuration mode.
    device# configure terminal
  2. Enter the interface ethernet command to enter interface configuration mode.
    device(config)# interface ethernet 1/1/1
  3. (Optional) If required, enter the authentication auth-order mac-auth dot1x command to change the authentication sequence to MAC authentication followed by 802.1X authentication.
    device(config-if-e1000-1/1/1)# authentication auth-order mac-auth dot1x
  4. Enter the authentication auth-default-vlan command to configure the authentication default VLAN (auth-default VLAN).
    device(config-if-e1000-1/1/1)# authentication auth-default-vlan 30
  5. (Optional) Enter the authentication auth-mode command to enable the multiple untagged mode on a specific Flexible authentication-enabled port and allow it to be a member of multiple untagged VLANs.
    device(config-if-e1000-1/1/1)# authentication auth-mode multiple-untagged
  6. (Optional) Enter the authentication disable-aging permitted-mac-only or the authentication disable-aging denied-mac-only command to prevent the permitted or denied MAC sessions from being aged out from a port.
    device(config-if-e1000-1/1/1)# authentication disable-aging permitted-mac-only
  7. (Optional) Enter the authentication max-sessions command to specify the maximum limit of authenticated MAC sessions on an interface.
    device(config-if-e1000-1/1/1)# authentication max-sessions 32
  8. (Optional) Enter the authentication dos-protection command to enable Denial of Service (DoS) authentication protection on an interface.
    device(config-if-e1000-1/1/1)# authentication dos-protection mac-limit 256
    Note: You can also configure the RUCKUS ICX device to limit the rate of authentication attempts sent to the RADIUS server.
  9. (Optional) Enter the authentication source-guard-protection command to enable IP Source Guard Protection along with authentication on an interface.
    device(config-if-e1000-1/1/1)# authentication source-guard-protection enable
  10. (Optional) Enter the authentication voice-vlan command to specify the voice VLAN in which the port is added as tagged when the RADIUS server does not provide a voice VLAN and when the clients are not authenticated for various reasons, such as auth-failure and auth-timeout.
    device(config-if-e1000-1/1/1)# authentication voice-vlan 300
  11. (Optional) Enter the authentication allow-tagged command to allow tagged packet processing when the port is not tagged. This may be the case when multiple VMs are connected to the port and need to be authenticated with MAC authentication, where automatic tagging of the port helps. This option is disabled by default.
    device(config-if-e1000-1/1/1)# authentication allow-tagged
  12. (Optional) Enter the authentication auth-filter command to apply the specified MAC filter on the interface so that the MAC addresses defined in the filter need not go through authentication.
    device(config-if-e1000-1/1/1)# authentication auth-filter 2 4
    The source MAC addresses defined using the mac-filter command are considered pre-authenticated and are not subject to authentication. A client can be authenticated in an untagged VLAN or tagged VLAN using the MAC address filter. If the authentication filter has a tagged VLAN configuration, the clients are authenticated in the auth-default VLAN and the tagged VLAN provided in the auth-filter. The clients authorized in the auth-default VLAN allow both untagged and tagged traffic. The auth-filter is defined using the mac-filter command.
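
The following Python script is an added example, not part of the RUCKUS documentation. It audits a saved configuration for the per-interface settings from the steps above, reporting ports that lack the session-limit and protection options and ports that use options that relax authentication, such as auth-filter. The stanza layout of the saved configuration, the EXPECTED and REVIEW policy lists, and the function names are assumptions of this example.

```python
import re

# Policy assumption of this example: options a reviewer expects on an authenticating port.
EXPECTED = ("auth-default-vlan", "max-sessions", "dos-protection", "source-guard-protection")
# Options from the steps above that relax enforcement and should have a recorded reason.
REVIEW = ("auth-filter", "allow-tagged", "disable-aging")

# Constructed sample; the stanza layout (indented lines, "!" separator) is assumed.
SAMPLE = """\
interface ethernet 1/1/1
 authentication auth-order mac-auth dot1x
 authentication auth-default-vlan 30
 authentication max-sessions 32
 authentication dos-protection mac-limit 256
 authentication source-guard-protection enable
!
interface ethernet 1/1/2
 authentication auth-default-vlan 30
 authentication disable-aging permitted-mac-only
 authentication allow-tagged
 authentication auth-filter 2 4
!
"""

def parse_interfaces(config_text):
    """Return {port: {option: arguments}} for 'authentication ...' lines per interface."""
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface ethernet (\S+)$", line)
        if m:
            current = ports.setdefault(m.group(1), {})
        elif line == "!" or not raw.startswith((" ", "\t")):
            current = None  # stanza ended
        elif current is not None and line.startswith("authentication "):
            _, option, *args = line.split()
            current[option] = " ".join(args)
    return ports

def audit(config_text):
    """Return {port: [findings]} for ports with any per-port authentication setting."""
    report = {}
    for port, opts in parse_interfaces(config_text).items():
        if not opts:
            continue  # no per-port authentication configuration on this interface
        findings = [f"not set at interface level: {o}" for o in EXPECTED if o not in opts]
        findings += [f"review {o} {opts[o]}".strip() for o in REVIEW if o in opts]
        report[port] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit(SAMPLE).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

An option reported as not set at interface level may still be covered by the global configuration, so check the finding against the global settings before treating it as a gap.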