Enabling MAC authentication

The following steps enable MAC authentication and include certain Flexible authentication configurations specific to MAC authentication.

  1. Enter the configure terminal command to enter global configuration mode.
    device# configure terminal
  2. Enter the authentication command to enter authentication mode.
    device(config)# authentication
  3. Enter the mac-authentication enable command to enable MAC authentication.
    device(config-authen)# mac-authentication enable
  4. Enter the mac-authentication enable { all | ethernet stack/slot/port } command to enable MAC authentication on all interfaces or a specific interface.
    device(config-authen)# mac-authentication enable all
  5. (Optional) Enter the mac-authentication password-format command to configure the format in which the MAC address is sent to the RADIUS server for authentication.
    By default, the MAC address is sent to the RADIUS server in the xxxxxxxxxxxx format in lowercase. As an option, you can change the address to uppercase. You can specify one of the following formats:
    • xx-xx-xx-xx-xx-xx
    • xx:xx:xx:xx:xx:xx
    • xxxx.xxxx.xxxx
    • xxxxxxxxxxxx
    device(config-authen)# mac-authentication password-format xx-xx-xx-xx-xx-xx upper-case
  6. (Optional) Enter the mac-authentication password-override command to specify a user-defined password instead of the MAC address for MAC authentication.
    Note: The password can contain up to 32 alphanumeric characters but must not include blank spaces.
    device(config-authen)# mac-authentication password-override ts54fs
  7. (Optional) Enter the mac-authentication dot1x-disable command to configure the device not to perform 802.1X authentication after MAC authentication when MAC authentication succeeds for the client. This is enabled by default, unless overruled by the RADIUS server through a dot1x-enable attribute.
    Note: This command is applicable only when the authentication sequence is configured as MAC authentication followed by 802.1X authentication.
    device(config-authen)# mac-authentication dot1x-disable
  8. (Optional) Enter the mac-authentication dot1x-override command to configure the device to perform 802.1X authentication after MAC authentication, if MAC authentication fails for the client.
    Note: This command is applicable only when the authentication sequence is configured as MAC authentication followed by 802.1X authentication.
    device(config-authen)# mac-authentication dot1x-override
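
The RADIUS server only accepts a client if its stored entry matches the string the device sends, so the format chosen in step 5 and any override from step 6 must be mirrored on the server. The following Python helper is an added example, not part of the original procedure or the vendor's tooling; it renders inventory MAC addresses in the four listed formats and checks an override password against the step 6 note. The function names, the sample inventory, and the assumption that the formatted MAC serves as both user name and password unless overridden are illustrative.

```python
import re

# CLI keyword from step 5 -> (hex digits per group, separator)
FORMATS = {
    "xxxxxxxxxxxx": (12, ""),
    "xx-xx-xx-xx-xx-xx": (2, "-"),
    "xx:xx:xx:xx:xx:xx": (2, ":"),
    "xxxx.xxxx.xxxx": (4, "."),
}

def format_mac(raw, fmt="xxxxxxxxxxxx", upper=False):
    """Render an inventory MAC in a step 5 format (default: lowercase, no separators)."""
    if fmt not in FORMATS:
        raise ValueError(f"unknown password-format: {fmt!r}")
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    size, sep = FORMATS[fmt]
    out = sep.join(digits[i:i + size] for i in range(0, 12, size))
    return out.upper() if upper else out

def valid_override(password):
    """Step 6 note: up to 32 alphanumeric characters, no blank spaces."""
    return re.fullmatch(r"[A-Za-z0-9]{1,32}", password) is not None

def radius_entry(raw, fmt="xxxxxxxxxxxx", upper=False, override=None):
    """(user name, password) to provision. Assumption: both carry the
    formatted MAC unless password-override replaces the password."""
    user = format_mac(raw, fmt, upper)
    if override is None:
        return user, user
    if not valid_override(override):
        raise ValueError("password-override must be 1-32 alphanumeric characters")
    return user, override

def build_entries(inventory, **opts):
    """Split an inventory into provisionable entries and rejected rows."""
    entries, rejected = [], []
    for raw in inventory:
        try:
            entries.append(radius_entry(raw, **opts))
        except ValueError:
            rejected.append(raw)
    return entries, rejected

# Constructed sample inventory; the last row is one octet short.
SAMPLE_INVENTORY = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5f", "00-1a-2b-3c-4d"]

if __name__ == "__main__":
    print(build_entries(SAMPLE_INVENTORY, fmt="xx-xx-xx-xx-xx-xx", upper=True))
```

Rows that land in the rejected list would never match what the device sends, so correct them in the inventory before provisioning the server.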