
Understanding 802.1X MAC RADIUS Authentication on EX-series Switches

Enterprise LANs support many different types of devices. Along with 802.1X-enabled devices, non-802.1X-enabled devices, such as access control readers for buildings, printers, and HVAC systems, must have reliable access to the LAN. These non-802.1X-enabled endpoints are known as nonresponsive hosts.

To permit nonresponsive hosts access to the LAN, you can configure MAC RADIUS authentication on the interfaces to which the nonresponsive hosts are connected. When the MAC address of a nonresponsive host appears on the interface, the switch consults the RADIUS server to check whether the MAC address is a permitted MAC address. If the MAC address is configured as permitted on the RADIUS server, the server informs the switch, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected.

When you configure MAC RADIUS authentication, you can also eliminate the normal 90-second delay it takes for the switch to determine that a connected device is a nonresponsive host. When you configure an interface to eliminate this delay, the switch drops all 802.1X packets. This option is useful when no other 802.1X authentication methods, such as guest VLAN, are needed on the interface.
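The two interface modes described above, shown as Junos `set` commands. This is an added example, not configuration from the original page; the interface names, the profile name `mac-auth-profile`, the server address 192.0.2.10, and the shared secret are placeholders.

```junos
# RADIUS server and access profile the switch consults (placeholder values)
set access radius-server 192.0.2.10 secret "<shared-secret>"
set access profile mac-auth-profile authentication-order radius
set access profile mac-auth-profile radius authentication-server 192.0.2.10
set protocols dot1x authenticator authentication-profile-name mac-auth-profile

# Interface that may see either kind of endpoint: the switch attempts
# 802.1X first and falls back to a MAC lookup on the RADIUS server once
# it determines the connected device is a nonresponsive host.
set protocols dot1x authenticator interface ge-0/0/19 mac-radius

# Interface dedicated to a nonresponsive host (for example a printer):
# "restrict" removes the delay and makes the switch drop all 802.1X
# packets, so MAC RADIUS is the only authentication method on this port.
set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict
```

After committing, `show dot1x interface` reports the authenticator state of each configured port, which confirms whether a host was admitted.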

Figure 1 shows the authentication process for a nonresponsive host configured for MAC RADIUS authentication.

Figure 1: Process Flowchart for Nonresponsive Host Requests


Nonresponsive hosts can also gain access to the LAN using static MAC as a bypass mechanism for 802.1X authentication. See Understanding 802.1X Static MAC on EX-series Switches for more information about a static MAC configuration.
