Configuring MAC RADIUS Authentication (CLI Procedure)
You can give devices that are not 802.1X-enabled (nonresponsive hosts) access to the LAN by configuring MAC RADIUS authentication on the switch interfaces to which the nonresponsive hosts are connected.
When the MAC address of a nonresponsive host appears on the interface, the switch asks the RADIUS server whether that MAC address is permitted. If the MAC address is configured as permitted on the RADIUS server, the server tells the switch so, and the switch opens LAN access to the nonresponsive host on the interface to which it is connected.
Before you configure MAC RADIUS authentication, be sure you have:
- Configured basic access between the EX-series switch and the RADIUS server. See Example: Connecting a RADIUS Server for 802.1X to an EX-series Switch.
- Configured 802.1X authentication on the switch. See Configuring 802.1X Authentication (CLI Procedure) or Configuring 802.1X Authentication (J-Web Procedure).
To configure MAC RADIUS authentication using the CLI:
- On the switch, configure the interfaces to which the nonresponsive hosts are attached for MAC RADIUS authentication, and add the restrict qualifier for interface ge-0/0/20 to have it use only MAC RADIUS authentication:
[edit]
user@switch# set protocols dot1x authenticator interface ge-0/0/19 mac-radius
user@switch# set protocols dot1x authenticator interface ge-0/0/20 mac-radius restrict
- On a RADIUS authentication server, create user profiles for each nonresponsive host using the MAC address (without colons) of the nonresponsive host as the username and password (here, the MAC addresses are 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f):
[root@freeradius]# edit /etc/raddb
vi users
00040ffdacfe Auth-type:=Local, User-Password = "00040ffdacfe"
0004aecd235f Auth-type:=Local, User-Password = "0004aecd235f"
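The users-file entries above only match if the username is written exactly as the procedure shows it: 12 hex digits, no colons. The following sketch is an added example, not part of the original procedure or of Juniper or FreeRADIUS code. It builds those lines from a host inventory written in mixed notations and rejects entries that cannot identify a host. The function names and the sample inventory are assumptions made for illustration, and lowercase output follows the case used in the entries above.

```python
import re

# Separators seen in common MAC notations: aa:bb:..., aa-bb-..., aabb.ccdd.eeff
_SEPARATORS = re.compile(r"[:\-.]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, the form the users file above uses."""
    mac = _SEPARATORS.sub("", raw.strip().lower())
    if not _HEX12.fullmatch(mac):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    # The low bit of the first octet marks a group (multicast/broadcast) address,
    # which is never the source address of a host.
    if int(mac[:2], 16) & 1:
        raise ValueError(f"group address cannot identify a host: {raw!r}")
    return mac


def users_entries(inventory):
    """Build FreeRADIUS users-file lines in the format shown in the procedure.

    inventory: iterable of MAC strings in any common notation.
    Returns (lines, rejected), where rejected is a list of (input, reason).
    """
    lines, rejected, seen = [], [], set()
    for raw in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if mac in seen:
            rejected.append((raw, "duplicate of an earlier entry"))
            continue
        seen.add(mac)
        lines.append(f'{mac} Auth-type:=Local, User-Password = "{mac}"')
    return lines, rejected


if __name__ == "__main__":
    # Constructed inventory: the page's two hosts plus entries that must be rejected.
    sample = ["00:04:0f:fd:ac:fe", "0004.AECD.235F", "00-04-0F-FD-AC-FE",
              "01:00:5e:00:00:fb", "00:04:0f:fd:ac"]
    entries, problems = users_entries(sample)
    print("\n".join(entries))
    for raw, reason in problems:
        print(f"# skipped {raw}: {reason}")
```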