Example: Configuring Static MAC Bypass of Authentication on an MX Series Router
Starting with Junos OS Release 14.2, you can configure a static MAC bypass list on the MX Series router to allow devices to access your LAN through 802.1X-configured interfaces without authentication. The static MAC bypass list, also known as the exclusion list, specifies MAC addresses that are allowed on the router without a request to an authentication server.
You can use static MAC bypass of authentication to allow connection for devices that are not 802.1X-enabled, such as printers. If the MAC address of a host that does not respond to 802.1X requests matches an entry in the static MAC list, the host is treated as authenticated and the interface is opened for it. Because the match is made on the MAC address alone, which any attached host can forge, keep the list limited to devices that genuinely cannot run 802.1X, and confirm during verification that each entry is associated with the access interface you expect.
This example describes how to configure static MAC bypass of authentication for two printers.
Requirements
This example uses the following hardware and software components:
Junos OS Release 14.2 or later for MX240, MX480, or MX960 routers running in enhanced LAN mode.
One router acting as an authenticator port access entity (PAE). The ports on the authenticator PAE form a control gate that blocks all traffic to and from supplicants until they are authenticated.
Before you connect the RADIUS server to the router, be sure you have:
Configured enhanced LAN mode on the router.
Performed basic bridging and VLAN configuration on the router.
Configured users on the RADIUS authentication server.
Overview and Topology
To permit printers access to the LAN, add them to the static MAC bypass list. The MAC addresses on this list are permitted access without authentication from the RADIUS server.
Consider an MX Series router that functions as the authenticator. It connects to a RADIUS server over the IP network through interface ge-0/0/10. The router also connects to a conference room through interface ge-0/0/1, to the two printers through interfaces ge-0/0/19 and ge-0/0/20, to a hub through interface ge-0/0/8, and to two supplicants (clients) through interfaces ge-0/0/2 and ge-0/0/9 respectively.
The interfaces shown in Table 1 will be configured for static MAC authentication.
Property | Settings
---|---
Router hardware | MX Series router
VLAN name | default
Connections to integrated printer/fax/copier machines (no PoE required) | ge-0/0/19, MAC address 00:04:0f:fd:ac:fe; ge-0/0/20, MAC address 00:04:ae:cd:23:5f
The printer with the MAC address 00:04:0f:fd:ac:fe is connected to access interface ge-0/0/19. A second printer with the MAC address 00:04:ae:cd:23:5f is connected to access interface ge-0/0/20. Both printers will be added to the static list and bypass 802.1X authentication.
Topology
Configuration
Procedure
CLI Quick Configuration
To quickly configure static MAC authentication, copy the following commands and paste them into the router terminal window:
[edit]
set protocols authentication-access-control static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
set protocols authentication-access-control interface all supplicant multiple
set protocols authentication-access-control authentication-profile-name profile1
Step-by-Step Procedure
Configure static MAC authentication:
Configure MAC addresses 00:04:0f:fd:ac:fe and 00:04:ae:cd:23:5f as static MAC addresses:
[edit protocols]
user@router# set authentication-access-control static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f]
Configure all interfaces to accept multiple supplicants (multiple supplicant mode):
[edit protocols]
user@router# set authentication-access-control interface all supplicant multiple
Configure the authentication profile name (access profile name) to use for authentication:
[edit protocols]
user@router# set authentication-access-control authentication-profile-name profile1
Note: Access profile configuration is required only for 802.1X clients, not for static MAC clients.
Results
From configuration mode, display the results of the configuration:
user@router# show
interfaces {
    ge-0/0/19 {
        unit 0 {
            family bridge {
                vlan-id 10;
            }
        }
    }
    ge-0/0/20 {
        unit 0 {
            family bridge {
                vlan-id 10;
            }
        }
    }
}
protocols {
    authentication-access-control {
        authentication-profile-name profile1;
        static [00:04:0f:fd:ac:fe 00:04:ae:cd:23:5f];
        interface {
            all {
                supplicant multiple;
            }
        }
    }
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Static MAC Bypass of Authentication
Purpose
Verify that the MAC address for both printers is configured and associated with the correct interfaces.
Action
Use the operational mode command:
user@router> show dot1x static-mac-address
MAC address        VLAN-Assignment  Interface
00:04:0f:fd:ac:fe  default          ge-0/0/19.0
00:04:ae:cd:23:5f  default          ge-0/0/20.0
Meaning
The output field MAC address shows the MAC addresses of the two printers.
The output field Interface shows that the MAC address 00:04:0f:fd:ac:fe can connect to the LAN through interface ge-0/0/19.0 and that the MAC address 00:04:ae:cd:23:5f can connect to the LAN through interface ge-0/0/20.0.
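The following Python script is an added illustration, not Juniper code, that ties the configuration procedure above to this verification step. It validates and normalizes a constructed inventory of devices that cannot run 802.1X, emits the three set commands used in this example, and parses the output of show dot1x static-mac-address to flag entries that are missing, bound to a different interface than the inventory records, or present in the exclusion list with no inventory record at all (the case a security reviewer cares about most, since every entry on the list bypasses authentication). The inventory, the sample command output and all function names are assumptions made for the example; the output layout follows the verification output shown on this page.

```python
"""Build and audit a Junos static MAC bypass (exclusion) list.

Added example, not Juniper code. Assumes the 'show dot1x static-mac-address'
output layout shown in the Verification section of this page.
"""
import re
from typing import Dict, List

# Constructed inventory (hypothetical): MAC address -> access interface it must
# be bound to. The second entry deliberately uses dashes and upper case so the
# normalization path is exercised.
PRINTER_INVENTORY = {
    "00:04:0f:fd:ac:fe": "ge-0/0/19.0",
    "00-04-AE-CD-23-5F": "ge-0/0/20.0",
}

# Constructed sample output, matching the page's verification output.
SHOW_OUTPUT_GOOD = """\
MAC address        VLAN-Assignment  Interface
00:04:0f:fd:ac:fe  default          ge-0/0/19.0
00:04:ae:cd:23:5f  default          ge-0/0/20.0
"""

# Constructed sample output with drift: one printer moved to the hub port and an
# unknown MAC added to the exclusion list.
SHOW_OUTPUT_DRIFT = """\
MAC address        VLAN-Assignment  Interface
00:04:0f:fd:ac:fe  default          ge-0/0/19.0
00:04:ae:cd:23:5f  default          ge-0/0/8.0
00:11:22:33:44:55  default          ge-0/0/2.0
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC in the lower-case colon form Junos prints, or raise ValueError.

    Rejects anything that is not 48 hex bits and any group/multicast address
    (low bit of the first octet set), which can never identify a single host.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"multicast/broadcast address cannot be a host entry: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_set_commands(inventory: Dict[str, str], profile_name: str = "profile1") -> List[str]:
    """Produce the set commands from this example for the given inventory."""
    macs = sorted({normalize_mac(m) for m in inventory})
    return [
        f"set protocols authentication-access-control static [{' '.join(macs)}]",
        "set protocols authentication-access-control interface all supplicant multiple",
        f"set protocols authentication-access-control authentication-profile-name {profile_name}",
    ]


def parse_static_mac_output(text: str) -> Dict[str, str]:
    """Parse 'show dot1x static-mac-address' output into {mac: interface}.

    Data rows have three fields (MAC, VLAN assignment, interface); the header
    row splits into four and is skipped because its first field is not a MAC.
    """
    observed: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        try:
            observed[normalize_mac(fields[0])] = fields[2]
        except ValueError:
            continue
    return observed


def check_bypass_list(inventory: Dict[str, str], show_output: str) -> List[str]:
    """Compare the router's exclusion list against the inventory.

    Returns a list of findings; an empty list means every entry is as expected.
    """
    expected = {normalize_mac(m): ifc for m, ifc in inventory.items()}
    observed = parse_static_mac_output(show_output)
    findings: List[str] = []
    for mac, ifc in expected.items():
        if mac not in observed:
            findings.append(f"MISSING {mac}: not in static list")
        elif observed[mac] != ifc:
            findings.append(f"MISPLACED {mac}: on {observed[mac]}, expected {ifc}")
    for mac, ifc in observed.items():
        if mac not in expected:
            findings.append(f"UNEXPECTED {mac} on {ifc}: not in inventory, bypasses 802.1X")
    return findings


if __name__ == "__main__":
    print("\n".join(build_set_commands(PRINTER_INVENTORY)))
    for label, output in (("good", SHOW_OUTPUT_GOOD), ("drift", SHOW_OUTPUT_DRIFT)):
        print(f"[{label}]", check_bypass_list(PRINTER_INVENTORY, output) or "OK")
```

Run the audit after every change to the exclusion list and on a schedule: an UNEXPECTED finding means a MAC address is being admitted without any RADIUS decision and nobody recorded why, and a MISPLACED finding means a bypassed address is appearing on a port other than the printer's, which is exactly what MAC spoofing from another access port looks like.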