Control access to LAN via Radius

Unanswered Question
Jul 17th, 2007

Is it possible to use RADIUS to control device access to the network by using their MAC addresses to authenticate to a Cisco switch port via RADIUS, and to assign the VLAN to the port via RADIUS too?



moabdallah Tue, 07/17/2007 - 13:41


I don't want to authenticate with username and password.

Only check the MAC address and assign the VLAN according to the MAC address of the device.



stephen.stack Wed, 07/18/2007 - 08:40


I completed this very setup just last week. You can use dot1x with MAC Auth Bypass.

See here...

My config was as follows:

On the RADIUS server, configure both the username and password as the PC/laptop MAC address.

Also on the RADIUS server, configure these options... I used the Cisco ACS RADIUS server.

Tunnel-Type = VLAN
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = (VLANNumber)

Now, globally on the switch, configure this:

! Enable AAA; dot1x authentication and network authorization
! (which carries the VLAN attributes back) both go to RADIUS
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
! Turn 802.1X on globally; per-port enforcement is set on the interfaces
dot1x system-auth-control
!
! RADIUS server, shared secret and the legacy 1645/1646 ports
radius-server host auth-port 1645 acct-port 1646 key cisco
radius-server source-ports 1645-1646
radius-server deadtime 1


And on the interfaces, configure this:

interface FastEthernet 0/1
 ! Plain access port, no DTP negotiation
 switchport mode access
 switchport nonegotiate
 ! Fall back to the client MAC as credentials when the host sends no EAPOL
 dot1x mac-auth-bypass
 dot1x pae authenticator
 dot1x port-control auto
 ! Shortened dot1x timers so the fallback to MAB happens sooner
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 2
 dot1x max-reauth-req 1
 spanning-tree portfast


You may notice that I have changed the dot1x timeouts. My reason was that dot1x was taking too long to authorize the MAC address and then bring up the port (about 40-60 seconds) (I am open to correction on this, as I was only testing it last week :) ).

By reducing the dot1x timeouts the MAC was authorised and the port was brought up quicker.

I hope this helps

Please rate if it does.
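The RADIUS-side half of this setup, as an added Python example (mine, not stephen.stack's code or a Cisco ACS export): the switch sends the client MAC as both User-Name and User-Password, the server looks it up in a MAC-to-VLAN allowlist and answers Access-Accept with the three tunnel attributes listed above. Assumptions, not taken from the thread: that a Cisco IOS MAB request carries the MAC as 12 lowercase hex digits with Service-Type set to Call-Check, the FreeRADIUS `users` syntax shown for sites without ACS, and the MAC table, which is constructed. One caveat a practitioner should keep in mind: MAB proves only that a frame arrived with a known source MAC, which any host can set, so the VLAN it assigns is a placement for devices that cannot do 802.1X, not a strong identity check.

```python
"""RADIUS-side logic for MAC Authentication Bypass (MAB), worked example.

Added example, not code from the original thread. Models the decision the
RADIUS server makes for the switch config above: the switch, seeing no
EAPOL from the host, sends an Access-Request with the host MAC as both
User-Name and User-Password; the server looks the MAC up in an allowlist
and, on a hit, returns Access-Accept with the VLAN tunnel attributes.
"""
import re

# Numeric values behind the attribute names in the post (RFC 2868, RFC 3580).
TUNNEL_TYPE_VLAN = 13            # Tunnel-Type = VLAN
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6  # Tunnel-Medium-Type = 802 (IEEE-802)
SERVICE_TYPE_CALL_CHECK = 10     # Service-Type IOS sets on MAB requests (assumption)


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to the 12 lowercase hex digits that a
    Cisco MAB request carries in User-Name (assumed request format)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


# Constructed allowlist, MAC -> VLAN ID, keyed in normalized form so that
# inventory entries in colon, dash or Cisco dotted notation all match.
MAC_TO_VLAN = {
    normalize_mac(m): vlan
    for m, vlan in {
        "00:11:22:AA:BB:CC": 10,  # constructed: printer
        "0011.22dd.eeff": 20,     # constructed: IP phone, dotted form
        "00-11-22-01-02-03": 30,  # constructed: badge reader, dashed form
    }.items()
}


def vlan_reply_attributes(vlan_id: int) -> dict:
    """The attribute set configured in ACS in the post, as a RADIUS reply.
    Tunnel-Private-Group-ID is a string: IOS accepts a VLAN ID or name."""
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def handle_mab_request(request: dict) -> dict:
    """Decide an Access-Request. Returns {'code': ..., 'attributes': {...}}."""
    reject = {"code": "Access-Reject", "attributes": {}}

    # Only treat this as MAB when the switch says so. Without this check the
    # MAC allowlist doubles as a username/password database: anyone who
    # learns a MAC could type it into an 802.1X password prompt.
    if request.get("Service-Type") != SERVICE_TYPE_CALL_CHECK:
        return reject

    user = request.get("User-Name", "")
    password = request.get("User-Password", "")
    if user != password:
        return reject  # not the MAC-in-both-fields shape MAB produces

    try:
        mac = normalize_mac(user)
    except ValueError:
        return reject

    vlan = MAC_TO_VLAN.get(mac)
    if vlan is None:
        return reject  # unknown device: the port stays unauthorized

    return {"code": "Access-Accept", "attributes": vlan_reply_attributes(vlan)}


def freeradius_users_entry(mac: str, vlan_id: int) -> str:
    """Render the same mapping as a FreeRADIUS 'users' file entry, for sites
    without ACS; the Service-Type check item mirrors the check above."""
    m = normalize_mac(mac)
    return (
        f'{m}\tCleartext-Password := "{m}", Service-Type == Call-Check\n'
        f"\tTunnel-Type = VLAN,\n"
        f"\tTunnel-Medium-Type = IEEE-802,\n"
        f"\tTunnel-Private-Group-ID = {vlan_id}\n"
    )


if __name__ == "__main__":
    # A request in the shape the switch would send for the printer above.
    req = {"User-Name": "001122aabbcc", "User-Password": "001122aabbcc",
           "Service-Type": SERVICE_TYPE_CALL_CHECK,
           "Calling-Station-Id": "00-11-22-AA-BB-CC"}
    print(handle_mab_request(req))
    print(handle_mab_request({**req, "User-Name": "deadbeefcafe",
                              "User-Password": "deadbeefcafe"}))
    print(freeradius_users_entry("00:11:22:AA:BB:CC", 10))
```

The Service-Type gate is the one piece worth copying into a real deployment: with username and password both equal to the MAC, as the post configures in ACS, the same entry would otherwise satisfy an ordinary password login from anyone who has seen the MAC on the wire.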



moabdallah Wed, 07/18/2007 - 12:34


I don't want the PC/laptop to prompt for username and password.

Only MAC address authentication, without entering any username and password.

Can I do this via the MAC authentication bypass feature?



stephen.stack Wed, 07/18/2007 - 13:22

Of course :)

The MAC-Auth-Bypass will not prompt for username and password. The auth process is completely transparent to the end user. However, there is one thing to remember: if dot1x is enabled on the client, i.e. Windows XP dot1x, then XP will try to authorize against dot1x and it will look for a certificate also. You must turn off dot1x on your client PCs for this to work properly..... no problem though :)



