MAC based Authentication on ACS

Unanswered Question
Jan 25th, 2008

Hello everyone,

I am trying to get ACS to do MAC based authentication where upon client connection the switch forward the MAC address of the client to ACS to either authorize or unauthorize the port. I need to do this in an agentless fashion as most of the devices are not Windows based. Problems

1) Where to put the MAC addrtss in ACS. I am getting told 2 different things. One way is the create a user with the MAC address as the username AND password, have ACS reference the internal datyabase and I should be good the second way I am being told is with Network Access Profiles. Create a profile then under Athentication", enter the MAC address under Internal ACS DB.

SO far both was are still making the Windows based machines prompt for a user name and password. I can't have that. It has to be transparent to the end user. Can any point me in the right direction?

Thanks in advance! All replies rated.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Jagdeep Gambhir Fri, 01/25/2008 - 10:48

You can go through MAC Auth bypass feature from following link:

12.2(37)SE - "Using IEEE 802.1x Authentication with MAC Authentication Bypass"

Configuring MAC Auth bypass on 12.2(37)SE:

----------Commands Required on Switch--------------

aaa new-model

aaa authentication dot1x default group radius

dot1x system-auth-control

radius-server host

radius-server key

config t


switchport access vlan

dot1x port-control auto

dot1x mac-auth-bypass

dot1x timeout quiet-period 15

dot1x timeout tx-period 3

dot1x reauthentication

Create a AAA Client entry for the switch in ACS from Network configuration section.

And use the Authentication Protocol as RADIUS (Cisco IOS....)

And on ACS create an account for the client as,

Username : 0015c53ae40d

Password : 0015c53ae40d

If the MAC address of the client is 00-15-C5-3A-E4-0D



angel-moon Tue, 01/29/2008 - 21:50

Thanks. I can't get it working. I do have Network Devices Groups configured. DO you have this in your setup? COuld this be causing a problem?

ohanusi2000 Wed, 01/30/2008 - 04:28

either 802.1x client or nac client unistalled or turn of before doing the test


ohanusi2000 Wed, 01/30/2008 - 04:25

just make sure the client is not install or running on th window base client, if you want to use mac anthetication.


acharyr123 Wed, 01/30/2008 - 05:33


I was handling my last project with AP with MAC based authentication. Please do the will definitely work..

1. Create 1 vlan in any of the switches for MAC based authentication purpose. Say the VLAn id is VLAN 900 (IP:

2. In ACS go to "Group Setup".Assign a name say "MAC"

3. Scroll down & go to "IETF RADIUS ATTRIBUTES". Go to Value 64 (Tunnel -Type). Choose Tag 1 & select VLAN from the drill down option.

4. Scroll down & go to "IETF RADIUS ATTRIBUTES". Go to Value 65 (Tunnel-Medium-Type). Choose Tag 1 & select 802 from the drill down option.

5. Scroll down & go to "IETF RADIUS ATTRIBUTES". Go to Value 81 (Tunnel -Type). Choose Tag 1 & write the vlan id no that u created into core/distribution for MAC based authentication purpose (we created VLAN write 900)

6. Now come to "User Setup".

7. Add the MAC address of wireless nic card of one of the laptop/desktop.

8. Click on edit.

9. In real name write the mac address of the wireless nic card of the end user in small letter without any space.

10. In Password Authentication select "ACS Internal Database " from the drill down menu.

11. In password & confirm password value write the mac address of that very registered user that we did in step 7.

12. Select the Group (that we created into step 2) MAC from the drill down menu in "Group to which the user is assigned"

13. Repect step 3,4 & 5 again in "IETF RADIU ATTRIBUTES"

14. In "network configuration" add ACS in AAA server setup & the corresponding AP in AAA client.

15. In AAA server setup provide IP of ACS, give the key, in AAA server type select "CiscoSecure ACS" from the drill down menu.

16. In AAA client setup add the IP of the AP,shared secret (must be same in ACS & AP). I "Authentication Using" option select "Radius-Cisco Aironet" from the drill down option.

17. From "system configuration" go to logging option & enable the reuired log settings so that passed/failed logs u can get.

18. Now go to AP.

19. In Server Manager from "Security" option.

20. Add the ACS server IP & give the shard secret key (it must be same in AP & ACS). Leave authentication & authorization port field default. Apply. Now go down & select the ACS server IP from MAC authentication option.

21. Clink on "Global Properties". Select "Unformatted" from "RADIUS calling/called station id format.

22. Go to "Local Radius Server". Click on "General Setup" click on :MAC" & apply.

23. Now go to "Services" & select "VLAN"

24. Crete the vlan 900 that we created for mac based authentication purpose.

25. Now go to "SSID MANAGER". Click on new & write the desired SSID name. From VLAn field drill down to select the "VLAN 900"

26. Under "Client Authentication Setting" select "With MAC authentication" from open authentication field. Under mac authentication server select the ACS IP from drill down option.

27. Make sure the switch port that is connected with AP is in trunk mode. do the following

" switchport trunk en dot1q"

" switchport truen native vlan 901"--AP ip will be from any ip of the native vlan that is created in core/distribution.

"switchport mode trunk "

27. Make sure from the end switch with whom the AP is connected, the native & MAC vlan ip is pinging.

U r done!!!!

Plz rate if possible!!!!

david-schroeder_2 Fri, 02/15/2008 - 13:46

I am working on a similiar setup but cannot get this to work as you stated. Within my ACS failed authentication log I get ACS password invalid when attempting to authenticate via MAC. I do have the mac entered as the user and the password the same as the user. Any ideas?

Jacob-Harris Wed, 02/20/2008 - 18:13

I'm doing this now for approx 300 mac addys in my MAB table. However i'm not using the username functions. The Network access profile has worked since day one. There were some caveats from the switch side, using voip phones, and a variety of weird issues w/ cisco ATA's and AP's not working w/ dot1x and cdp. Also saw HP printers throwing out some strange mac addresses which caused failures via dot1x's built in single host features. What we ended up doing was to return to the old method of guest access w/ the command "dot1x guest-vlan supplicant" this seemed to help along with the newer code versions. As far as the Network access profile, its quite simple create one. under the authentication tab place your mac address in, be careful here we had a few issues with following specific naming conventions,, we stuck with upper case 00:00:AA:BB:CC:00 type format. And make sure you assign the NAP to drop authenticated macs into the proper NDG. Update if your still having issues. Pretty happy with the overall setup 2000+ eap clients and 300+ MAB over 40+ 4500's.

jafrazie Thu, 02/21/2008 - 11:16


It can be made to work either way. MAC-Auth-Bypass as described in switch documentation explains the use of using MAC as username/password. This should work much the same way WLAN APs have been doing this for years, and as discussed in this thread.

Alternatively, you could configure a NAP to have ACS not authenticate the request at all, but choose to authorize the session solely based on the Calling-Station-ID (RADIUS Attribute [31]) which is also the MAC Address of the end station. This would be a form of MAC filtering that would technically be possible via any RADIUS transaction if it was configured to do so.

Hope this helps,

david-schroeder_2 Thu, 02/21/2008 - 11:33

Does the MAC-Auth-Bypass described in the switch documentation apply when working with an AP? We currently use mac-address checking within the AP but I'm wanting to move that to and ACS server so it is easier to manange when I add additional laptops for access as well as when we add additional APs.

Thanks for the information on MAC-Auth-Bypass.

jafrazie Thu, 02/21/2008 - 14:22

Yes, it's effectively the same. Consult the product documentation for this on APs and the mechanism is the same, but for example on an AP you could fail a MAC-Authentication and still get online with 802.1X, whereas on a single switchport, MAC-auth only attempts after 802.1X times out on the port.

Jacob-Harris Fri, 02/22/2008 - 05:45

Just a caution, had some issues w/ the A.P's and MAC bypass. CDP running on the A.P's seemed to interfere. Same thing happened w/ ATA's.

moabdallah Sun, 02/24/2008 - 03:52


I am trying configure MAC authenitication bypass, snd it is working

but i want to start the MAC authentication without the 802.1x trails

how can I do this ? Is there is any command that enable MAC authentication without the 802.1x ?

My configuration :

interface GigabitEthernet0/48

switchport mode access

dot1x mac-auth-bypass

dot1x pae authenticator

dot1x port-control auto

dot1x timeout quiet-period 2

dot1x timeout reauth-period 240

dot1x timeout tx-period 2

dot1x max-reauth-req 1

dot1x reauthentication

spanning-tree portfast



jafrazie Sun, 02/24/2008 - 11:09

Today, MAC-Auth is only avail as a timeout to 1X in support of a supplemental auth method.

moabdallah Mon, 03/03/2008 - 02:19

Thanks for your reply

The MAC authentication is working fine

What if the Raduis Server is down ?

I want to configure if the Raduis is down/don't reply , the PC get assigned to default VLAN ( VLAN 1 ) and can access the network

How can I configure this issue ?

My existing configuration :-

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius


aaa session-id common

interface GigabitEthernet0/48

interface GigabitEthernet0/48

switchport mode access

dot1x mac-auth-bypass

dot1x pae authenticator

dot1x port-control auto

dot1x timeout quiet-period 2

dot1x timeout tx-period 1

dot1x max-reauth-req 1

dot1x reauthentication

spanning-tree portfast



jafrazie Mon, 03/03/2008 - 07:30

First recommendation is to provide HA/resiliency to RADIUS. Not sure this is something you'd need to enable by default. Try to use it as fail-safe. If you still need it, see below:

You would need to enable dot1x critical.

Add this to your port:

dot1x critical

dot1x critical vlan

Optionally, if you want to initialize the port once the switch discovers RADIUS is back, add this to the port:

dot1x critical recovery action reinitialize

Also, add a test username at the end of your RADIUS server definition (this allows the switch to actively seek the server while it's in a down state):

radius-server host test username

Also add this for deterministic deployment:

radius-server dead-criteria time 15 tries 3

Hope this helps,


Sorry, I'm obviously a bit late to this conversation. We are looking to deploy 802.1x across our organisation and things look good with our testing so far. However I have a large amount of non-dot1x capable devices which I would like to authenticate based on mac address and a huge amount of switches(such as 2950's) which do not support the mac-auth-bypass command. You mention authenticating by mac address using radius attribute and a NAP on the ACS server - could you give more info? or is this only possible via an AP? I thought 802.1x on a switch never forwarded the mac address if it failed to receive eapol packets(without use of mac-auth-bypass)?

Many thanks



This Discussion