802.1x authentication with mac address

Unanswered Question
Nov 29th, 2009

Hi guys,

There is a strange requirement from one of our customers.

They want us to do 802.1x with MAC address authentication, and they don't want the pop-ups which ask for username, password and domain.

Is it possible?

Can I avoid the username and password pop-up with 802.1x, and that too with MAC address?

Any help would be greatly appreciated.



kush.sri2001 Mon, 11/30/2009 - 20:55


The feature which you are looking for is possible in the case of wired 802.1x. This feature is called MAC-Auth Bypass and is done mostly if the client machine is not 802.1x capable. However, nowadays it is used even if the machine is 802.1x capable. In this we enter the MAC address of the machine in the user database, e.g. Active Directory. When you connect the client machine to the switch, if we have MAC-Auth Bypass enabled on the port, it would take the MAC address of the machine as the username without any prompt for username and password.

A Windows server admin can easily push a group policy which disables 802.1x on the client machine, and it would only respond to MAC-Auth Bypass. But first you would have to make sure your switch has MAC-Auth Bypass in the IOS.

For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf



jvalin__s Tue, 12/08/2009 - 00:35

So Kush,

Is it necessary for me to configure the commands for 802.1x on the port, or only MAC-Auth Bypass?

kush.sri2001 Wed, 12/09/2009 - 21:17


Yes, you would have to configure 802.1x on the switch and on the port.

To enable 802.1x globally on the switch, enter the command "dot1x system-auth-control".

On the interface, type the following commands:

- dot1x port-control auto

- dot1x mac-auth-bypass



jvalin__s Thu, 12/10/2009 - 01:29


I got your idea,

but the link which you pasted says that MAB will start only when 802.1x times out.

Also, it would take 90 seconds for the users to get access.

One more sentence has been written there: on a port where a user has been authenticated through MAC bypass, if another user tries to connect on the same port, it is considered a security violation.

Do you have any idea on this?
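
The commands from this thread placed in a complete port configuration, as an added example that is not part of the original posts or of the linked Cisco document. The RADIUS server address, the key placeholder, the interface name and the timer values are assumptions. The 90 seconds mentioned above is the default 802.1x wait before the switch falls back to MAB.

```cisco
! Added example. Server address, key, interface and timer values are assumptions.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Enable 802.1x globally (command from the thread)
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 ! Commands from the thread
 dot1x port-control auto
 dot1x mac-auth-bypass
 ! MAB starts only after the 802.1x identity requests go unanswered.
 ! Defaults: tx-period 30 s, max-reauth-req 2 -> (2 + 1) * 30 = 90 s.
 ! Illustrative values below: (2 + 1) * 10 = 30 s before MAB is tried.
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 ! Default host mode: a second MAC address seen on the port is a security violation
 dot1x host-mode single-host
```

Shortening the timers too far can make the switch fall back to MAB before a slow 802.1x supplicant has answered, so test the values against the slowest 802.1x-capable client on the network.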



