9.1.6 How to Configure Authentication Exceptions
This section describes how to configure Web authentication-exempted ports and terminals.
(1) Configuring Authentication-Exempted Ports for Fixed VLAN Mode
Use the following procedure to configure a port to be permitted access in fixed VLAN mode without the need for authentication.
- Points to note
Do not designate an authentication-exempted port as an authentication port.
- Command examples
(config)# vlan 10
(config-vlan)# state active
(config-vlan)# exit
(config)# interface gigabitethernet 1/0/4
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# web-authentication port
(config-if)# exit
(config)# interface gigabitethernet 1/0/10
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# exit
Specifies port 1/0/4, which is assigned to VLAN ID 10 in fixed VLAN mode, as an authentication port. Port 1/0/10 is assigned to the same VLAN but is not specified as an authentication port, so it is permitted access without the need for authentication.
(2) Configuring Authentication-Exempted Terminals for Fixed VLAN Mode
Use the following procedure to specify the MAC address of a terminal to be permitted access in fixed VLAN mode without the need for authentication.
- Points to note
Register the MAC address of an authentication-exempted terminal in the MAC address table.
- Command examples
(config)# vlan 10
(config-vlan)# exit
(config)# mac-address-table static 0012.e212.3456 vlan 10 interface gigabitethernet 1/0/10
Specifies the MAC address of a terminal to be permitted access to port 1/0/10 with VLAN ID 10, without the need for authentication.
(3) Configuring Authentication-Exempted Ports for Dynamic VLAN Mode
Use the following procedure to configure a port to be permitted access in dynamic VLAN mode without the need for authentication.
- Points to note
Designate an authentication-exempted port as an access port, but not as an authentication port.
- Command examples
(config)# vlan 50 mac-based
(config-vlan)# state active
(config-vlan)# exit
(config)# interface gigabitethernet 1/0/10
(config-if)# switchport mode access
(config-if)# switchport access vlan 50
(config-if)# exit
Permits access by unauthenticated terminals to MAC VLAN ID 50 from port 1/0/10.
(4) Configuring Authentication-Exempted Terminals for Dynamic VLAN Mode
Use the following procedure to specify the MAC address of a terminal to be permitted access in dynamic VLAN mode without the need for authentication.
- Points to note
Register the MAC address of an authentication-exempted terminal in a MAC VLAN and a MAC address table.
- Command examples
(config)# vlan 50 mac-based
(config-vlan)# mac-address 0012.e212.3456
(config-vlan)# exit
(config)# mac-address-table static 0012.e212.3456 vlan 50 interface gigabitethernet 1/0/10
Specifies the MAC address of a terminal to be permitted access to port 1/0/10 with MAC VLAN ID 50, without the need for authentication.
(5) Configuring Authentication-Exempted Ports for Legacy Mode
Use the commands below to configure a port to be permitted access in legacy mode without the need for authentication.
- Points to note
Designate an authentication-exempted port as an access port.
- Command examples
(config)# vlan 50 mac-based
(config-vlan)# state active
(config-vlan)# exit
(config)# interface gigabitethernet 1/0/10
(config-if)# switchport mode access
(config-if)# switchport access vlan 50
(config-if)# exit
Permits access by unauthenticated terminals to MAC VLAN ID 50 from port 1/0/10.
(6) Configuring Authentication-Exempted Terminals for Legacy Mode
Use the commands below to specify the MAC address of a terminal to be permitted access in legacy mode without the need for authentication.
- Points to note
Register the MAC address of an authentication-exempted terminal in a MAC VLAN.
- Command examples
(config)# vlan 50 mac-based
(config-vlan)# mac-address 0012.e212.3456
(config-vlan)# exit
Specifies the MAC address of a terminal to be permitted access to MAC VLAN ID 50 without the need for authentication.
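Because every exemption configured in (1) through (6) is a port or MAC address that bypasses Web authentication, it is useful to be able to list them from a configuration. The following is an added example, not part of the original manual or the vendor's tooling: a Python audit over a command transcript in the format shown above. The function name audit_exemptions and the sample input are hypothetical, and the port check covers only the fixed VLAN case in (1), where an exempted port shares a VLAN with an authentication port.

```python
import re

# Constructed sample: command sequences from (1) and (4) above, condensed.
SAMPLE = """\
(config)# vlan 10
(config-vlan)# exit
(config)# vlan 50 mac-based
(config-vlan)# mac-address 0012.e212.3456
(config-vlan)# exit
(config)# interface gigabitethernet 1/0/4
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# web-authentication port
(config-if)# exit
(config)# interface gigabitethernet 1/0/10
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# exit
(config)# mac-address-table static 0012.e212.3456 vlan 50 interface gigabitethernet 1/0/10
"""

def audit_exemptions(text):
    """Return (exempt_ports, exempt_macs) found in a command transcript."""
    ports = {}    # port -> {"vlan": VLAN ID or None, "auth": bool}
    macs = set()  # (mac, vlan, port); port is None for MAC VLAN entries
    ctx = None    # ("if", port) or ("vlan", id) while inside a sub-mode
    for raw in text.splitlines():
        line = re.sub(r"^\(config[^)]*\)#\s*", "", raw.strip())  # drop the prompt
        if m := re.fullmatch(r"interface gigabitethernet (\S+)", line):
            ctx = ("if", m[1])
            ports.setdefault(m[1], {"vlan": None, "auth": False})
        elif m := re.fullmatch(r"vlan (\d+)( mac-based)?", line):
            ctx = ("vlan", m[1])
        elif line == "exit":
            ctx = None
        elif m := re.fullmatch(r"mac-address-table static (\S+) vlan (\d+) interface gigabitethernet (\S+)", line):
            macs.add((m[1], m[2], m[3]))
        elif ctx and ctx[0] == "if":
            if m := re.fullmatch(r"switchport access vlan (\d+)", line):
                ports[ctx[1]]["vlan"] = m[1]
            elif line == "web-authentication port":
                ports[ctx[1]]["auth"] = True
        elif ctx and ctx[0] == "vlan":
            if m := re.fullmatch(r"mac-address (\S+)", line):
                macs.add((m[1], ctx[1], None))
    auth_vlans = {p["vlan"] for p in ports.values() if p["auth"]}
    exempt = sorted(n for n, p in ports.items() if not p["auth"] and p["vlan"] in auth_vlans)
    return exempt, sorted(macs, key=str)
```

Comparing the returned lists against an approved inventory of exempted ports and terminals shows any exemption that was added outside change control.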