11.1.5 How to Configure Authentication Exceptions
This section describes how to configure MAC-based authentication-exempted ports and terminals.
(1) Configuring Fixed VLAN Authentication-Exception Ports
Use the following procedure to configure a port to be permitted access in fixed VLAN mode without the need for authentication.
- Points to note
  Do not designate an authentication-exempted port as an authentication port.
- Command examples
(config)# vlan 10
(config-vlan)# state active
(config-vlan)# exit
(config)# interface gigabitethernet 1/0/4
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# mac-authentication port
(config-if)# exit
(config)# interface gigabitethernet 1/0/10
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# exit
Specifies port 1/0/4, which is assigned to VLAN ID 10 in fixed VLAN mode, as an authentication port. This procedure then configures port 1/0/10 to be permitted access without the need for authentication.
(2) Configuring Fixed VLAN Authentication-Exception Terminals
Use the following procedure to specify the MAC address of a terminal to be permitted access in fixed VLAN mode without the need for authentication.
- Points to note
  Register the MAC address of an authentication-exempted terminal in the MAC address table.
- Command examples
(config)# vlan 10
(config-vlan)# state active
(config-vlan)# exit
(config)# mac-address-table static 0012.e212.3456 vlan 10 interface gigabitethernet 1/0/10
Specifies the MAC address of a terminal to be permitted access to port 1/0/10 with VLAN ID 10, without the need for authentication.
(3) Configuring Dynamic VLAN Authentication-Exception Ports
Use the following procedure to configure a port to be permitted access in dynamic VLAN mode without the need for authentication.
- Points to note
  Do not designate an authentication-exempted port as an authentication port.
- Command examples
(config)# vlan 10
(config-vlan)# state active
(config-vlan)# exit
(config)# interface gigabitethernet 1/0/4
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac vlan 20
(config-if)# switchport mac native vlan 10
(config-if)# mac-authentication port
(config-if)# exit
(config)# interface gigabitethernet 1/0/10
(config-if)# switchport mode access
(config-if)# switchport access vlan 20
(config-if)# exit
Specifies port 1/0/4, which is assigned to MAC VLAN ID 20 in dynamic VLAN mode, as an authentication port. This procedure then configures port 1/0/10 to be permitted access without the need for authentication.
(4) Configuring Dynamic VLAN Authentication-Exception Terminals
Use the following procedure to specify the MAC address of a terminal to be permitted access in dynamic VLAN mode without the need for authentication.
- Points to note
  Register the MAC address of an authentication-exempted terminal in a MAC VLAN and a MAC address table.
- Command examples
(config)# vlan 20 mac-based
(config-vlan)# mac-address 0012.e212.3456
(config-vlan)# exit
(config)# mac-address-table static 0012.e212.3456 vlan 20 interface gigabitethernet 1/0/10
Specifies the MAC address of a terminal to be permitted access to MAC VLAN 20 through port 1/0/10 without the need for authentication.
(5) Configuring Authentication Exemption for MAC Ports with Dot1q Configured
- Points to note
  Configure the switch to exempt tagged frames received at a MAC port with dot1q configured from authentication.
- Command examples
(config)# interface gigabitethernet 1/0/20
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac vlan 20
(config-if)# switchport mac native vlan 10
(config-if)# switchport mac dot1q vlan 100
(config-if)# mac-authentication port
(config-if)# mac-authentication dot1q-vlan force-authorized
(config-if)# exit
Configures settings so that the tagged frames received at MAC-based authentication port 1/0/20 and destined for VLAN ID 100 are exempted from authentication.
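Every setting in this section lets traffic through without MAC-based authentication, so it helps to inventory the exemptions periodically. The following Python sketch is an added example, not part of the original manual: it parses configuration text in the command syntax shown above and lists each exemption. The function name `audit_exemptions`, the finding labels, and the rule that a non-authentication port sharing a VLAN with an authentication port counts as exempt are assumptions made for illustration.

```python
import re
SAMPLE = """\
(config)# interface gigabitethernet 1/0/4
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# mac-authentication port
(config-if)# exit
(config)# interface gigabitethernet 1/0/10
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# exit
(config)# interface gigabitethernet 1/0/20
(config-if)# switchport mode mac-vlan
(config-if)# switchport mac vlan 20
(config-if)# switchport mac native vlan 10
(config-if)# switchport mac dot1q vlan 100
(config-if)# mac-authentication port
(config-if)# mac-authentication dot1q-vlan force-authorized
(config-if)# exit
(config)# mac-address-table static 0012.e212.3456 vlan 10 interface gigabitethernet 1/0/10
"""  # constructed sample: this section's command examples merged into one config
FLAGS = {"mac-authentication port": "auth", "mac-authentication dot1q-vlan force-authorized": "force"}

def audit_exemptions(config):
    """Return (kind, port, detail) for each authentication exemption found."""
    ports, static, cur = {}, [], None
    for raw in config.splitlines():
        line = re.sub(r"^\(config[^)]*\)#\s*", "", raw.strip())  # drop CLI prompt if present
        if m := re.match(r"interface gigabitethernet (\S+)", line):
            cur = ports.setdefault(m[1], {"auth": False, "force": False, "vlans": set(), "dot1q": set()})
        elif m := re.match(r"mac-address-table static (\S+) vlan (\d+) interface gigabitethernet (\S+)", line):
            static.append(("static-mac", m[3], f"{m[1]} vlan {m[2]}"))
        elif line == "exit":
            cur = None
        elif cur is not None:
            if line in FLAGS:
                cur[FLAGS[line]] = True
            elif m := re.match(r"switchport mac dot1q vlan (\d+)", line):
                cur["dot1q"].add(int(m[1]))
            elif m := re.match(r"switchport (?:access|mac|mac native) vlan (\d+)", line):
                cur["vlans"].add(int(m[1]))
    guarded = set().union(*(p["vlans"] for p in ports.values() if p["auth"]))  # VLANs behind an auth port
    found = []
    for name, p in ports.items():
        if not p["auth"] and p["vlans"] & guarded:  # assumed rule: unauthenticated port in a guarded VLAN
            found.append(("exempt-port", name, "vlan " + ",".join(map(str, sorted(p["vlans"] & guarded)))))
        if p["auth"] and p["force"] and p["dot1q"]:  # tagged frames bypass authentication
            found.append(("dot1q-force-authorized", name, "vlan " + ",".join(map(str, sorted(p["dot1q"])))))
    return found + static
```

Running `audit_exemptions(SAMPLE)` reports port 1/0/10 as an exempt port in VLAN 10, the forced authorization of VLAN 100 on port 1/0/20, and the static entry for 0012.e212.3456; compare the result against the list of exemptions that were actually approved.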