Configuration Guide Vol. 2


11.1.5 How to Configure Authentication Exceptions

This section describes how to configure ports and terminals that are exempted from MAC-based authentication.

<Structure of this section>

(1) Configuring Persistent VLAN Authentication-Exception Ports

Use the following procedure to configure a port to be permitted access in fixed VLAN mode without the need for authentication.

Points to note

Do not designate an authentication-exempted port as an authentication port.

Command examples

  1. (config)# vlan 10

    (config-vlan)# state active

    (config-vlan)# exit

    (config)# interface gigabitethernet 1/0/4

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 10

    (config-if)# mac-authentication port

    (config-if)# exit

    (config)# interface gigabitethernet 1/0/10

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 10

    (config-if)# exit

    Specifies port 1/0/4, which is assigned to VLAN ID 10 in fixed VLAN mode, as an authentication port. This procedure then configures port 1/0/10 to be permitted access without the need for authentication.

(2) Configuring Fixed VLAN Authentication-Exception Terminals

Use the following procedure to specify the MAC address of a terminal to be permitted access in fixed VLAN mode without the need for authentication.

Points to note

Register the MAC address of an authentication-exempted terminal in the MAC address table.

Command examples

  1. (config)# vlan 10

    (config-vlan)# state active

    (config-vlan)# exit

    (config)# mac-address-table static 0012.e212.3456 vlan 10 interface gigabitethernet 1/0/10

    Specifies the MAC address of a terminal to be permitted access to port 1/0/10 with VLAN ID 10, without the need for authentication.

(3) Configuring Dynamic VLAN Authentication-Exception Ports

Use the following procedure to configure a port to be permitted access in dynamic VLAN mode without the need for authentication.

Points to note

Do not designate an authentication-exempted port as an authentication port.

Command examples

  1. (config)# vlan 10

    (config-vlan)# state active

    (config-vlan)# exit

    (config)# interface gigabitethernet 1/0/4

    (config-if)# switchport mode mac-vlan

    (config-if)# switchport mac vlan 20

    (config-if)# switchport mac native vlan 10

    (config-if)# mac-authentication port

    (config-if)# exit

    (config)# interface gigabitethernet 1/0/10

    (config-if)# switchport mode access

    (config-if)# switchport access vlan 20

    (config-if)# exit

    Specifies port 1/0/4, which is assigned to MAC VLAN ID 20 in dynamic VLAN mode, as an authentication port. This procedure then configures port 1/0/10 to be permitted access without the need for authentication.

(4) Configuring Dynamic VLAN Authentication-Exception Terminals

Use the following procedure to specify the MAC address of a terminal to be permitted access in dynamic VLAN mode without the need for authentication.

Points to note

Register the MAC address of an authentication-exempted terminal in a MAC VLAN and a MAC address table.

Command examples

  1. (config)# vlan 20 mac-based

    (config-vlan)# mac-address 0012.e212.3456

    (config-vlan)# exit

    (config)# mac-address-table static 0012.e212.3456 vlan 20 interface gigabitethernet 1/0/10

    Specifies the MAC address of a terminal to be permitted access to MAC VLAN 20 through port 1/0/10 without the need for authentication.
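The "Points to note" in (1) through (4) can be checked mechanically against a saved configuration. The following Python script is an added example, not part of this guide or of the switch software; it parses a constructed sample configuration written only in the command syntax shown above and reports static exempted-terminal entries that fall on an authentication port, or that have no matching mac-address registration in their MAC VLAN.

```python
import re

# Constructed sample running-config in the syntax of this section (not captured from a real switch).
SAMPLE_CONFIG = """\
vlan 20 mac-based
 mac-address 0012.e212.3456
interface gigabitethernet 1/0/4
 switchport mode mac-vlan
 switchport mac vlan 20
 mac-authentication port
interface gigabitethernet 1/0/10
 switchport access vlan 20
mac-address-table static 0012.e212.3456 vlan 20 interface gigabitethernet 1/0/10
mac-address-table static 0012.e212.aaaa vlan 20 interface gigabitethernet 1/0/4
mac-address-table static 0012.e212.bbbb vlan 20 interface gigabitethernet 1/0/10
"""

STATIC_RE = re.compile(r"^mac-address-table static (\S+) vlan (\d+) interface (.+)$")

def parse_config(text):
    """Collect authentication ports, MAC VLAN members and static MAC address table entries."""
    auth_ports, mac_vlans, static_entries = set(), {}, []
    iface = vlan = None  # current interface / vlan configuration context
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^vlan (\d+)( mac-based)?$", line):
            vlan, iface = int(m[1]), None
            if m[2]: mac_vlans.setdefault(vlan, set())  # MAC VLAN, possibly still empty
        elif m := re.match(r"^interface (.+)$", line):
            iface, vlan = m[1], None
        elif line == "mac-authentication port" and iface:
            auth_ports.add(iface)
        elif (m := re.match(r"^mac-address (\S+)$", line)) and vlan is not None:
            mac_vlans.setdefault(vlan, set()).add(m[1].lower())
        elif m := STATIC_RE.match(line):
            static_entries.append((m[1].lower(), int(m[2]), m[3]))
    return auth_ports, mac_vlans, static_entries

def audit_exemptions(text):
    """Return one finding per static exemption that breaks a 'Points to note' rule."""
    auth_ports, mac_vlans, entries = parse_config(text)
    findings = []
    for mac, vlan, iface in entries:
        # (1)/(3): an authentication-exempted port must not also be an authentication port
        if iface in auth_ports:
            findings.append(f"{mac}: exempted on {iface}, which is also an authentication port")
        # (4): in dynamic VLAN mode the MAC must also be registered in the MAC VLAN itself
        if vlan in mac_vlans and mac not in mac_vlans[vlan]:
            findings.append(f"{mac}: static entry in MAC VLAN {vlan} but no mac-address registration")
    return findings
```

In the sample, only 0012.e212.3456 is registered exactly as section (4) prescribes; the other two entries each produce a finding.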

(5) Configuring Authentication Exemptions for Tagged Frames on MAC Ports with dot1q Configured

Points to note

Configure the switch so that tagged frames received on a MAC port with dot1q configured are exempted from authentication.

Command examples

  1. (config)# interface gigabitethernet 1/0/20

    (config-if)# switchport mode mac-vlan

    (config-if)# switchport mac vlan 20

    (config-if)# switchport mac native vlan 10

    (config-if)# switchport mac dot1q vlan 100

    (config-if)# mac-authentication port

    (config-if)# mac-authentication dot1q-vlan force-authorized

    (config-if)# exit

Configures the port so that tagged frames received on MAC-based authentication port 1/0/20 and destined for VLAN ID 100 are exempted from authentication.