Configuring 802.1X
MAC Authentication Bypass
You can configure the Cisco NX-OS device to authorize a supplicant based on the supplicant MAC address
by using the MAC authentication bypass feature. For example, you can enable this feature on interfaces
configured for 802.1X that are connected to devices such as printers.
If 802.1X authentication times out while waiting for an EAPOL response from the supplicant, the Cisco
NX-OS device tries to authorize the client by using MAC authentication bypass.
When you enable the MAC authentication bypass feature on an interface, the Cisco NX-OS device uses the
MAC address as the supplicant identity. The authentication server has a database of supplicant MAC addresses
that are allowed network access. After detecting a client on the interface, the Cisco NX-OS device waits for
an Ethernet packet from the client. The Cisco NX-OS device sends the authentication server a
RADIUS-access/request frame with a username and password based on the MAC address. If authorization
succeeds, the Cisco NX-OS device grants the client access to the network.
If an EAPOL packet is detected on the interface during the lifetime of the link, the Cisco NX-OS device
determines that the device connected to that interface is an 802.1X-capable supplicant and uses 802.1X
authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if the
interface link status goes down.
If the Cisco NX-OS device already authorized an interface by using MAC authentication bypass and detects
an 802.1X supplicant, the Cisco NX-OS device does not unauthorize the client connected to the interface.
When reauthentication occurs, the Cisco NX-OS device uses 802.1X authentication as the preferred
reauthentication process.
Clients that were authorized with MAC authentication bypass can be reauthenticated. The reauthentication
process is the same as that for clients that were authenticated with 802.1X. During reauthentication, the port
remains in the previously assigned VLAN. If reauthentication is successful, the switch keeps the port in the
same VLAN.
If reauthentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the
Termination-Action RADIUS attribute (Attribute [29]) and if the Termination-Action RADIUS attribute
(Attribute [29]) action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass session
ends, and connectivity is lost during reauthentication. If MAC authentication bypass is enabled and the 802.1X
authentication times out, the switch uses the MAC authentication bypass feature to initiate reauthorization.
For more information about these AV pairs, see RFC 3580, IEEE 802.1X Remote Authentication Dial In User
Service (RADIUS) Usage Guidelines.
MAC authentication bypass interacts with the following features:
• 802.1X authentication—You can enable MAC authentication bypass only if 802.1X authentication is
• Port security—You can configure 802.1X authentication and port security on the same Layer 2 ports.
• Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an 802.1X port
Dynamic VLAN Assignment based on MAC-Based Authentication (MAB)
The Cisco Nexus 9000 Series switches supports dynamic VLAN assignment. After the 802.1x authentication
or MAB is completed; before bringing up the port, you may want to (as part of authorization) allow the
peer/host to be placed into a particular VLAN based as a result of the authentication. The RADIUS server
enabled on the port.
is authenticated with MAC authentication bypass, including hosts in the exception list.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
MAC Authentication Bypass
181