Showing results for 
Search instead for 
Did you mean: 

MAC based Authentication on ACS


Hello everyone,

I am trying to get ACS to do MAC based authentication where upon client connection the switch forward the MAC address of the client to ACS to either authorize or unauthorize the port. I need to do this in an agentless fashion as most of the devices are not Windows based. Problems

1) Where to put the MAC addrtss in ACS. I am getting told 2 different things. One way is the create a user with the MAC address as the username AND password, have ACS reference the internal datyabase and I should be good the second way I am being told is with Network Access Profiles. Create a profile then under Athentication", enter the MAC address under Internal ACS DB.

SO far both was are still making the Windows based machines prompt for a user name and password. I can't have that. It has to be transparent to the end user. Can any point me in the right direction?

Thanks in advance! All replies rated.

16 Replies 16

Jagdeep Gambhir

You can go through MAC Auth bypass feature from following link:

12.2(37)SE - "Using IEEE 802.1x Authentication with MAC Authentication Bypass"

Configuring MAC Auth bypass on 12.2(37)SE:

----------Commands Required on Switch--------------

aaa new-model

aaa authentication dot1x default group radius

dot1x system-auth-control

radius-server host

radius-server key

config t


switchport access vlan

dot1x port-control auto

dot1x mac-auth-bypass

dot1x timeout quiet-period 15

dot1x timeout tx-period 3

dot1x reauthentication

Create a AAA Client entry for the switch in ACS from Network configuration section.

And use the Authentication Protocol as RADIUS (Cisco IOS....)

And on ACS create an account for the client as,

Username : 0015c53ae40d

Password : 0015c53ae40d

If the MAC address of the client is 00-15-C5-3A-E4-0D



Thanks. I can't get it working. I do have Network Devices Groups configured. DO you have this in your setup? COuld this be causing a problem?

either 802.1x client or nac client unistalled or turn of before doing the test



just make sure the client is not install or running on th window base client, if you want to use mac anthetication.




I was handling my last project with AP with MAC based authentication. Please do the will definitely work..

1. Create 1 vlan in any of the switches for MAC based authentication purpose. Say the VLAn id is VLAN 900 (IP:

2. In ACS go to "Group Setup".Assign a name say "MAC"

3. Scroll down & go to "IETF RADIUS ATTRIBUTES". Go to Value 64 (Tunnel -Type). Choose Tag 1 & select VLAN from the drill down option.

4. Scroll down & go to "IETF RADIUS ATTRIBUTES". Go to Value 65 (Tunnel-Medium-Type). Choose Tag 1 & select 802 from the drill down option.

5. Scroll down & go to "IETF RADIUS ATTRIBUTES". Go to Value 81 (Tunnel -Type). Choose Tag 1 & write the vlan id no that u created into core/distribution for MAC based authentication purpose (we created VLAN write 900)

6. Now come to "User Setup".

7. Add the MAC address of wireless nic card of one of the laptop/desktop.

8. Click on edit.

9. In real name write the mac address of the wireless nic card of the end user in small letter without any space.

10. In Password Authentication select "ACS Internal Database " from the drill down menu.

11. In password & confirm password value write the mac address of that very registered user that we did in step 7.

12. Select the Group (that we created into step 2) MAC from the drill down menu in "Group to which the user is assigned"

13. Repect step 3,4 & 5 again in "IETF RADIU ATTRIBUTES"

14. In "network configuration" add ACS in AAA server setup & the corresponding AP in AAA client.

15. In AAA server setup provide IP of ACS, give the key, in AAA server type select "CiscoSecure ACS" from the drill down menu.

16. In AAA client setup add the IP of the AP,shared secret (must be same in ACS & AP). I "Authentication Using" option select "Radius-Cisco Aironet" from the drill down option.

17. From "system configuration" go to logging option & enable the reuired log settings so that passed/failed logs u can get.

18. Now go to AP.

19. In Server Manager from "Security" option.

20. Add the ACS server IP & give the shard secret key (it must be same in AP & ACS). Leave authentication & authorization port field default. Apply. Now go down & select the ACS server IP from MAC authentication option.

21. Clink on "Global Properties". Select "Unformatted" from "RADIUS calling/called station id format.

22. Go to "Local Radius Server". Click on "General Setup" click on :MAC" & apply.

23. Now go to "Services" & select "VLAN"

24. Crete the vlan 900 that we created for mac based authentication purpose.

25. Now go to "SSID MANAGER". Click on new & write the desired SSID name. From VLAn field drill down to select the "VLAN 900"

26. Under "Client Authentication Setting" select "With MAC authentication" from open authentication field. Under mac authentication server select the ACS IP from drill down option.

27. Make sure the switch port that is connected with AP is in trunk mode. do the following

" switchport trunk en dot1q"

" switchport truen native vlan 901"--AP ip will be from any ip of the native vlan that is created in core/distribution.

"switchport mode trunk "

27. Make sure from the end switch with whom the AP is connected, the native & MAC vlan ip is pinging.

U r done!!!!

Plz rate if possible!!!!

I am working on a similiar setup but cannot get this to work as you stated. Within my ACS failed authentication log I get ACS password invalid when attempting to authenticate via MAC. I do have the mac entered as the user and the password the same as the user. Any ideas?

I'm doing this now for approx 300 mac addys in my MAB table. However i'm not using the username functions. The Network access profile has worked since day one. There were some caveats from the switch side, using voip phones, and a variety of weird issues w/ cisco ATA's and AP's not working w/ dot1x and cdp. Also saw HP printers throwing out some strange mac addresses which caused failures via dot1x's built in single host features. What we ended up doing was to return to the old method of guest access w/ the command "dot1x guest-vlan supplicant" this seemed to help along with the newer code versions. As far as the Network access profile, its quite simple create one. under the authentication tab place your mac address in, be careful here we had a few issues with following specific naming conventions,, we stuck with upper case 00:00:AA:BB:CC:00 type format. And make sure you assign the NAP to drop authenticated macs into the proper NDG. Update if your still having issues. Pretty happy with the overall setup 2000+ eap clients and 300+ MAB over 40+ 4500's.


It can be made to work either way. MAC-Auth-Bypass as described in switch documentation explains the use of using MAC as username/password. This should work much the same way WLAN APs have been doing this for years, and as discussed in this thread.

Alternatively, you could configure a NAP to have ACS not authenticate the request at all, but choose to authorize the session solely based on the Calling-Station-ID (RADIUS Attribute [31]) which is also the MAC Address of the end station. This would be a form of MAC filtering that would technically be possible via any RADIUS transaction if it was configured to do so.

Hope this helps,

Does the MAC-Auth-Bypass described in the switch documentation apply when working with an AP? We currently use mac-address checking within the AP but I'm wanting to move that to and ACS server so it is easier to manange when I add additional laptops for access as well as when we add additional APs.

Thanks for the information on MAC-Auth-Bypass.

Yes, it's effectively the same. Consult the product documentation for this on APs and the mechanism is the same, but for example on an AP you could fail a MAC-Authentication and still get online with 802.1X, whereas on a single switchport, MAC-auth only attempts after 802.1X times out on the port.

Just a caution, had some issues w/ the A.P's and MAC bypass. CDP running on the A.P's seemed to interfere. Same thing happened w/ ATA's.


I am trying configure MAC authenitication bypass, snd it is working

but i want to start the MAC authentication without the 802.1x trails

how can I do this ? Is there is any command that enable MAC authentication without the 802.1x ?

My configuration :

interface GigabitEthernet0/48

switchport mode access

dot1x mac-auth-bypass

dot1x pae authenticator

dot1x port-control auto

dot1x timeout quiet-period 2

dot1x timeout reauth-period 240

dot1x timeout tx-period 2

dot1x max-reauth-req 1

dot1x reauthentication

spanning-tree portfast



Today, MAC-Auth is only avail as a timeout to 1X in support of a supplemental auth method.

Thanks for your reply

The MAC authentication is working fine

What if the Raduis Server is down ?

I want to configure if the Raduis is down/don't reply , the PC get assigned to default VLAN ( VLAN 1 ) and can access the network

How can I configure this issue ?

My existing configuration :-

aaa new-model

aaa authentication dot1x default group radius

aaa authorization network default group radius


aaa session-id common

interface GigabitEthernet0/48

interface GigabitEthernet0/48

switchport mode access

dot1x mac-auth-bypass

dot1x pae authenticator

dot1x port-control auto

dot1x timeout quiet-period 2

dot1x timeout tx-period 1

dot1x max-reauth-req 1

dot1x reauthentication

spanning-tree portfast



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: