I want to present a quite interesting scenario that you might find helpful sometime.
What if we want to use 802.1x authentication with a RADIUS server to authenticate several users on the same interface?
Oh, yes. This is not that hard, because we can configure 802.1x based on MAC address and authenticate all users of the interface.
But what if we want to authenticate just some users of the interface and let the others access our network without any restrictions, because they are our really good friends? How can we do this on our switches?
To explain the proposed solution I will refer to the picture below:
As you can see, the computer and the phone are both connected to the same interface, so what can we do?
First we have to configure the interface as hybrid to allow both tagged and untagged packets. We also have to enable the voice VLAN function on the interface and to configure the VLAN in question.
After this we remember that the device can manage users through domains. In this case we can configure two domains: one for users that need RADIUS authentication, which we will name radius4you, and one for users that do not need authentication, which we will call noauth4phone.
To do this, in the AAA view we create the two domains just mentioned, bind a RADIUS authentication scheme to radius4you, and bind a no-authentication scheme to the lucky noauth4phone.
After we configure the interface, create the domains and the RADIUS server template (see the HedEx documentation), we enable and configure dot1x authentication in the system view and in the interface view.
As a result, the switch authenticates the computer against the RADIUS server according to the radius4you domain.
Since we do not want to authenticate the phone, we trick the switch with the dot1x mac-bypass command. With this command, when the switch tries to authenticate the phone and 802.1x authentication fails, the switch falls back to MAC address authentication for the phone. Because we created a MAC authentication domain that requires no authentication, once 802.1x fails, the devices whose MAC address matches the entry in the mac-authen domain are let through without being authenticated at all.
The configuration example (system view):
voice-vlan mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff description phone //Specifies the OUI address of voice packets that can be transmitted in the voice VLAN
dot1x enable //enables dot1x in system view
dot1x timer reauthenticate-period 100 //sets the re-authentication interval for 802.1x authentication
mac-authen enable // enables MAC address authentication
mac-authen domain noauth4phone mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff //configures an authentication domain for MAC address authentication users
accounting start-fail online // keeps users online even if the accounting-start request fails
domain noauth4phone // creates the noauth4phone domain in aaa view
authentication-scheme noauth // applies the noauth authentication-scheme to the noauth4phone domain
In the interface view:
voice-vlan 184 enable // configures and enables the 184 voice vlan
voice-vlan mode manual
voice-vlan legacy enable //enables CDP-compatible Voice VLAN function
port hybrid pvid vlan 183 // untagged frames received on the port are placed in VLAN 183
port hybrid tagged vlan 184 // voice VLAN 184 leaves the port tagged
port hybrid untagged vlan 183 // data VLAN 183 leaves the port untagged
bpdu bridge enable
dot1x mac-bypass //Once 802.1x authentication fails, the device uses the MAC address for authentication
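Because the noauth4phone domain waves devices through with no authentication at all, it is worth checking that the bypass is as narrow as intended. The following audit script is an added example (not part of the original post or of any Huawei tool): it parses a constructed config in the same syntax as above and flags a missing dot1x mac-bypass, a mac-authen domain whose mask admits more than one address, and a bypass entry that does not match any voice-vlan OUI entry. The interface name is an assumption.

```python
import re

# Constructed sample config mirroring the post's example (not real switch output).
SAMPLE_CONFIG = """\
voice-vlan mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff description phone
dot1x enable
mac-authen enable
mac-authen domain noauth4phone mac-address 04c5-a44c-98b1 mask ffff-ffff-ffff
interface GigabitEthernet0/0/1
 voice-vlan 184 enable
 port hybrid pvid vlan 183
 port hybrid tagged vlan 184
 port hybrid untagged vlan 183
 dot1x mac-bypass
"""

MAC = r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
VOICE_OUI_RE = re.compile(rf"^voice-vlan mac-address {MAC} mask {MAC}")
MACAUTH_DOMAIN_RE = re.compile(rf"^mac-authen domain (\S+) mac-address {MAC} mask {MAC}")

def mac_to_int(mac):
    return int(mac.replace("-", ""), 16)

def audit_mac_bypass(config):
    """Return findings for the phone-bypass setup; an empty list means all checks passed."""
    findings, voice_ouis, bypass_domains, has_bypass = [], [], [], False
    for raw in config.splitlines():
        line = raw.strip()
        if m := VOICE_OUI_RE.match(line):
            voice_ouis.append((mac_to_int(m.group(1)), mac_to_int(m.group(2))))
        elif m := MACAUTH_DOMAIN_RE.match(line):
            bypass_domains.append((m.group(1), mac_to_int(m.group(2)), mac_to_int(m.group(3))))
        elif line == "dot1x mac-bypass":
            has_bypass = True
    if not has_bypass:
        findings.append("dot1x mac-bypass missing: the phone only gets the 802.1x failure path")
    for name, mac, mask in bypass_domains:
        # A full mask admits exactly one device; a shorter mask opens the domain to a whole range.
        admitted = 2 ** bin(mask ^ 0xFFFFFFFFFFFF).count("1")
        if admitted > 1:
            findings.append(f"domain {name}: mask admits {admitted} addresses with no authentication")
        # The bypass entry should match a voice-VLAN OUI, otherwise a non-phone is being let through.
        if not any(mac & vmask == vmac & vmask for vmac, vmask in voice_ouis):
            findings.append(f"domain {name}: {mac:012x} is not covered by any voice-vlan OUI entry")
    return findings
```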
I hope this example is helpful if you need to configure this scenario in the future. Thank you.