Cisco ASA 5505 User Manual


38-20

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 38 Configuring AAA Rules for Network Access

Using MAC Addresses to Exempt Traffic from Authentication and Authorization

Using MAC Addresses to Exempt Traffic from Authentication and Authorization

The ASA can exempt from authentication and authorization any traffic from specific MAC addresses.
For example, if the ASA authenticates TCP traffic originating on a particular network, but you want to
allow unauthenticated TCP connections from a specific server, you would use a MAC exempt rule to
exempt from authentication and authorization any traffic from the server specified by the rule.

This feature is particularly useful to exempt devices such as IP phones that cannot respond to
authentication prompts.

To use MAC addresses to exempt traffic from authentication and authorization, perform the following steps:

Step 1

Command:

mac-list id {deny | permit} mac macmask

Example:

hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff

Purpose:

Configures a MAC list.

The id argument is the hexadecimal number that you assign to the MAC list. To group a set of MAC addresses, enter the mac-list command as many times as needed with the same ID value. Because you can only use one MAC list for AAA exemption, be sure that your MAC list includes all the MAC addresses that you want to exempt. You can create multiple MAC lists, but you can only use one at a time.

The order of entries matters, because a packet is handled according to the first entry it matches, not the best match. If you have a permit entry, and you want to deny an address that is allowed by the permit entry, be sure to enter the deny entry before the permit entry.

The mac argument specifies the source MAC address in 12-digit hexadecimal form; that is, nnnn.nnnn.nnnn.

The macmask argument specifies the portion of the MAC address that should be used for matching. For example, ffff.ffff.ffff matches the MAC address exactly. ffff.ffff.0000 matches only the first 8 digits.

Step 2

Command:

aaa mac-exempt match id

Example:

hostname(config)# aaa mac-exempt match 1

Purpose:

Exempts traffic for the MAC addresses specified in a particular MAC list.

The id argument is the string identifying the MAC list that includes the MAC addresses whose traffic is to be exempt from authentication and authorization.

You can only enter one instance of the aaa mac-exempt match command.
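The following is an added example, not part of the Cisco guide and not Cisco code. It models the two behaviours the procedure above describes, first-match evaluation of mac-list entries and prefix matching through macmask, so that an administrator can check a planned MAC list before committing it. The mac-list lines below are constructed for illustration; the list id "phones" and the function names are the example's own.

```python
"""Model of ASA mac-list evaluation (added example, not Cisco code).

Assumptions: entries of a mac-list are walked in configured order, the first
entry whose (mac & mask) equals (candidate & mask) decides the result, and a
candidate that matches no entry is not exempt.  The configuration below is
constructed for illustration.
"""
import re
from dataclasses import dataclass

# 12 hexadecimal digits in the nnnn.nnnn.nnnn form the mac-list command accepts.
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


def mac_to_int(mac: str) -> int:
    """Convert nnnn.nnnn.nnnn to an integer; reject anything else."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a 12-digit dotted-hex MAC: {mac!r}")
    return int(mac.replace(".", ""), 16)


@dataclass(frozen=True)
class MacEntry:
    action: str  # "permit" or "deny"
    mac: int
    mask: int


def parse_mac_list(lines):
    """Parse 'mac-list <id> {deny|permit} <mac> <macmask>' lines.

    Returns {list_id: [MacEntry, ...]} with entries kept in configured order,
    since order decides which entry wins.
    """
    lists = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "mac-list" or parts[2] not in ("deny", "permit"):
            raise ValueError(f"unrecognised mac-list line: {line!r}")
        _, list_id, action, mac, mask = parts
        lists.setdefault(list_id, []).append(
            MacEntry(action, mac_to_int(mac), mac_to_int(mask))
        )
    return lists


def is_exempt(entries, candidate: str) -> bool:
    """First-match evaluation: exempt only if the first matching entry is a permit."""
    cand = mac_to_int(candidate)
    for e in entries:
        if (cand & e.mask) == (e.mac & e.mask):
            return e.action == "permit"
    return False  # no entry matched: traffic is not exempt


# Constructed list: permit a whole 8-digit prefix (e.g. a block of IP phones)
# but deny one address inside it.  The deny must precede the permit, as the
# guide says, or the broader permit would match first.
CONFIG = [
    "mac-list phones deny 00a0.c95d.0282 ffff.ffff.ffff",
    "mac-list phones permit 00a0.c95d.0000 ffff.ffff.0000",
]

# The same two entries in the wrong order, to show the effect of ordering.
CONFIG_WRONG_ORDER = [CONFIG[1], CONFIG[0]]


def demo():
    """Evaluate a few constructed source MACs against both orderings."""
    good = parse_mac_list(CONFIG)["phones"]
    bad = parse_mac_list(CONFIG_WRONG_ORDER)["phones"]
    return {
        "good_range": is_exempt(good, "00a0.c95d.1234"),   # in prefix, exempt
        "good_denied": is_exempt(good, "00a0.c95d.0282"),  # deny hit first
        "good_other": is_exempt(good, "0011.2233.4455"),   # no match
        "wrong_denied": is_exempt(bad, "00a0.c95d.0282"),  # permit hit first
    }


if __name__ == "__main__":
    for name, exempt in demo().items():
        print(f"{name}: {'exempt' if exempt else 'not exempt'}")
```

The "wrong_denied" case is the pitfall the guide warns about: with the permit entry first, the address meant to be denied is exempted because the prefix match wins. Note also that the exemption keys on the Layer 2 source address, which the ASA only sees for hosts on a directly attached segment; traffic arriving through a router carries the router's MAC.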
