Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 38 Configuring AAA Rules for Network Access
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
The ASA can exempt from authentication and authorization any traffic from specific MAC addresses.
For example, if the ASA authenticates TCP traffic originating on a particular network, but you want to
allow unauthenticated TCP connections from a specific server, you would use a MAC exempt rule to
exempt from authentication and authorization any traffic from the server specified by the rule.
This feature is particularly useful to exempt devices such as IP phones that cannot respond to
authentication prompts.
To use MAC addresses to exempt traffic from authentication and authorization, perform the following
steps:
Step 1 Command: mac-list id {deny | permit} mac macmask

Example:
hostname(config)# mac-list abc permit 00a0.c95d.0282 ffff.ffff.ffff

Purpose: Configures a MAC list.

The id argument is the hexadecimal number that you assign to the MAC list. To group a set of MAC addresses, enter the mac-list command as many times as needed with the same ID value. Because you can only use one MAC list for AAA exemption, be sure that your MAC list includes all the MAC addresses that you want to exempt. You can create multiple MAC lists, but you can only use one at a time.

The order of entries matters, because the packet uses the first entry it matches, instead of a best-match scenario. If you have a permit entry, and you want to deny an address that is allowed by the permit entry, be sure to enter the deny entry before the permit entry.

The mac argument specifies the source MAC address in 12-digit hexadecimal form; that is, nnnn.nnnn.nnnn.

The macmask argument specifies the portion of the MAC address that should be used for matching. For example, ffff.ffff.ffff matches the MAC address exactly; ffff.ffff.0000 matches only the first 8 digits.
Step 2 Command: aaa mac-exempt match id

Example:
hostname(config)# aaa mac-exempt match abc

Purpose: Exempts traffic for the MAC addresses specified in a particular MAC list.

The id argument is the string identifying the MAC list that includes the MAC addresses whose traffic is to be exempt from authentication and authorization. It must be the same ID you used in the mac-list command in Step 1 (abc in the examples above). You can only enter one instance of the aaa mac-exempt match command.
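The two-step procedure above, including the first-match ordering rule and the macmask semantics, as an added Python example that is not part of the Cisco guide and does not run on an ASA: it parses a constructed mac-list / aaa mac-exempt match fragment and reports which source MAC addresses the list would exempt, so the list can be checked before it is applied. The configuration lines, the list ID abc, the test MACs, and the helper names (parse_config, evaluate, is_exempt, shadowed_entries) are all assumptions for illustration. It treats a deny match and no match the same way (the traffic stays subject to authentication and authorization), which is what the guide's note about placing deny entries before permit entries implies.

```python
import re

# Constructed ASA configuration fragment (illustration only, not from the guide).
# Deny one exact MAC first, then permit the whole 00a0.c95d.* block, then one more host.
CONFIG = """\
mac-list abc deny 00a0.c95d.0282 ffff.ffff.ffff
mac-list abc permit 00a0.c95d.0000 ffff.ffff.0000
mac-list abc permit 0004.f2bb.1234 ffff.ffff.ffff
aaa mac-exempt match abc
"""

# Same entries with the permit block placed before the deny: the deny can never match.
REVERSED_CONFIG = """\
mac-list abc permit 00a0.c95d.0000 ffff.ffff.0000
mac-list abc deny 00a0.c95d.0282 ffff.ffff.ffff
mac-list abc permit 0004.f2bb.1234 ffff.ffff.ffff
aaa mac-exempt match abc
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def mac_to_int(mac):
    """Convert nnnn.nnnn.nnnn (12 hex digits) to a 48-bit integer."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"expected nnnn.nnnn.nnnn hex form, got {mac!r}")
    return int(mac.replace(".", ""), 16)


def parse_config(text):
    """Return ({list_id: [(action, mac, mask), ...]}, exempt_list_id).

    Entry order is preserved because the ASA uses first match, not best match.
    """
    lists = {}
    exempt = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "mac-list" and len(parts) == 5:
            _, list_id, action, mac, mask = parts
            if action not in ("permit", "deny"):
                raise ValueError(f"bad action {action!r} in: {line}")
            lists.setdefault(list_id, []).append((action, mac_to_int(mac), mac_to_int(mask)))
        elif parts[:3] == ["aaa", "mac-exempt", "match"] and len(parts) == 4:
            if exempt is not None:
                raise ValueError("only one aaa mac-exempt match command is allowed")
            exempt = parts[3]
    if exempt is not None and exempt not in lists:
        raise ValueError(f"aaa mac-exempt match references unknown list {exempt!r}")
    return lists, exempt


def evaluate(entries, mac):
    """First-match lookup: 'permit', 'deny', or None when no entry matches."""
    m = mac_to_int(mac)
    for action, entry_mac, mask in entries:
        # macmask selects the bits that must be equal; ffff.ffff.0000 compares the first 8 digits.
        if (m & mask) == (entry_mac & mask):
            return action
    return None


def is_exempt(config_text, mac):
    """True only when the exempt list's first matching entry is a permit.

    Assumption: a deny match and no match both leave traffic subject to AAA.
    """
    lists, exempt = parse_config(config_text)
    if exempt is None:
        return False
    return evaluate(lists[exempt], mac) == "permit"


def shadowed_entries(entries):
    """Indices of entries that can never match because an earlier entry covers them.

    Entry j is shadowed by an earlier entry i when every bit i compares is also
    compared by j, and the two entries agree on those bits.
    """
    shadowed = []
    for j, (_, mac_j, mask_j) in enumerate(entries):
        for _, mac_i, mask_i in entries[:j]:
            if (mask_i & mask_j) == mask_i and (mac_j & mask_i) == (mac_i & mask_i):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    for name, cfg in (("CONFIG", CONFIG), ("REVERSED_CONFIG", REVERSED_CONFIG)):
        lists, exempt = parse_config(cfg)
        print(name, "exempt list:", exempt, "shadowed entries:", shadowed_entries(lists[exempt]))
        for mac in ("00a0.c95d.0282", "00a0.c95d.0001", "0004.f2bb.1234", "0004.f2bb.1235"):
            print(f"  {mac}: {'exempt' if is_exempt(cfg, mac) else 'subject to AAA'}")
```

Running the script shows the difference the guide warns about: with the deny entry first, 00a0.c95d.0282 stays subject to AAA while the rest of the 00a0.c95d block is exempt; with the order reversed, the wildcard permit matches first, the deny is reported as shadowed, and that host is exempted too. Since a MAC address is trivially spoofed by anything on the same segment, keep the permitted block as narrow as the devices actually need.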