
What's This For?

MAC Authentication Bypass (MAB) lets you authorize devices that can't do 802.1X - printers, IP phones, IoT sensors, and other network devices. The switch sends the device's MAC address as the RADIUS username (and, on most platforms, as the password); Warden matches it against your configured lists and can assign VLANs, ACLs, and other attributes based on the match.

Keep in mind what MAB proves: only that a frame arrived with a given source MAC. MAC addresses are printed on device labels, visible to anyone on the segment, and trivial to clone, so an attacker who unplugs a printer can inherit its access. Treat MAB as identification rather than authentication: give MAB-authorized devices a restricted VLAN and ACLs, not the access an 802.1X-authenticated user gets.

802.1X + MAB: Most switches support trying 802.1X first, then falling back to MAB if the device doesn't respond to EAP. This keeps strong authentication for devices that support it while still admitting the devices that don't.

Setting Up MAC Address Lists

Step 1: Create a MAC Address List

  1. Go to My Providers
  2. Click Add Provider
  3. Select MAC Address List as the type
  4. Choose Allow or Deny mode:
    • Allow list: Only listed MACs authenticate successfully (default-deny; the normal choice for MAB)
    • Deny list: All MACs authenticate except those listed, so every unknown device is admitted; use it only for a deliberately open segment or behind another check

Step 2: Add MAC Addresses

For each device, you can specify:

  MAC Address
    The device's MAC address in any common format:
    00:11:22:33:44:55 - Colon-separated
    00-11-22-33-44-55 - Dash-separated
    0011.2233.4455 - Cisco dot notation
    001122334455 - No separators
  Name
    Friendly name for the device, e.g. Conference Room Phone
  VLAN
    VLAN ID for dynamic VLAN assignment, e.g. 150 for the voice VLAN
  Group
    Group name for ACL or filter assignment, e.g. phones or printers

Wildcard & OUI Matching

Instead of adding every device individually, you can use wildcards to match multiple devices by their manufacturer (OUI prefix).

Wildcard Matching

Use X to match any hex digit:

0004F2XXXXXX    # Matches any Polycom phone
00:1A:2B:XX:XX:XX    # Matches any device with OUI 00:1A:2B

OUI Prefix Matching

Enter at least the first 6 hex characters (the OUI) and fewer than 12, with no wildcards, to match every device whose address starts with that prefix:

0004F2    # Matches all Polycom devices (00:04:F2:*:*:*)
001122    # Matches all devices starting with 00:11:22
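As an added example (not Warden's code), here is the matching behaviour described above in Python: normalization of the four address formats, exact, wildcard and OUI-prefix matching that reports how the match was made, and allow/deny list semantics. The entry fields, the rule that a wildcard pattern must cover all 12 positions, and the most-specific-match-wins ordering are assumptions taken from this page; the sample entries are constructed.

```python
"""MAC list matching as described above: normalize any common MAC format,
then match entries exactly, by X wildcard, or by OUI prefix, in allow or
deny mode. Added example (not Warden's code); the matching semantics and
the sample entries below are assumptions taken from the documentation."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class MacEntry:
    pattern: str               # 12-hex MAC, 12-char X-wildcard pattern, or 6..11-hex OUI prefix
    name: str = ""
    vlan: Optional[int] = None
    group: str = ""


def normalize(raw: str) -> str:
    """Drop : - . and whitespace and lowercase, so 00:11:22:33:44:55,
    00-11-22-33-44-55, 0011.2233.4455 and 001122334455 all become the
    same 12 characters. Wildcard X/x survives as 'x'."""
    s = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-fx]+", s):
        raise ValueError(f"not a MAC or OUI pattern: {raw!r}")
    return s


def match_type(pattern: str, mac: str) -> Optional[str]:
    """'exact', 'wildcard' or 'prefix' when pattern matches mac, else None."""
    p, m = normalize(pattern), normalize(mac)
    if len(m) != 12 or "x" in m:
        raise ValueError(f"device MAC must be 12 hex digits: {mac!r}")
    if "x" in p:                       # wildcard: must cover all 12 positions
        if len(p) != 12:
            return None
        return "wildcard" if all(pc in ("x", mc) for pc, mc in zip(p, m)) else None
    if len(p) == 12:
        return "exact" if p == m else None
    if 6 <= len(p) < 12:               # OUI prefix: at least the 6-char OUI
        return "prefix" if m.startswith(p) else None
    return None


def lookup(entries: List[MacEntry], mac: str, mode: str = "allow") -> Tuple[bool, Optional[MacEntry], Optional[str]]:
    """Allow mode: succeed only if an entry matches. Deny mode: succeed
    only if no entry matches. The most specific match wins
    (exact > wildcard > prefix). Returns (accepted, entry, match_type)."""
    if mode not in ("allow", "deny"):
        raise ValueError(f"unknown mode {mode!r}")
    rank = {"exact": 0, "wildcard": 1, "prefix": 2}
    best: Optional[Tuple[MacEntry, str]] = None
    for e in entries:
        t = match_type(e.pattern, mac)
        if t is not None and (best is None or rank[t] < rank[best[1]]):
            best = (e, t)
    matched = best is not None
    accepted = matched if mode == "allow" else not matched
    return accepted, (best[0] if best else None), (best[1] if best else None)


# Constructed sample list (not real devices)
ENTRIES = [
    MacEntry("00:11:22:33:44:55", "Conference Room Phone", vlan=150, group="phones"),
    MacEntry("00:04:F2:00:00:01", "Lobby phone on its own VLAN", vlan=151, group="phones"),
    MacEntry("0004F2XXXXXX", "Any Polycom phone", vlan=150, group="phones"),
    MacEntry("B4B52F", "HP printers (OUI prefix)", vlan=200, group="printers"),
]

if __name__ == "__main__":
    for mac in ("0011.2233.4455", "00-04-F2-00-00-01", "00:04:f2:aa:bb:cc",
                "b4b52f010203", "aa:bb:cc:dd:ee:ff"):
        ok, entry, how = lookup(ENTRIES, mac)
        print(f"{mac:20} accept={ok!s:5} via={how} vlan={entry.vlan if entry else None}")
```

The lobby phone shows why specificity matters: it is covered by the Polycom wildcard too, but the exact entry wins, so it lands in VLAN 151 rather than 150. In deny mode the same list flips: the Polycom wildcard becomes a block on every Polycom device and anything else is admitted.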

OUI Lookup Tool

The OUI lookup database requires an active license. Once enabled, enter a MAC address or OUI (at least 6 hex characters) to find the manufacturer.

Common OUI Prefixes

OUI      Vendor            Common Devices
0004F2   Polycom           VoIP phones, video conferencing
001B4F   Avaya             IP phones, conferencing
00E0BB   Cisco/Meraki      VoIP phones
001E4A   Cisco/Tandberg    Video endpoints
00195B   D-Link            Network cameras, IoT
0017C5   SonicWALL         Network appliances
B4B52F   Hewlett Packard   Printers
3C2C30   HP Inc            Printers
00183E   Dell              iDRAC, servers
001438   Hewlett Packard   iLO, servers

Vendors own many OUI blocks, a single block can cover unrelated product lines, and blocks change hands when companies are acquired. Check a prefix against the IEEE registry (or the OUI Lookup Tool above) before relying on it, and remember that a prefix entry admits anyone who sets a matching MAC.

Dynamic VLAN Assignment

Warden can tell your switch which VLAN to put the device on based on the MAC entry's VLAN field. This is perfect for segmenting phones, printers, and IoT devices.

Setting Up Dynamic VLAN

  1. In your MAC Address List, set the VLAN field for each entry
  2. Go to Policies and edit your policy
  3. Under Response Attributes, click Templates
  4. Select MAC Auth / 802.1X category
  5. Add MAB - VLAN from IDP template

This adds the three RFC 2868 tunnel attributes that a switch requires together for VLAN assignment (the RFC 3580 profile); any one of them on its own is ignored:

Tunnel-Type = VLAN (13)
Tunnel-Medium-Type = IEEE-802 (6)
Tunnel-Private-Group-Id = @any.vlan

Tunnel-Private-Group-Id is carried as a string. Switches accept the VLAN ID, and most also accept the VLAN name as configured on the switch.

VLAN must exist: The VLAN ID returned by Warden must be configured on your switch. If the VLAN doesn't exist, the switch cannot honour the Access-Accept and the port typically remains unauthorized rather than falling into its static access VLAN.
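To make the attribute requirement concrete, here is an added example (not Warden's code) that encodes the three tunnel attributes as raw RADIUS AVPs exactly as they travel in an Access-Accept, then models the switch-side checks: all three present, the right Tunnel-Type and Tunnel-Medium-Type values, and a group ID naming a VLAN that exists on the switch. The fallback VLAN (the `@any.vlan ?? 999` expression described later on this page), the switch VLAN table and the switch-side behaviour are assumptions drawn from the text.

```python
"""The three RFC 2868 tunnel attributes behind the 'MAB - VLAN from IDP'
template, encoded as raw RADIUS AVPs, plus a model of how the switch
checks them before authorizing the port. Added example, not Warden's code;
the fallback-VLAN handling, the switch VLAN table and the switch-side
behaviour are assumptions drawn from the documentation."""
import struct
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type "IEEE-802" (RFC 2868)
NAMES = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
         TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID"}


def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type (1 octet), Length incl. header (1 octet), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(entry_vlan: Optional[int], fallback: int = 999, tag: int = 0) -> bytes:
    """Build what the template adds to the Access-Accept. An entry without a
    VLAN gets `fallback`, mirroring `@any.vlan ?? 999` (assumed semantics)."""
    vid = entry_vlan if entry_vlan is not None else fallback
    if not 1 <= vid <= 4094:
        raise ValueError(f"VLAN ID out of range: {vid}")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    # Tunnel-Type and Tunnel-Medium-Type: 1-octet Tag + 3-octet integer
    tt = avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
    tm = avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
    # Tunnel-Private-Group-ID: 1-octet Tag + string holding the VLAN ID
    tp = avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vid).encode("ascii"))
    return tt + tm + tp


def parse_avps(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of AVPs into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {t}")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def untag(value: bytes) -> bytes:
    """RFC 2868: a first octet <= 0x1F is a Tag, anything larger is data."""
    return value[1:] if value and value[0] <= 0x1F else value


def switch_vlan_decision(accept_avps: bytes, switch_vlans: Dict[int, str]) -> Tuple[bool, str]:
    """Model the switch: all three attributes must be present with VLAN /
    IEEE-802 values, and the group ID must name a VLAN that exists on the
    switch (by ID or by name); otherwise the port stays unauthorized."""
    attrs = dict(parse_avps(accept_avps))
    for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if t not in attrs:
            return False, f"missing {NAMES[t]}"
    if int.from_bytes(untag(attrs[TUNNEL_TYPE]), "big") != TUNNEL_TYPE_VLAN:
        return False, "Tunnel-Type is not VLAN (13)"
    if int.from_bytes(untag(attrs[TUNNEL_MEDIUM_TYPE]), "big") != TUNNEL_MEDIUM_IEEE_802:
        return False, "Tunnel-Medium-Type is not IEEE-802 (6)"
    group = untag(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode("ascii", "replace")
    if group.isdigit() and int(group) in switch_vlans:
        return True, f"VLAN {int(group)}"
    for vid, name in switch_vlans.items():
        if name == group:
            return True, f"VLAN {vid}"
    return False, f"VLAN {group!r} not configured on switch; port stays unauthorized"


# Constructed switch VLAN table, matching the Juniper example further down
SWITCH_VLANS = {100: "EMPLOYEES", 150: "PHONES", 200: "PRINTERS"}

if __name__ == "__main__":
    for entry_vlan in (150, None):
        print(entry_vlan, switch_vlan_decision(vlan_attributes(entry_vlan), SWITCH_VLANS))
```

The `None` case is the one to watch: an entry with no VLAN set falls back to 999, and unless VLAN 999 exists on the switch the port stays unauthorized, which is exactly the "VLAN must exist" failure described above. Pick a fallback that is a real, restricted VLAN on every switch rather than an arbitrary number.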

Switch Configuration Examples

Juniper EX Series

Configure 802.1X with MAC RADIUS fallback. The profile's authentication-order tries dot1x first and falls back to mac-radius when the supplicant does not answer EAP. Do not add restrict under mac-radius on such ports: restrict turns off 802.1X on the interface and makes it MAC RADIUS only.

Juniper EX (ELS), stanza display:

access {
    radius-server {
        10.1.1.100 {
            port 1812;
            secret "YourSharedSecret";
            source-address 10.1.1.1;
        }
    }
    profile WARDEN-AUTH {
        authentication-order [ dot1x mac-radius ];
        radius {
            authentication-server 10.1.1.100;
            accounting-server 10.1.1.100;
        }
    }
}

protocols {
    dot1x {
        authenticator {
            authentication-profile-name WARDEN-AUTH;
            interface {
                all;
                ge-0/0/1 {
                    supplicant multiple;
                    mac-radius;
                }
            }
        }
    }
}

vlans {
    EMPLOYEES {
        vlan-id 100;
    }
    PHONES {
        vlan-id 150;
    }
    PRINTERS {
        vlan-id 200;
    }
}

The same configuration as set commands:

set access radius-server 10.1.1.100 port 1812
set access radius-server 10.1.1.100 secret "YourSharedSecret"
set access radius-server 10.1.1.100 source-address 10.1.1.1
set access profile WARDEN-AUTH authentication-order dot1x
set access profile WARDEN-AUTH authentication-order mac-radius
set access profile WARDEN-AUTH radius authentication-server 10.1.1.100
set access profile WARDEN-AUTH radius accounting-server 10.1.1.100
set protocols dot1x authenticator authentication-profile-name WARDEN-AUTH
set protocols dot1x authenticator interface all
set protocols dot1x authenticator interface ge-0/0/1 supplicant multiple
set protocols dot1x authenticator interface ge-0/0/1 mac-radius
set vlans EMPLOYEES vlan-id 100
set vlans PHONES vlan-id 150
set vlans PRINTERS vlan-id 200
Cisco Catalyst

! Configure RADIUS server
radius server WARDEN
  address ipv4 10.1.1.100 auth-port 1812 acct-port 1813
  key YourSharedSecret

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius

! Enable 802.1X globally
dot1x system-auth-control

! Configure interface: 802.1X first, MAB as fallback
interface GigabitEthernet1/0/1
  switchport mode access
  switchport access vlan 100
  authentication port-control auto
  authentication order dot1x mab
  authentication priority dot1x mab
  mab
  dot1x pae authenticator
  spanning-tree portfast
Aruba/HPE ProCurve

; Configure RADIUS server
radius-server host 10.1.1.100 key "YourSharedSecret"

; Enable 802.1X globally
aaa port-access authenticator active

; Configure port 1: 802.1X first, then MAC-based
aaa port-access authenticator 1
aaa port-access mac-based 1
aaa port-access 1 auth-order authenticator mac-based
Aruba CX (AOS-CX)

! Configure RADIUS server and the server group the methods reference
radius-server host 10.1.1.100 key plaintext "YourSharedSecret"
aaa group server radius WARDEN
    server 10.1.1.100

! Configure AAA: 802.1X and MAC auth against the WARDEN group
aaa authentication port-access dot1x authenticator
    radius server-group WARDEN
    enable
aaa authentication port-access mac-auth
    radius server-group WARDEN
    enable

! Configure interface: enable both methods, 802.1X before MAC auth
interface 1/1/1
    aaa authentication port-access dot1x authenticator
        enable
    aaa authentication port-access mac-auth
        enable
    aaa authentication port-access auth-precedence dot1x mac-auth
    aaa authentication port-access auth-priority dot1x mac-auth
Extreme Networks (EXOS)

# Configure RADIUS server for network login
configure radius netlogin primary server 10.1.1.100 1812 client-ip 10.1.1.1
configure radius netlogin primary shared-secret YourSharedSecret
enable radius netlogin

# Enable netlogin (802.1X and MAC-based)
enable netlogin dot1x
enable netlogin mac

# Configure port: enable both methods and try 802.1X before MAC
enable netlogin ports 1 dot1x mac
configure netlogin ports 1 mode port-based-vlans
configure netlogin authentication protocol-order dot1x mac
Ruckus ICX

! Configure RADIUS server
radius-server host 10.1.1.100 auth-port 1812 acct-port 1813 key YourSharedSecret

aaa authentication dot1x default radius
aaa authentication mac-auth default radius

! Configure interface
interface ethernet 1/1/1
  dot1x port-control auto
  mac-authentication enable
  authentication auth-order dot1x mac-auth

Authentication Order Options

Most switches let you configure the order of authentication methods (the keyword for MAC auth varies by vendor: Juniper uses mac-radius, Cisco uses mab, Aruba uses mac-based or mac-auth):

Setting            Behavior
dot1x              802.1X only - fails if device doesn't support EAP
mac-radius         MAC Auth only - authenticates using MAC as username/password
dot1x mac-radius   Try 802.1X first, fall back to MAC if no EAP response
mac-radius dot1x   Try MAC first, then 802.1X if MAC auth fails

Recommended: Use dot1x mac-radius for most deployments. This ensures computers and phones use 802.1X when possible, while printers and IoT devices fall back to MAC auth. Two caveats: a non-802.1X device only falls back after the switch's EAP-Request retries time out, which with default timers can take tens of seconds and outlast the device's DHCP attempts, so shorten the EAP transmit period or retry count on ports where MAB-only devices are expected. And avoid mac-radius dot1x with a deny-mode list: MAC auth runs first and admits every unlisted address, so 802.1X is never reached.

Using Expression Variables

In policy response attributes, use these expressions to reference MAC entry data:

Expression        Description
@any.vlan         VLAN from matched MAC entry
@any.group        Group from matched MAC entry
@any.name         Name from matched MAC entry
@any.description  Description from matched MAC entry
@any.match_type   How the match was made: exact, wildcard, or prefix

You can combine with fallbacks:

@any.vlan ?? 999           # Use entry VLAN, or 999 if not set
@any.group ?? "default"    # Use entry group, or "default" if not set

Troubleshooting

Device Not Authenticating

  • Check RADIUS connectivity: Can the switch reach Warden on UDP 1812 (and UDP 1813 for accounting) from the source address it uses for RADIUS? Check that Warden has that source address registered as a client.
  • Verify shared secret: Must match exactly (case-sensitive)
  • Check NAC Tracer: Watch live authentication attempts in the Warden UI
  • Review MAC format: Warden normalizes all formats, but double-check the entry

VLAN Not Applied

  • VLAN must exist: Create the VLAN on your switch first
  • Check all three Tunnel attributes: You need Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-Id
  • Not a trunk port: Dynamic VLAN doesn't work on trunk ports

Wildcard Not Matching

  • Use lowercase or uppercase X: Both work, but be consistent
  • Check length: Wildcards need the right number of characters (12 for full MAC)
  • OUI prefix: For prefix matching, use at least 6 hex characters (and fewer than 12) with no wildcards