Filter
Top Products
8-19
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 8 Configuring AAA Rules for Network Access
Using MAC Addresses to Exempt Traffic from Authentication and Authorization
of these users, you can enable AAA to allow only authenticated and/or authorized users to connect
through the ASA. (The Telnet server enforces authentication, too; the ASA prevents unauthorized users
from attempting to access the server.)
Using MAC Addresses to Exempt Traffic from Authentication
and Authorization
The ASA can exempt from authentication and authorization any traffic from specific MAC addresses.
For example, if the ASA authenticates TCP traffic originating on a particular network but you want to
allow unauthenticated TCP connections from a specific server, you would use a MAC exempt rule to
exempt from authentication and authorization any traffic from the server specified by the rule. This
feature is particularly useful to exempt devices such as IP phones that cannot respond to authentication
prompts.
The order of entries matters, because the packet uses the first entry it matches, instead of a best match
scenario. If you have a permit entry, and you want to deny an address that is allowed by the permit entry,
be sure to enter the deny entry before the permit entry.
To use MAC addresses to exempt traffic from authentication and authorization, perform the following
steps:
Step 1 In the Configuration > Firewall > AAA Rules pane, choose Add > Add MAC Exempt Rule.
The Add MAC Exempt Rule dialog box appears.
Step 2 In the Action drop-down list, click one of the following options, depending on the implementation:
• MAC Exempt
• No MAC Exempt
The MAC Exempt option allows traffic from the MAC address without having to authenticate or
authorize. The No MAC Exempt option specifies a MAC address that is not exempt from authentication
or authorization. You might need to add a deny entry if you permit a range of MAC addresses using a
MAC address mask such as ffff.ffff.0000, and you want to force a MAC address in that range to be
authenticated and authorized.
Step 3 In the MAC Address field, specify the source MAC address in 12-digit hexadecimal form; that is,
nnnn.nnnn.nnnn.
Step 4 In the MAC Mask field, specify the portion of the MAC address that should be used for matching. For
example, ffff.ffff.ffff matches the MAC address exactly. ffff.ffff.0000 matches only the first 8 digits.
Step 5 Click OK.
The Add MAC Exempt Rule dialog box closes and the rule appears in the AAA Rules table.
Step 6 Click Apply.
The changes are saved to the running configuration.