Using Port Security with Dot1x on Dell N3000


I have 3 Dell N3048Ps that are going to connect to printers and computers. The computers will be authenticated through dot1x, but the printers need to be authenticated by mac address.

Dot1x has been enabled, but it seems to take priority over port security, so when I force dot1x authentication it also forces port security to accept the mac address. If I don't force authentication, it still tries to verify the certificate before trying port security. Is there a way to change this without disabling dot1x globally?

I'm aware of MAB; however, I am trying to avoid adding MAC entries as users into the RADIUS server.

Here is an example of an interface configuration:

interface Gi1/0/1
switchport mode general
switchport port-security
switchport port-security dynamic 0
switchport port-security violation shutdown
switchport port-security mac-address FFFF.FFFF.FFFF vlan 1
exit

This configuration does not allow devices without the certificate to connect, while the interface with the "dot1x port-control force-authenticate" command allows the device regardless of the MAC address set in the interface configuration.

The force authenticate command also adds the device's MAC address to the table as a dynamic address, despite preventing the port from dynamically learning the addresses.

Any advice?

Thanks!

Best Answer

You can try to disable dot1x port-control on a specific interface under interface configuration mode using the no form of the command: no dot1x port-control ...
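
An added example, not part of the original question or answer: a small Python audit over a saved running-config that lists ports where a static port-security MAC coexists with the dot1x states the question describes. The sample config, its MAC addresses and the function names are constructed for illustration; the port-control keyword is matched on the prefix "force-auth", following the spelling used in the question.

```python
import re

# Constructed sample config: ports, MACs and layout are invented for illustration.
SAMPLE_CONFIG = """\
interface Gi1/0/1
switchport port-security
switchport port-security mac-address 0011.2233.4455 vlan 1
exit
interface Gi1/0/2
switchport port-security
switchport port-security mac-address 0011.2233.4466 vlan 1
dot1x port-control force-authenticate
exit
interface Gi1/0/3
switchport mode general
exit
"""

MAC_RE = re.compile(r"^switchport port-security mac-address (\S+)", re.I)
CTRL_RE = re.compile(r"^(no )?dot1x port-control\s*(\S*)", re.I)

def parse_interfaces(config):
    """Return {interface: {"macs": [...], "port_control": str or None}}."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], {"macs": [], "port_control": None})
        elif line.lower() == "exit":
            current = None
        elif current is not None:
            if (m := MAC_RE.match(line)):
                current["macs"].append(m.group(1).lower())
            elif (m := CTRL_RE.match(line)):
                current["port_control"] = ("no " if m.group(1) else "") + m.group(2).lower()
    return ports

def audit(config):
    """Flag ports whose static MAC list meets a dot1x state the question describes."""
    findings = {}
    for name, p in parse_interfaces(config).items():
        if not p["macs"]:
            continue  # no static MAC configured, nothing to compare against
        if p["port_control"] is None:
            findings[name] = "static MAC set, dot1x left at global default"
        elif p["port_control"].startswith("force-auth"):
            findings[name] = "static MAC set, port forced authorized (question: any MAC admitted)"
    return findings
```

Running `audit()` over an export of each switch's configuration gives a list of printer ports to review before and after changing the per-port dot1x setting.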