Reset Search



How to use MAC authentication bypass on WING

« Go Back


TitleHow to use MAC authentication bypass on WING
How to use MAC authentication on WiNG devices?
  • All Summit WM3000 Series Controllers
  • ExtremeWiNG Controllers
  • WirelessWiNG Controllers
  • ExtremeWiNG Access Points
  • WirelessWiNG Acess Points
  • WiNG 5.5+ Software
First you need to create AAA policy to handle requests in expected way (MAC format)
aaa-policy AAA
 authentication server 1 onboard centralized-controller

 authentication server 1 host secret 0 helloextr 

VX(config-aaa-policy-AAA)# mac-address-format ?
  middle-hyphen  Formatted as AABBCC-DDEEFF
  no-delim       Formatted as AABBCCDDEEFF
  pair-colon     Formatted as AA:BB:CC:DD:EE:FF
  pair-hyphen    Formatted as AA-BB-CC-DD-EE-FF (default)
  quad-dot       Formatted as AABB.CCDD.EEFF
Optionally, create RADIUS group to set policy
radius-group AAA
 policy ssid MAC
 policy vlan 88

Based on above setup, create RADIUS user pool having the specific MAC format as username + password
radius-user-pool-policy AAA
 user <MAC> password 0 <MAC> group <optional>


user E4-E4-AB-2D-24-EA password 0 E4-E4-AB-2D-24-EA group AAA

Now you shall create RADIUS server policy, map user pool and group
radius-server-policy AAA
 use radius-user-pool-policy AAA
 nas secret 0 helloextr
 use radius-group AAA

Map the policy to your (centralized) controller or host with configured IP (
VX(config-device-self)# use radius-server-policy AAA

Now create the WLAN as below and map it to required AP / radio
wlan MAC
 ssid MAC
 vlan 88
 bridging-mode local
 encryption-type none
 authentication-type mac
 use aaa-policy AAA

To confirm / troubleshoot this use remote-debug command
VX# remote-debug wireless hosts <APbroadcastingMAC> clients all max-events 5000 events all
Printing upto 5000 messages from each remote system for upto 60 seconds. Use Ctrl-C to abort
[AP] 09:43:57.292: mgmt:tx association-rsp success to E4-E4-AB-2D-24-EA on wlan (MAC) (ssid:MAC) with ftie 0 (mgmt.c:3522)
[AP] 09:43:57.293: client:wireless client E4-E4-AB-2D-24-EA changing state from [Roaming] to [MAC Auth] (mgmt.c:622)
[AP] 09:43:57.293: radius:aaa-policy AAA user: E4-E4-AB-2D-24-EA mac: E4-E4-AB-2D-24-EA server_is_candidate: 1 0 0 0 0 0 (radius.c:
[AP] 09:43:57.295: radius:access-req sent to wireless controller to be proxied via its adopter centralized controller (if any) to 1
[AP] 09:43:57.302: radius:rx Client-Group-Name [AAA] for E4-E4-AB-2D-24-EA (radius.c:1825)
[AP] 09:43:57.302: radius:rx Allowed-SSID [MAC] for E4-E4-AB-2D-24-EA (radius.c:1899)
[AP] 09:43:57.302: radius:rx access-accept for E4-E4-AB-2D-24-EA (radius.c:3590)
[AP] 09:43:57.302: client:wireless client E4-E4-AB-2D-24-EA changing state from [MAC Auth] to [Data-Ready] (mgmt.c:622)
[AP] 09:43:57.304: client:setting mac_auth_success[1] at credcache for E4-E4-AB-2D-24-EA and expiry (credcache.c:800)
Additional notes
Default MAC format used is following
mac-address-format pair-hyphen case upper attributes username-password




Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255