Skip to main content
Cisco SD-WAN
Product Documentation
Viptela Documentation


vpn interface dot1x mac-authentication-bypass—Enable authentication for non-802.1X–compliant clients (on vEdge routers only). These clients are authenticated based on their MAC address.

A non-802.1X–compliant client is one that does not respond to EAP identity requests from the vEdge router.

After the 802.1X interface detects a client, it waits to receive an Ethernet packet from the client. Then the router sends a RADIUS access/request frame to the authentication server that includes a username and password based on the MAC address. If authorization succeeds, the router grants the client access to the WAN or WLAN. If authorization fails, the router assigns the interface to the guest VLAN if one is configured.

vManage Feature Template

For vEdge routers only:

Configuration ► Templates ► VPN Interface Ethernet

Command Hierarchy

vpn vpn-id
  interface interface-name
        allow mac-addresses


Enable Authentication for Non-802.1X–Compliant Hosts
Turn on authentication for non-802.1X–compliant clients.
Enable Authentication for Specific Devices
allow mac-addresses
Turn on authentication for one or more devices based on their MAC address, as listed in mac-addresses, before performing an authentication check with the RADIUS server. You can configure up to eight MAC addresses for MAC authentication bypass.
Enable Authentication via a RADIUS Server
Authenticate non-802.1X–compliant clients using a RADIUS server. This option enables MAC authentication bypass on the RADIUS server.


Enable MAC authentication bypass:

vpn 0
  interface ge0/0

Release Information

Command introduced in Viptela Software Release 16.3.​

Additional Information


  • Was this article helpful?