The authentication order mac dot1x command configures MAC address authentication to take precedence over 802.1X authentication when the device receives EAP-Start packets.
The undo authentication order mac dot1x command cancels the configuration.
By default, the sequence of authentication modes triggered by EAP-Start packets is not configured.
Usage Scenario
Some terminals send EAP-Start packets to trigger 802.1X authentication, but do not respond to EAP-Request/Identity packets returned by the device. As a result, traffic is interrupted and the terminals cannot be authenticated. To authenticate these terminals, you can run the authentication order mac dot1x command to enable the device to perform MAC address authentication first after receiving EAP-Start packets. If the terminals fail the MAC address authentication, the device then performs 802.1X authentication.
If a terminal sends multiple EAP-Start packets, the device continues to return EAP-Response/Identity packets even after MAC address authentication using the first EAP-Start packet is successful. However, the terminal no longer responds to the subsequent EAP-Response/Identity packets, causing traffic interruption. To prevent this problem, run the authentication no-replace dot1x command to configure the device not to respond to the EAP-Start packets sent from users who have successfully passed MAC address authentication.
Precautions
This function is supported only for new wired users.
This command controls only the sequence of authentication modes triggered by EAP-Start packets. After this command is run, MAC address authentication or 802.1X authentication will not be automatically enabled.
This command takes precedence over the authentication dot1x-mac-bypass command.