10-Security Configuration Guide
03-MAC authentication configuration
Configuring MAC authentication
General guidelines and restrictions
Specifying a MAC authentication domain
Configuring the user account format
Setting MAC authentication timers
Enabling MAC authentication offline detection
Setting the maximum number of concurrent MAC authentication users on a port
Enabling MAC authentication multi-VLAN mode on a port
Configuring MAC authentication delay
Configuring a MAC authentication guest VLAN
Configuration restrictions and guidelines
Configuring a MAC authentication critical VLAN
Enabling the MAC authentication critical voice VLAN
Configuring the keep-online feature
Including user IP addresses in MAC authentication requests
Enabling parallel processing of MAC authentication and 802.1X authentication
Configuration restrictions and guidelines
Displaying and maintaining MAC authentication
MAC authentication configuration examples
Local MAC authentication configuration example
RADIUS-based MAC authentication configuration example
ACL assignment configuration example
Configuring MAC authentication
Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port. If the MAC address passes authentication, the user can access authorized network resources. If the authentication fails, the device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from the MAC address within the quiet time. The quiet mechanism avoids repeated authentication during a short time.
NOTE: If the MAC address that has failed authentication is a static MAC address or a MAC address that has passed any security authentication, the device does not mark the MAC address as a silent address.
User account policies
MAC authentication supports the following user account policies:
· One MAC-based user account for each user. The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication. This policy is suitable for an insecure environment.
· One shared user account for all users. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication users on the access device. This policy is suitable for a secure environment.
Authentication methods
You can perform MAC authentication on the access device (local authentication) or through a RADIUS server.
Local authentication:
· MAC-based accounts—The access device uses the source MAC address of the packet as the username and password to search the local account database for a match.
· A shared account—The access device uses the shared account username and password to search the local account database for a match.
RADIUS authentication:
· MAC-based accounts—The access device sends the source MAC address of the packet as the username and password to the RADIUS server for authentication.
· A shared account—The access device sends the shared account username and password to the RADIUS server for authentication.
For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."
VLAN assignment
MAC authentication supports the authorization VLAN, guest VLAN, and critical VLAN.
Authorization VLAN
You can specify the authorization VLAN for a MAC authentication user to control access to authorized network resources.
· On a RADIUS server, the authorization VLAN can be specified in the form of VLAN ID or VLAN name.
· On the local access device, the authorization VLAN must be specified in the form of VLAN ID. You can specify the authorization VLAN in the following views:
  ○ Local user view.
  ○ User group view.
For more information about local authorization VLAN configuration, see "Configuring AAA."
When the MAC authentication user passes authentication, the authentication server (either the local access device or a RADIUS server) assigns the authorization VLAN to the user.
The port through which the user accesses the device is assigned to the authorization VLAN. A hybrid port is always assigned to a server-assigned authorization VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
Table 1 describes the way the network access device handles authorization VLANs for MAC authenticated users.
Port type | VLAN manipulation |
---|---|
· Access port · Trunk port · Hybrid port with MAC-based VLAN disabled | The device assigns the first authenticated user's authorization VLAN to the port as the PVID. NOTE: For these port types, you must assign the same authorization VLAN to all MAC authentication users on a port. If a different authorization VLAN is assigned to a subsequent user, the user cannot pass MAC authentication. |
Hybrid port with MAC-based VLAN enabled | The device maps the MAC address of each user to the authorization VLAN. The PVID of the port does not change. When a user logs off, the MAC-to-VLAN mapping for the user is removed. |
Guest VLAN
You can configure a MAC authentication guest VLAN on a port to accommodate users that have failed MAC authentication on the port. Users in the MAC authentication guest VLAN can access a limited set of network resources, such as a software server, to download software and system patches. If no MAC authentication guest VLAN is configured, the users that have failed MAC authentication cannot access any network resources.
A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.
Table 2 shows the way that the network access device handles guest VLANs for MAC authentication users.
Authentication status | VLAN manipulation |
---|---|
A user in the MAC authentication guest VLAN fails MAC authentication for any reason other than server unreachable. | The user stays in the MAC authentication guest VLAN. |
A user in the MAC authentication guest VLAN passes MAC authentication. | The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication server, the device remaps the MAC address of the user to the PVID of the port. |
Critical VLAN
You can configure a MAC authentication critical VLAN on a port to accommodate users that fail MAC authentication because no RADIUS authentication server is reachable. Users in a MAC authentication critical VLAN can access only network resources in the critical VLAN.
The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA."
Table 3 shows the way that the network access device handles critical VLANs for MAC authentication users.
Authentication status | VLAN manipulation |
---|---|
A user that has not been assigned to any VLAN fails MAC authentication because all the RADIUS servers are unreachable. | The device maps the MAC address of the user to the MAC authentication critical VLAN. The user stays in the MAC authentication critical VLAN if the user fails MAC reauthentication because all the RADIUS servers are unreachable. |
A user in the MAC authentication critical VLAN fails MAC authentication for any reason other than server unreachable. | If a guest VLAN has been configured, the device maps the MAC address of the user to the guest VLAN. If no guest VLAN is configured, the device maps the MAC address of the user to the PVID of the port. |
A user in the MAC authentication critical VLAN passes MAC authentication. | The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication server, the device remaps the MAC address of the user to the PVID of the access port. |
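The decision rules in Tables 1 to 3 (and the guest VLAN's priority over the quiet mechanism) are easier to check as code than as prose. The following Python model is an added illustration and is not device or vendor code: the names Port, Outcome, authenticate and the role strings are assumptions made for this example. Two cases the tables do not define (a guest VLAN user failing because the servers are unreachable, and reauthentication of an online user) are rejected explicitly rather than guessed.

```python
"""Model of how a MAC authentication port places a user in the authorization,
guest or critical VLAN, following Tables 1 to 3 above.  Added illustration:
Port, Outcome, authenticate and the role names are assumptions made for this
example, not device commands or vendor code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class Result(Enum):
    PASS = "pass"
    FAIL_SERVER_UNREACHABLE = "fail: all RADIUS servers unreachable"
    FAIL_OTHER = "fail: any other reason"


@dataclass(frozen=True)
class Outcome:
    role: Optional[str]   # "authorized", "guest", "critical", "pvid"; None = no access
    vlan: Optional[int]   # VLAN the user's MAC is mapped to, or None
    silent: bool          # MAC marked silent and the quiet timer started


@dataclass
class Port:
    link_type: str                      # "access", "trunk" or "hybrid"
    pvid: int
    mac_based_vlan: bool = False        # meaningful on a hybrid port only
    guest_vlan: Optional[int] = None
    critical_vlan: Optional[int] = None
    users: Dict[str, Outcome] = field(default_factory=dict)   # per-MAC state


def _passed(port: Port, mac: str, server_vlan: Optional[int]) -> Outcome:
    # Tables 2 and 3: no server-assigned authorization VLAN means the PVID.
    vlan = port.pvid if server_vlan is None else server_vlan
    if port.link_type == "hybrid" and port.mac_based_vlan:
        # Table 1: one MAC-to-VLAN mapping per user; the PVID does not change.
        return Outcome("authorized", vlan, False)
    # Table 1, other port types: the first user's VLAN becomes the PVID, and a
    # later user assigned a different VLAN cannot pass authentication.
    others_online = any(u.role == "authorized" for m, u in port.users.items() if m != mac)
    if others_online and vlan != port.pvid:
        return Outcome(None, None, False)   # assumption: no quiet timer for this case
    port.pvid = vlan
    return Outcome("authorized", vlan, False)


def _failed(port: Port, role: Optional[str], result: Result) -> Outcome:
    if result is Result.FAIL_SERVER_UNREACHABLE and port.critical_vlan is not None:
        if role in (None, "critical"):
            # Table 3 row 1: into the critical VLAN, and stay there on reauth failure.
            return Outcome("critical", port.critical_vlan, False)
    # Without a critical VLAN, an unreachable server is treated like any other
    # failure below (assumption based on the guest VLAN description).
    if role == "guest":
        return Outcome("guest", port.guest_vlan, False)           # Table 2 row 1
    if role == "critical":                                        # Table 3 row 2
        if port.guest_vlan is not None:
            return Outcome("guest", port.guest_vlan, False)
        return Outcome("pvid", port.pvid, False)
    # Not in any VLAN yet: the guest VLAN takes priority over the quiet
    # mechanism; without one, the MAC is marked silent and the quiet timer starts.
    if port.guest_vlan is not None:
        return Outcome("guest", port.guest_vlan, False)
    return Outcome(None, None, True)


def authenticate(port: Port, mac: str, result: Result,
                 server_vlan: Optional[int] = None) -> Outcome:
    """Apply one authentication result for `mac` and record the new state."""
    role = port.users[mac].role if mac in port.users else None
    if role == "authorized" or (role == "guest" and result is Result.FAIL_SERVER_UNREACHABLE):
        raise ValueError(f"role {role!r} with result {result.value!r}: not covered by Tables 1-3")
    out = _passed(port, mac, server_vlan) if result is Result.PASS else _failed(port, role, result)
    if out.role is None:
        port.users.pop(mac, None)
    else:
        port.users[mac] = out
    return out


def logoff(port: Port, mac: str) -> None:
    """Table 1: when a user logs off, its MAC-to-VLAN mapping is removed."""
    port.users.pop(mac, None)


if __name__ == "__main__":
    # Constructed walk-through on a hybrid port with MAC-based VLAN enabled.
    p = Port("hybrid", pvid=1, mac_based_vlan=True, guest_vlan=10, critical_vlan=20)
    for step in (Result.FAIL_SERVER_UNREACHABLE, Result.FAIL_OTHER, Result.PASS):
        print(step.value, "->", authenticate(p, "00e0fc123456", step, server_vlan=30))
```

The walk-through in the main block follows one MAC through Table 3 row 1, Table 3 row 2 and Table 2 row 2 in turn; running the same sequence on an access port shows why the guide restricts guest and critical VLANs to hybrid ports with MAC-based VLAN enabled.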
ACL assignment
You can specify an authorization ACL in the user account for a MAC authentication user to control the user's access to network resources. After the user passes MAC authentication, the authentication server (local or remote) assigns the authorization ACL to the access port of the user. The ACL will filter traffic for this user. You must configure ACL rules for the authorization ACL on the access device for the ACL assignment feature.
To change the access control criteria for the user, you can use one of the following methods:
· Modify ACL rules on the access device.
· Specify another authorization ACL on the authentication server.
For more information about ACLs, see ACL and QoS Configuration Guide.
Redirect URL assignment
The device supports the URL attribute assigned by a RADIUS server. During MAC authentication, a user is redirected to the Web interface specified by the server-assigned URL attribute. After the user passes the Web authentication, the RADIUS server records the MAC address of the Web user and uses a DM (Disconnect Message) to log off the Web user. When the user initiates MAC authentication again, it will pass the authentication and come online successfully.
Periodic MAC reauthentication
Periodic MAC reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the RADIUS server. The attributes include the ACL and VLAN.
The device reauthenticates an online MAC authentication user periodically only after it receives the Termination-Action attribute with the value RADIUS-Request from the authentication server for this user. The Session-Timeout attribute (session timeout period) assigned by the server is the reauthentication interval. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display mac-authentication connection command. Support for the server configuration and assignment of Session-Timeout and Termination-Action attributes depends on the server model.
When no server is reachable for MAC reauthentication, the device keeps the MAC authentication users online or logs off the users, depending on the keep-online feature configuration on the device. For information about the keep-online feature, see "Configuring the keep-online feature."
Configuration prerequisites
Before you configure MAC authentication, complete the following tasks:
1. Configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA."
  ○ For local authentication, you must also create local user accounts (including usernames and passwords), and specify the lan-access service for local users.
  ○ For RADIUS authentication, make sure the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server. If you are using MAC-based accounts, make sure the username and password for each account are the same as the MAC address of each MAC authentication user.
2. Make sure the port security feature is disabled. For more information about port security, see "Configuring port security."
General guidelines and restrictions
When you configure MAC authentication, follow these guidelines and restrictions:
· MAC authentication is exclusive with link aggregation group or service loopback group.
  ○ You cannot enable MAC authentication on a port already in a link aggregation group or a service loopback group.
  ○ You cannot add a MAC authentication-enabled port to a link aggregation group or a service loopback group.
· Do not configure MAC authentication and EVB on the same port. For information about EVB, see EVB Configuration Guide.
Configuration task list
Tasks at a glance |
---|
(Required.) Enabling MAC authentication |
(Optional.) Specifying a MAC authentication domain |
(Optional.) Configuring the user account format |
(Optional.) Setting MAC authentication timers |
(Optional.) Enabling MAC authentication offline detection |
(Optional.) Setting the maximum number of concurrent MAC authentication users on a port |
(Optional.) Enabling MAC authentication multi-VLAN mode on a port |
(Optional.) Configuring MAC authentication delay |
(Optional.) Configuring a MAC authentication guest VLAN |
(Optional.) Configuring a MAC authentication critical VLAN |
(Optional.) Enabling the MAC authentication critical voice VLAN |
(Optional.) Configuring the keep-online feature |
(Optional.) Including user IP addresses in MAC authentication requests |
(Optional.) Enabling parallel processing of MAC authentication and 802.1X authentication |
Enabling MAC authentication
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable MAC authentication globally. | mac-authentication | By default, MAC authentication is disabled globally. |
3. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
4. Enable MAC authentication on the port. | mac-authentication | By default, MAC authentication is disabled on a port. |
Specifying a MAC authentication domain
By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can use one of the following methods to specify authentication domains for MAC authentication users:
· Specify a global authentication domain in system view. This domain setting applies to all ports enabled with MAC authentication.
· Specify an authentication domain for an individual port in Layer 2 Ethernet interface view.
MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see "Configuring AAA."
To specify an authentication domain for MAC authentication users:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify an authentication domain for MAC authentication users. | · In system view: · In Layer 2 Ethernet interface view: a. interface interface-type interface-number b. mac-authentication domain domain-name | By default, the system default authentication domain is used for MAC authentication users. |
Configuring the user account format
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the MAC authentication user account format. | · Use one MAC-based user account for each user: · Use one shared user account for all users: | By default, the device uses the MAC address of a user as the username and password for MAC authentication. The MAC address is in the hexadecimal notation without hyphens, and letters are in lower case. |
Setting MAC authentication timers
MAC authentication uses the following timers:
· Offline detect timer—Sets the interval that the device waits for traffic from a user before the device regards the user idle. Whether the device logs the user out and requests to stop accounting for the user after the timer expires depends on the status of the offline detection feature.
· Quiet timer—Sets the interval that the device must wait before the device can perform MAC authentication for a user who has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.
· Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before the device regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot access the network.
To set MAC authentication timers:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Set MAC authentication timers. | mac-authentication timer { offline-detect offline-detect-value \| quiet quiet-value \| server-timeout server-timeout-value } | By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds. |
Enabling MAC authentication offline detection
This feature logs a user out of the device if the device does not receive any packets from the user within the offline detect timer. The device also requests to stop accounting for the user at the same time. For more information about the offline detect timer, see "Setting MAC authentication timers."
If you disable this feature, the device no longer checks whether online users are still present.
To enable MAC authentication offline detection:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Enable MAC authentication offline detection. | mac-authentication offline-detect enable | By default, MAC authentication offline detection is enabled. |
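The three timers and the offline detection switch interact in ways that are easiest to see on a timeline: a rejected MAC is dropped for the whole quiet time, a server that never answers costs the server timeout before the quiet timer even starts, and an online user that stays silent longer than the offline detect timer is logged off (or not, when offline detection is disabled). The following discrete-time model is an added illustration with constructed events, not device code: MacAuthPort, on_packet, demo_server and the verdict strings are assumptions for this example, and the default timer values are the ones the guide states.

```python
"""Discrete-time model of the quiet timer, the offline detect timer and the
server timeout timer, with offline detection switchable as in the procedure
above.  Added illustration with constructed events: MacAuthPort, on_packet and
the verdict strings are assumptions for this example, not device code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Timers:
    offline_detect: int = 300   # defaults stated in the guide, in seconds
    quiet: int = 60
    server_timeout: int = 100


@dataclass
class MacAuthPort:
    timers: Timers = field(default_factory=Timers)
    offline_detect_enabled: bool = True
    # Static MACs and MACs that passed another security authentication are
    # never marked silent (NOTE in the overview).
    exempt_macs: Set[str] = field(default_factory=set)
    online: Dict[str, int] = field(default_factory=dict)        # mac -> last packet time
    silent_until: Dict[str, int] = field(default_factory=dict)  # mac -> end of quiet time
    log: List[Tuple[int, str, str]] = field(default_factory=list)

    def _expire_idle_users(self, now: int) -> None:
        """Offline detection: log off a user idle longer than the offline
        detect timer and request to stop accounting for it."""
        if not self.offline_detect_enabled:
            return
        for mac, last_seen in list(self.online.items()):
            if now - last_seen > self.timers.offline_detect:
                del self.online[mac]
                self.log.append((now, mac, "logoff: idle, stop accounting"))

    def on_packet(self, mac: str, now: int,
                  server: Callable[[str], Optional[bool]]) -> str:
        """Handle a packet from `mac` at time `now` (seconds). `server(mac)`
        returns True (accept), False (reject) or None (no reply at all, so the
        server timeout timer expires)."""
        self._expire_idle_users(now)
        if mac in self.online:
            self.online[mac] = now             # traffic from an online user resets idle time
            return "forward"
        if now < self.silent_until.get(mac, 0):
            return "drop: quiet time"          # silent MAC: no authentication until quiet ends
        verdict = server(mac)
        if verdict is True:
            self.online[mac] = now
            self.silent_until.pop(mac, None)
            return "authenticated"
        if verdict is False:
            failed_at, reason = now, "rejected"
        else:
            failed_at = now + self.timers.server_timeout
            reason = f"server timeout ({self.timers.server_timeout}s)"
        if mac in self.exempt_macs:
            return f"drop: {reason}, exempt MAC not marked silent"
        self.silent_until[mac] = failed_at + self.timers.quiet
        return f"drop: {reason}, silent for {self.timers.quiet}s"


def demo_server(mac: str) -> Optional[bool]:
    """Constructed stand-in for the authentication server."""
    return {"00e0fc123456": True, "00e0fc000001": False}.get(mac)   # unknown -> no reply


if __name__ == "__main__":
    # Timers from the local configuration example: detect offline users every
    # 180 seconds, quiet a failed MAC for 180 seconds.
    port = MacAuthPort(Timers(offline_detect=180, quiet=180))
    for t, mac in ((0, "00e0fc000001"), (90, "00e0fc000001"), (200, "00e0fc123456"),
                   (500, "00e0fc123456"), (600, "00e0fcffffff")):
        print(f"t={t:>4}s {mac}: {port.on_packet(mac, t, demo_server)}")
    print(port.log)
```

A practical consequence visible in the model: with the offline detect timer at 180 seconds, a printer or phone that is quiet for longer than that is logged off and must authenticate again on its next packet, which shows up as repeated online/offline events in the accounting records.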
Setting the maximum number of concurrent MAC authentication users on a port
Perform this task to prevent the system resources from being overused.
To set the maximum number of concurrent MAC authentication users on a port:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Set the maximum number of concurrent MAC authentication users on the port. | mac-authentication max-user user-number | The default setting is 4294967295. |
Enabling MAC authentication multi-VLAN mode on a port
The MAC authentication multi-VLAN mode prevents an authenticated online user from service interruption caused by VLAN changes on a port. When the port receives a packet sourced from the user in a VLAN not matching the existing MAC-VLAN mapping, the device neither logs off the user nor reauthenticates the user. The device creates a new MAC-VLAN mapping for the user, and traffic transmission is not interrupted. The original MAC-VLAN mapping for the user remains on the device until it dynamically ages out. As a best practice, configure this feature on hybrid or trunk ports.
This feature improves transmission of data that is vulnerable to delay and interference. It is typically applicable to IP phone users.
To enable MAC authentication multi-VLAN mode on a port:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Enable MAC authentication multi-VLAN mode. | mac-authentication host-mode multi-vlan | By default, this feature is disabled on a port. When the port receives a packet sourced from an authenticated user in a VLAN not matching the existing MAC-VLAN mapping, the device logs off and reauthenticates the user. |
Configuring MAC authentication delay
When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered.
If no 802.1X authentication is triggered or 802.1X authentication fails within the delay period, the port continues to process MAC authentication.
Do not set the port security mode to mac-else-userlogin-secure or mac-else-userlogin-secure-ext when you use MAC authentication delay. The delay does not take effect on a port in either of the two modes. For more information about port security modes, see "Configuring port security."
To configure MAC authentication delay:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Enable MAC authentication delay and set the delay timer. | mac-authentication timer auth-delay time | By default, MAC authentication delay is disabled. |
Configuring a MAC authentication guest VLAN
Configuration prerequisites
You must configure the MAC authentication guest VLAN on a hybrid port. Before you configure the MAC authentication guest VLAN on a hybrid port, complete the following tasks:
· Enable MAC authentication globally and on the port.
· Enable MAC-based VLAN on the port.
· Create the VLAN to be specified as the MAC authentication guest VLAN.
· Configure the VLAN as an untagged member on the port.
Configuration restrictions and guidelines
When you configure the MAC authentication guest VLAN on a port, follow these restrictions and guidelines:
· The following table shows the relationships of the MAC authentication guest VLAN with other security features:
Feature | Relationship description | Reference |
---|---|---|
Quiet feature of MAC authentication | The MAC authentication guest VLAN feature has higher priority. When a user fails MAC authentication, the user can access the resources in the guest VLAN. The user's MAC address is not marked as a silent MAC address. | |
Super VLAN | You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN. | See Layer 2—LAN Switching Configuration Guide. |
Port intrusion protection | The guest VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of the port intrusion protection feature. | See "Configuring port security." |
802.1X guest VLAN on a port that performs MAC-based access control | The MAC authentication guest VLAN does not take effect. A user who fails MAC authentication is not assigned to the MAC authentication guest VLAN. | See "Configuring 802.1X." |
Including user IP addresses in the authentication requests | If the feature is configured, users in the MAC authentication guest VLAN cannot perform a new round of authentication. | See "Including user IP addresses in MAC authentication requests." |
· The following matrix shows the location restrictions for the interface configured with MAC authentication guest VLAN and the interface connected to the external network on an IRF 3 system:
Location of the interface configured with MAC authentication guest VLAN | Location restrictions of the interface connected to the external network |
---|---|
A PEX | The interface cannot be on the parent fabric or on other PEXs. |
The parent fabric | The interface cannot be on PEXs. |
For more information about IRF 3, see Virtual Technologies Configuration Guide.
Configuration procedure
To configure the MAC authentication guest VLAN on a port:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Specify the MAC authentication guest VLAN on the port. | mac-authentication guest-vlan guest-vlan-id | By default, no MAC authentication guest VLAN is configured. You can configure only one MAC authentication guest VLAN on a port. |
4. (Optional.) Set the authentication interval for users in the MAC authentication guest VLAN. | mac-authentication guest-vlan auth-period period-value | The default setting is 30 seconds. |
Configuring a MAC authentication critical VLAN
You must configure the MAC authentication critical VLAN on a hybrid port. Before you configure the MAC authentication critical VLAN on a hybrid port, complete the following tasks:
· Enable MAC authentication globally and on the port.
· Enable MAC-based VLAN on the port.
· Create the VLAN to be specified as the MAC authentication critical VLAN.
· Configure the VLAN as an untagged member on the port.
When you configure the MAC authentication critical VLAN on a port, follow the guidelines in Table 4.
Table 4 Relationships of the MAC authentication critical VLAN with other security features
Feature | Relationship description | Reference |
---|---|---|
Quiet feature of MAC authentication | The MAC authentication critical VLAN feature has higher priority. When a user fails MAC authentication because no RADIUS authentication server is reachable, the user can access the resources in the critical VLAN. The user's MAC address is not marked as a silent MAC address. | |
Super VLAN | You cannot specify a VLAN as both a super VLAN and a MAC authentication critical VLAN. | See Layer 2—LAN Switching Configuration Guide. |
Port intrusion protection | The critical VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of the port intrusion protection feature. | See "Configuring port security." |
To configure the MAC authentication critical VLAN on a port:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Specify the MAC authentication critical VLAN on the port. | mac-authentication critical vlan critical-vlan-id | By default, no MAC authentication critical VLAN is configured. You can configure only one MAC authentication critical VLAN on a port. |
Enabling the MAC authentication critical voice VLAN
The MAC authentication critical voice VLAN on a port accommodates MAC authentication voice users who have failed authentication because none of the RADIUS servers in their ISP domain are reachable.
Configuration prerequisites
Before you enable the MAC authentication critical voice VLAN on a port, complete the following tasks:
· Enable LLDP both globally and on the port.
The device uses LLDP to identify voice users. For information about LLDP, see Layer 2—LAN Switching Configuration Guide.
· Enable voice VLAN on the port.
Configuration procedure
To enable the MAC authentication critical voice VLAN feature on a port:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Enable the MAC authentication critical voice VLAN feature on the port. | mac-authentication critical-voice vlan | By default, the MAC authentication critical voice VLAN feature is disabled on the port. |
Configuring the keep-online feature
By default, the device logs off online MAC authentication users if no server is reachable for MAC reauthentication. The keep-online feature keeps authenticated MAC authentication users online when no server is reachable for MAC reauthentication.
In a fast-recovery network, you can use the keep-online feature to prevent MAC authentication users from coming online and going offline frequently.
To configure the keep-online feature:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Enable the keep-online feature for authenticated MAC authentication users on the port. | mac-authentication re-authenticate server-unreachable keep-online | By default, the keep-online feature is disabled. This command takes effect only when the authentication server assigns reauthentication attributes to the device. |
Including user IP addresses in MAC authentication requests
This feature enables the device to add user IP addresses to the MAC authentication requests that are sent to an IMC server. The IMC server compares the user IP and MAC addresses in a request with its local IP-MAC mapping of the user. If a match is found, the IMC server considers the user valid. If no match is found, the user fails MAC authentication. For information about IMC user IP-MAC bindings, see H3C IMC User Access Manager Administrator Guide.
When you configure this feature, follow these guidelines and restrictions:
· This feature takes effect only on MAC authentication users who use static IP addresses. It prevents those users from modifying their IP addresses to access the network. Users who obtain IP addresses through DHCP are not affected.
· Do not configure this feature together with the MAC authentication guest VLAN on a port. If both features are configured, users in the MAC authentication guest VLAN cannot perform a new round of authentication.
To include user IP addresses in MAC authentication requests:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Include user IP addresses in MAC authentication requests. | mac-authentication carry user-ip | By default, a MAC authentication request does not include the user IP address. |
Enabling parallel processing of MAC authentication and 802.1X authentication
By default, a port processes MAC authentication only after 802.1X authentication has finished. This feature enables the port to process MAC authentication in parallel with 802.1X authentication.
When the port receives a packet from an unknown MAC address, it sends a unicast EAP-Request/Identity packet to the MAC address. After that, the port immediately processes MAC authentication without waiting for the 802.1X authentication result.
After MAC authentication succeeds, the port is assigned to the MAC authentication authorization VLAN.
· If 802.1X authentication fails, the MAC authentication result takes effect.
· If 802.1X authentication succeeds, the device handles the port and the MAC address based on the 802.1X authentication result.
Configuration restrictions and guidelines
When you enable parallel processing of MAC authentication and 802.1X authentication on a port, follow these restrictions and guidelines:
· Make sure the port meets the following requirements:
  ○ The port is configured with both 802.1X authentication and MAC authentication and performs MAC-based access control for 802.1X authentication.
  ○ The port is enabled with the 802.1X unicast trigger.
· For the port to perform MAC authentication before it is assigned to the 802.1X guest VLAN, delay assigning the port to the 802.1X guest VLAN.
For information about 802.1X guest VLAN assignment delay, see "Configuring 802.1X."
· For the parallel processing feature to work correctly, do not enable MAC authentication delay on the port. MAC authentication delay postpones MAC authentication until after 802.1X authentication has been triggered, which defeats parallel processing.
· To configure both 802.1X authentication and MAC authentication on the port, use one of the following methods:
  ○ Enable the 802.1X and MAC authentication features separately on the port.
  ○ Enable port security on the port. The port security mode must be userlogin-secure-or-mac or userlogin-secure-or-mac-ext.
For information about port security mode configuration, see "Configuring port security."
Configuration procedure
To enable parallel processing of MAC authentication and 802.1X authentication on a port:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Enable parallel processing of MAC authentication and 802.1X authentication on the port. | mac-authentication parallel-with-dot1x | By default, this feature is disabled. |
Displaying and maintaining MAC authentication
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display MAC authentication information. | display mac-authentication [ interface interface-type interface-number ] |
Display MAC authentication connections. | display mac-authentication connection [ interface interface-type interface-number \| slot slot-number \| user-mac mac-addr \| user-name user-name ] |
Clear MAC authentication statistics. | reset mac-authentication statistics [ interface interface-type interface-number ] |
Remove users from the MAC authentication critical VLAN on a port. | reset mac-authentication critical-vlan interface interface-type interface-number [ mac-address mac-address ] |
Remove users from the MAC authentication critical voice VLAN on a port. | reset mac-authentication critical-voice-vlan interface interface-type interface-number [ mac-address mac-address ] |
Remove users from the MAC authentication guest VLAN on a port. | reset mac-authentication guest-vlan interface interface-type interface-number [ mac-address mac-address ] |
MAC authentication configuration examples
Local MAC authentication configuration example
Network requirements
As shown in Figure 1, the device performs local MAC authentication on Ten-GigabitEthernet 1/1/1 to control Internet access of users.
Configure the device to meet the following requirements:
· Detect whether a user has gone offline every 180 seconds.
· Deny a user for 180 seconds if the user fails MAC authentication.
· Authenticate all users in the ISP domain bbb.
· Use the MAC address of each user as the username and password for authentication. A MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
Configuration procedure
# Add a network access local user. In this example, configure both the username and password as Host A's MAC address 00-e0-fc-12-34-56.
<Device> system-view
[Device] local-user 00-e0-fc-12-34-56 class network
[Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
# Specify the LAN access service for the user.
[Device-luser-network-00-e0-fc-12-34-56] service-type lan-access
[Device-luser-network-00-e0-fc-12-34-56] quit
# Configure ISP domain bbb to perform local authentication for LAN users.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access local
[Device-isp-bbb] quit
# Enable MAC authentication on Ten-GigabitEthernet 1/1/1.
[Device] interface ten-gigabitethernet 1/1/1
[Device-Ten-GigabitEthernet1/1/1] mac-authentication
[Device-Ten-GigabitEthernet1/1/1] quit
# Specify the MAC authentication domain as the ISP domain bbb.
[Device] mac-authentication domain bbb
# Configure MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180
# Configure MAC authentication to use MAC-based accounts. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication globally.
[Device] mac-authentication
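The local example relies on the local account name matching exactly what the device derives under mac-authentication user-name-format mac-address with-hyphen lowercase. The following Python helper is an added example, not part of the guide: it converts a MAC address from any common notation (including the 00e0-fc12-3456 form shown in display output) into that account format, emits the matching local-user lines, and flags an account whose name would never match; the function names are the author's own.

```python
import re

# Added example, not from the guide: build the account name the device derives
# from a source MAC under "user-name-format mac-address", and check that an
# existing local account really matches it.
_NON_HEX = re.compile(r"[^0-9a-fA-F]")

def mac_account_name(mac, with_hyphen=True, lowercase=True):
    """Username the device sends for a source MAC, per the configured format.

    Accepts colon, hyphen, Comware dotted (00e0-fc12-3456) or bare notation.
    """
    digits = _NON_HEX.sub("", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = digits.lower() if lowercase else digits.upper()
    if not with_hyphen:
        return digits
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def local_user_commands(mac):
    """CLI lines creating the MAC-based local account (username == password),
    mirroring the local example above."""
    name = mac_account_name(mac)
    return [
        f"local-user {name} class network",
        f" password simple {name}",
        " service-type lan-access",
        " quit",
    ]

def account_matches_format(account, mac, with_hyphen=True, lowercase=True):
    """True when an existing account name is exactly what the device will send.

    A mismatch (upper-case letters, missing hyphens) means the host can never
    authenticate and lands in the silent MAC list after every attempt.
    """
    return account == mac_account_name(mac, with_hyphen, lowercase)
```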
Verifying the configuration
# Display MAC authentication settings and statistics to verify your configuration.
[Device] display mac-authentication
Global MAC authentication parameters:
MAC authentication : Enabled
User name format : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
Username : mac
Password : Not configured
Offline detect period : 180 s
Quiet period : 180 s
Server timeout : 100 s
Authentication domain : bbb
Max MAC-auth users : 4294967295 per slot
Online MAC-auth users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
00e0-fc11-1111 8 Ten-GigabitEthernet1/1/1 1
Ten-GigabitEthernet1/1/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN auth-period : 30 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
Max online users : 4294967295
Authentication attempts : successful 1, failed 0
Current online users : 1
MAC address Auth state
00e0-fc12-3456 Authenticated
The output shows that Host A has passed MAC authentication and has come online. Host B failed MAC authentication and its MAC address is marked as a silent MAC address.
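A monitoring job that polls display mac-authentication needs to pull the silent MAC list (failed authentications still inside the quiet timer) and the per-port online users out of the text above. The parser below is an added example, not code from the guide; SAMPLE is a constructed excerpt modelled on the verification output of the local example, and the function names are the author's own.

```python
import re

# Added example, not from the guide: parse "display mac-authentication" output
# into data a monitoring job can check. SAMPLE is constructed to mirror the
# verification output of the local example above; it is not a real capture.
SAMPLE = """\
Global MAC authentication parameters:
 Offline detect period : 180 s
 Quiet period : 180 s
 Authentication domain : bbb
Silent MAC users:
 MAC address VLAN ID From port Port index
 00e0-fc11-1111 8 Ten-GigabitEthernet1/1/1 1
Ten-GigabitEthernet1/1/1 is link-up
 Authentication attempts : successful 1, failed 0
 MAC address Auth state
 00e0-fc12-3456 Authenticated
"""

_MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
_SILENT = re.compile(rf"^\s*({_MAC})\s+(\d+)\s+(\S+)\s+\d+\s*$")  # silent-list row
_ONLINE = re.compile(rf"^\s*({_MAC})\s+(\S+)\s*$")                 # per-port user row
_PORT = re.compile(r"^(\S+) is link-(up|down)\s*$")                 # start of a port block
_KV = re.compile(r"^\s*(.+?)\s*:\s*(.+?)\s*$")                     # "name : value"

def parse_mac_auth(text):
    """Return {'global': {...}, 'silent': [...], 'ports': {name: {...}}}."""
    out = {"global": {}, "silent": [], "ports": {}}
    port = None                      # None while still in the global section
    for line in text.splitlines():
        if m := _PORT.match(line):
            port = m.group(1)
            out["ports"][port] = {"link": m.group(2), "online": [], "params": {}}
        elif m := _SILENT.match(line):  # failed MACs still inside the quiet timer
            out["silent"].append({"mac": m.group(1), "vlan": int(m.group(2)), "port": m.group(3)})
        elif port and (m := _ONLINE.match(line)):
            out["ports"][port]["online"].append({"mac": m.group(1), "state": m.group(2)})
        elif m := _KV.match(line):
            bucket = out["global"] if port is None else out["ports"][port]["params"]
            bucket[m.group(1)] = m.group(2)
    return out

def timers_ok(parsed, offline_detect="180 s", quiet="180 s"):
    """True when the global timers equal the values the example requires."""
    g = parsed["global"]
    return g.get("Offline detect period") == offline_detect and g.get("Quiet period") == quiet
```

A non-empty silent list is the signal worth alerting on: each entry is a host that presented an unknown or mis-formatted MAC account on that port.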
RADIUS-based MAC authentication configuration example
Network requirements
As shown in Figure 2, the device uses RADIUS servers to perform authentication, authorization, and accounting for users.
To control user access to the Internet by MAC authentication, perform the following tasks:
· Enable MAC authentication globally and on Ten-GigabitEthernet 1/1/1.
· Configure the device to detect whether a user has gone offline every 180 seconds.
· Configure the device to deny a user for 180 seconds if the user fails MAC authentication.
· Configure all users to belong to the ISP domain bbb.
· Use a shared user account for all users, with the username aaa and password 123456.
Configuration procedure
1. Make sure the RADIUS server and the access device can reach each other. (Details not shown.)
2. Configure the RADIUS servers:
# Create a shared account for MAC authentication users. (Details not shown.)
# Set the username aaa and password 123456 for the account. (Details not shown.)
3. Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
<Device> system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication simple abc
[Device-radius-2000] key accounting simple abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to ISP domain bbb for authentication, authorization, and accounting.
[Device] domain bbb
[Device-isp-bbb] authentication default radius-scheme 2000
[Device-isp-bbb] authorization default radius-scheme 2000
[Device-isp-bbb] accounting default radius-scheme 2000
[Device-isp-bbb] quit
# Enable MAC authentication on Ten-GigabitEthernet 1/1/1.
[Device] interface ten-gigabitethernet 1/1/1
[Device-Ten-GigabitEthernet1/1/1] mac-authentication
[Device-Ten-GigabitEthernet1/1/1] quit
# Specify the MAC authentication domain as the ISP domain bbb.
[Device] mac-authentication domain bbb
# Set MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180
# Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users.
[Device] mac-authentication user-name-format fixed account aaa password simple 123456
# Enable MAC authentication globally.
[Device] mac-authentication
Verifying the configuration
# Verify the MAC authentication configuration.
[Device] display mac-authentication
Global MAC authentication parameters:
MAC authentication : Enabled
User name format : Fixed account
Username : aaa
Password : ******
Offline detect period : 180 s
Quiet period : 180 s
Server timeout : 100 s
Authentication domain : bbb
Max MAC-auth users : 4294967295 per slot
Online MAC-auth users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
Ten-GigabitEthernet1/1/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN auth-period : 30 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
Max online users : 4294967295
Authentication attempts : successful 1, failed 0
Current online users : 0
MAC address Auth state
00e0-fc12-3456 Authenticated
ACL assignment configuration example
Network requirements
As shown in Figure 3, configure the device to meet the following requirements:
· Use RADIUS servers to perform authentication, authorization, and accounting for users.
· Perform MAC authentication on Ten-GigabitEthernet 1/1/1 to control Internet access.
· Use MAC-based user accounts for MAC authentication users. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
· Use an ACL to deny authenticated users access to the FTP server at 10.0.0.1.
Configuration procedure
Make sure the RADIUS servers and the access device can reach each other.
1. Configure ACL 3000 to deny packets destined for 10.0.0.1.
<Device> system-view
[Device] acl number 3000
[Device-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Device-acl-adv-3000] quit
2. Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication simple abc
[Device-radius-2000] key accounting simple abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.
[Device] domain bbb
[Device-isp-bbb] authentication default radius-scheme 2000
[Device-isp-bbb] authorization default radius-scheme 2000
[Device-isp-bbb] accounting default radius-scheme 2000
[Device-isp-bbb] quit
# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain bbb
# Configure the device to use MAC-based user accounts. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication on port Ten-GigabitEthernet 1/1/1.
[Device] interface ten-gigabitethernet 1/1/1
[Device-Ten-GigabitEthernet1/1/1] mac-authentication
[Device-Ten-GigabitEthernet1/1/1] quit
# Enable MAC authentication globally.
[Device] mac-authentication
3. Configure the RADIUS servers:
# Add a user account with 00-e0-fc-12-34-56 as both the username and password on each RADIUS server. (Details not shown.)
# Specify ACL 3000 as the authorization ACL for the user account. (Details not shown.)
Verifying the configuration
# Verify the MAC authentication configuration.
[Device] display mac-authentication
Global MAC authentication parameters:
MAC authentication : Enabled
User name format : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
Username : mac
Password : Not configured
Offline detect period : 300 s
Quiet period : 60 s
Server timeout : 100 s
Authentication domain : bbb
Max MAC-auth users : 4294967295 per slot
Online MAC-auth users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
Ten-GigabitEthernet1/1/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN auth-period : 30 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
Max online users : 4294967295
Authentication attempts : successful 1, failed 0
Current online users : 1
MAC address Auth state
00e0-fc12-3456 Authenticated
# Verify that you cannot ping the FTP server from the host.
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that ACL 3000 has been assigned to Ten-GigabitEthernet 1/1/1 to deny access to the FTP server.