H3C WX3000E Series Wireless Switches Switching Engine Configuration Guides (R3507P26)-6W102
06-Security Configuration Guide
03-MAC Authentication Configuration

This chapter includes these sections:

·          MAC authentication overview

·          Using MAC authentication with other features

·          Basic configuration for MAC authentication

·          Specifying an authentication domain for MAC authentication users

·          Configuring a MAC authentication guest VLAN

·          Displaying and maintaining MAC authentication

·          MAC authentication configuration examples

 

 

NOTE:

·      The term "switch" or "device" in this chapter refers to the switching engine on a WX3000E wireless switch.

·      The WX3000E series comprises WX3024E and WX3010E wireless switches.

·      The port numbers in this chapter are for illustration only.

 

MAC authentication overview

MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port. If the MAC address passes authentication, the user can access authorized network resources. If the authentication fails, the device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from the MAC address within the quiet time. This quiet mechanism avoids repeated authentication during a short time.

 

 

NOTE:

If the MAC address that has failed authentication is a static MAC address or a MAC address that has passed any security authentication, the device does not mark it as a silent address.

 

User account policies

MAC authentication supports the following user account policies:

·          One MAC-based user account for each user. The access device uses the source MAC address of a user's packets as both the username and the password for MAC authentication. Because each user is identified individually, this policy is suitable for an insecure environment.

·          One shared user account for all users. You specify one username and password, which need not be a MAC address, for all MAC authentication users on the access device. Because every user presents the same credentials, this policy is suitable only for a secure environment.

Authentication approaches

You can perform MAC authentication on the access device (local authentication) or through a Remote Authentication Dial-In User Service (RADIUS) server.

Suppose a packet with an unknown source MAC address arrives at a MAC authentication enabled port.

In the local authentication approach:

·          If MAC-based accounts are used, the access device uses the source MAC address of the packet as the username and password to search its local account database for a match.

·          If a shared account is used, the access device uses the shared account username and password to search its local account database for a match.

In the RADIUS authentication approach:

·          If MAC-based accounts are used, the access device sends the source MAC address as the username and password to the RADIUS server for authentication.

·          If a shared account is used, the access device sends the shared account username and password to the RADIUS server for authentication.

For more information about configuring local authentication and RADIUS authentication, see the chapter “AAA configuration.”

MAC authentication timers

MAC authentication uses the following timers:

·          Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.

·          Quiet timer—Sets the interval that the device must wait before it can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.

·          Server timeout timer—Sets the interval that the access device waits for a response from a RADIUS server before it regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot access the network.

Using MAC authentication with other features

VLAN assignment

You can specify a VLAN in the user account for a MAC authentication user to control its access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the VLAN to the port as the default VLAN. After the user logs off, the initial default VLAN (the default VLAN configured before any VLAN was assigned by the authentication server) is restored. If the authentication server assigns no VLAN, the initial default VLAN applies.

 

 

NOTE:

·      A hybrid port is always assigned to a server-assigned VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

·      If MAC-based VLAN is enabled on a hybrid port, the device maps the server-assigned VLAN to the MAC address of the user. The default VLAN of the hybrid port does not change.

 

ACL assignment

You can specify an ACL in the user account for a MAC authentication user to control its access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the access port to filter the traffic from this user. You must configure the ACL on the access device for the ACL assignment function. You can change ACL rules while the user is online.

Guest VLAN

You can configure a guest VLAN to accommodate MAC authentication users that have failed MAC authentication on the port. Users in the MAC authentication guest VLAN can access a limited set of network resources, such as a software server, to download anti-virus software and system patches. If no MAC authentication guest VLAN is configured, the user that fails MAC authentication cannot access any network resources.

If a user in the guest VLAN later passes MAC authentication, it is removed from the guest VLAN and can access all authorized network resources. Otherwise, the user remains in the MAC authentication guest VLAN.

 

 

NOTE:

A hybrid port is always assigned to a guest VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

 

MAC authentication configuration task list

Perform these tasks to configure MAC authentication:

Task                                                               Remarks
Basic configuration for MAC authentication
  Configuring MAC authentication globally                          Required
  Configuring MAC authentication on a port                         Required
Specifying an authentication domain for MAC authentication users   Optional
Configuring a MAC authentication guest VLAN                        Optional

 

Basic configuration for MAC authentication

Configuration prerequisites

·          Create and configure an authentication domain, also called an ISP domain.

·          For local authentication, create local user accounts, and specify the lan-access service for the accounts.

·          For RADIUS authentication, check that the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server.

 

 

NOTE:

If you are using MAC-based accounts, ensure that the username and password of each account are the same as the MAC address of the corresponding MAC authentication user, in the format configured with the mac-authentication user-name-format command.

 

Configuration procedure

MAC authentication can take effect on a port only when it is enabled globally and on the port.

Configuring MAC authentication globally

Follow these steps to configure MAC authentication globally:

1. Enter system view.
   Command: system-view

2. Enable MAC authentication globally. (Required)
   Command: mac-authentication
   Remarks: Disabled by default.

3. Configure the MAC authentication timers. (Optional)
   Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
   Remarks: By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.

4. Configure the properties of MAC authentication user accounts. (Optional)
   Command: mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }
   Remarks: By default, the username and password of a MAC authentication user account are the MAC address of the user in lowercase without hyphens.
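To see exactly what the user-name-format options change, here is an added Python example; it is not H3C code and does not talk to a switch. It derives the username and password the device presents for a client MAC under each combination of with-hyphen/without-hyphen and lowercase/uppercase, and for the fixed (shared) account, so an administrator can pre-create matching accounts on the RADIUS server or with local-user. The default fixed account name "mac" is taken from the "Fixed username:mac" line of the display mac-authentication output in the configuration examples of this chapter, and the optional @domain suffix mirrors the user@domain form shown by display connection; both are modelled here as assumptions. Because the credential is simply the frame's source MAC address, any host that sends frames with that address presents the same username and password; the format options change only its spelling.

```python
"""Credentials a MAC-authentication port presents for a client, per the
`mac-authentication user-name-format` options (added example, not H3C code)."""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Reduce any common MAC notation (00-e0-fc-12-34-56, 00e0-fc12-3456,
    00:e0:fc:12:34:56, 00e0fc123456) to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", raw.strip()).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def format_mac(raw, with_hyphen=False, uppercase=False):
    """Spell a MAC the way `user-name-format mac-address [with-hyphen|without-hyphen]
    [lowercase|uppercase]` does; the defaults are the device defaults
    (no hyphens, lowercase)."""
    digits = normalize_mac(raw)
    text = "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits
    return text.upper() if uppercase else text


def mac_auth_credentials(mac, fmt="mac-address", with_hyphen=False, uppercase=False,
                         fixed_account="mac", fixed_password=None,
                         domain=None, send_domain=True):
    """Return (username, password) the device submits for one client MAC.

    fmt "mac-address": username and password are both the formatted MAC.
    fmt "fixed": the shared account. The default account name "mac" is an
    assumption read off the "Fixed username:mac" display line; the default
    password is "not configured", modelled as None.
    domain / send_domain: the user@domain form that display connection shows;
    send_domain=False models `user-name-format without-domain` in the RADIUS scheme.
    """
    if fmt == "mac-address":
        username = password = format_mac(mac, with_hyphen, uppercase)
    elif fmt == "fixed":
        username, password = fixed_account, fixed_password
    else:
        raise ValueError(f"unknown user-name-format {fmt!r}")
    if domain and send_domain:
        username = f"{username}@{domain}"
    return username, password


def account_table(macs, **options):
    """The account list to pre-create on the RADIUS server (or with local-user)
    for the given client MACs under one user-name-format setting."""
    return [mac_auth_credentials(m, **options) for m in macs]


if __name__ == "__main__":
    # The local example in this chapter: with-hyphen lowercase, domain aabbcc.net.
    print(mac_auth_credentials("00e0-fc12-3456", with_hyphen=True, domain="aabbcc.net"))
```

Run it against the MAC list exported from your asset inventory to generate the accounts before enabling the feature on a port; a mismatch in hyphenation or case between the RADIUS database and the user-name-format setting is the usual cause of every client landing in the quiet state.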

 

Configuring MAC authentication on a port

Follow these steps to configure MAC authentication on a port:

1. Enter system view.
   Command: system-view

2. Enable MAC authentication on the port. (Required)
   Use either approach: enable it for ports in bulk in system view, or for an individual port in interface view.
   In system view:
     Command: mac-authentication interface interface-list
   In interface view:
     Commands: interface interface-type interface-number
               mac-authentication
   Remarks: Disabled by default.

3. Set the maximum number of concurrent MAC authentication users allowed on the port. (Optional)
   Command: mac-authentication max-user user-number
   Remarks: The default setting is 256.

 

 

NOTE:

You cannot add a MAC authentication enabled port into a link aggregation group, or enable MAC authentication on a port that is already in a link aggregation group.

 

Specifying an authentication domain for MAC authentication users

By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways:

·          Specify a global authentication domain in system view. This domain setting applies to all ports.

·          Specify an authentication domain for an individual port in interface view.

MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see the chapter “AAA configuration.”

Follow these steps to specify an authentication domain for MAC authentication users:

1. Enter system view.
   Command: system-view

2. Specify an authentication domain for MAC authentication users. (Required; use either approach)
   Globally, in system view:
     Command: mac-authentication domain domain-name
   For an individual port, in interface view:
     Commands: interface interface-type interface-number
               mac-authentication domain domain-name
   Remarks: By default, the system default authentication domain is used for MAC authentication users.

 

Configuring a MAC authentication guest VLAN

Configuration prerequisites

Before you configure a MAC authentication guest VLAN on a port, complete the following tasks:

·          Enable MAC authentication.

·          Enable MAC-based VLAN on the port.

·          Create the VLAN to be specified as the MAC authentication guest VLAN.

Configuration procedure

Follow these steps to configure a MAC authentication guest VLAN:

1. Enter system view.
   Command: system-view

2. Enter interface view.
   Command: interface interface-type interface-number

3. Specify a MAC authentication guest VLAN. (Required)
   Command: mac-authentication guest-vlan guest-vlan-id
   Remarks: By default, no MAC authentication guest VLAN is configured. You can configure only one MAC authentication guest VLAN on a port.

 

Follow the guidelines in Table 1 when configuring a MAC authentication guest VLAN on a port.

Table 1 Relationships of the MAC authentication guest VLAN with other security features

Feature: Quiet function of MAC authentication
  Relationship: The MAC authentication guest VLAN function has higher priority. A user that fails authentication is added to the guest VLAN rather than being silenced, and can access any resources in the guest VLAN.
  Reference: MAC authentication configuration in the Security Configuration Guide

Feature: Port intrusion protection
  Relationship: The MAC authentication guest VLAN function has higher priority than the block MAC action but lower priority than the shut down port action of the port intrusion protection feature.
  Reference: Port security configuration in the Security Configuration Guide

Feature: 802.1X guest VLAN on a port that performs MAC-based access control
  Relationship: The MAC authentication guest VLAN has lower priority than the 802.1X guest VLAN.
  Reference: 802.1X configuration in the Security Configuration Guide

Feature: Free IP of EAD fast deployment
  Relationship: The MAC authentication guest VLAN is mutually exclusive with the free IP configuration.
  Reference: EAD fast deployment configuration in the Security Configuration Guide

 

Displaying and maintaining MAC authentication

Display MAC authentication information (available in any view):
  display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

Clear MAC authentication statistics (available in user view):
  reset mac-authentication statistics [ interface interface-list ]
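A small parser for the display mac-authentication output, as an added Python example that is not part of the H3C documentation. It turns the text into a structure and flags ports with authentication failures and MAC addresses currently in the quiet (silent) state, which is what an operator watching for rogue or misconfigured hosts wants from this command. The sample output is constructed from the output shown in this chapter's configuration examples; the silent entry 0011-2233-4455 and the GigabitEthernet1/0/2 block are invented for illustration, and the column layout of a populated silent-MAC row is an assumption.

```python
"""Parse `display mac-authentication` output and report what needs attention
(added example; the sample text is constructed from this chapter's output)."""
import re

# Constructed sample. The 0011-2233-4455 silent entry and the 1/0/2 block are
# invented; the silent-MAC row layout is an assumption.
SAMPLE_OUTPUT = """\
MAC address authentication is enabled.
 User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx
 Fixed username:mac
 Fixed password:not configured
          Offline detect period is 180s
          Quiet period is 180s.
          Server response timeout value is 100s
          The max allowed user number is 1024 per slot
          Current user number amounts to 1
          Current domain is aabbcc.net
Silent Mac User info:
          MAC Addr         From Port                    Port Index
          0011-2233-4455   GigabitEthernet1/0/2         2
Gigabitethernet1/0/1 is link-up
  MAC address authentication is enabled
  Authenticate success: 1, failed: 0
 Max number of on-line users is 256
  Current online user number is 1
          MAC Addr         Authenticate state           Auth Index
          00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS     29
Gigabitethernet1/0/2 is link-up
  MAC address authentication is enabled
  Authenticate success: 0, failed: 3
 Max number of on-line users is 256
  Current online user number is 0
          MAC Addr         Authenticate state           Auth Index
"""

PORT_HEADER = re.compile(r"^(\S+) is (link-up|link-down)$", re.I)
COUNTERS = re.compile(r"Authenticate success:\s*(\d+),\s*failed:\s*(\d+)")
TIMER = re.compile(r"(Offline detect period|Quiet period|Server response timeout value) is (\d+)s")
DOMAIN = re.compile(r"Current domain is (\S+)")
MAC = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.I)


def parse_display_mac_authentication(text):
    """Return {'enabled', 'timers', 'domain', 'silent', 'ports'} from the output."""
    result = {"enabled": False, "timers": {}, "domain": None, "silent": [], "ports": {}}
    section, port = "global", None  # the output runs global -> silent -> per-port blocks
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if section == "global":
            if line.startswith("MAC address authentication is enabled"):
                result["enabled"] = True
                continue
            m = TIMER.search(line)
            if m:
                result["timers"][m.group(1)] = int(m.group(2))
                continue
            m = DOMAIN.search(line)
            if m:
                result["domain"] = m.group(1)
                continue
        if line.startswith("Silent Mac User info"):
            section = "silent"
            continue
        m = PORT_HEADER.match(line)
        if m:
            section, port = "port", m.group(1)
            result["ports"][port] = {"link": m.group(2), "success": 0, "failed": 0, "online": []}
            continue
        fields = line.split()
        if section == "silent" and MAC.match(fields[0]):
            result["silent"].append({"mac": fields[0], "port": fields[1]})
        elif section == "port":
            m = COUNTERS.search(line)
            if m:
                result["ports"][port]["success"] = int(m.group(1))
                result["ports"][port]["failed"] = int(m.group(2))
            elif MAC.match(fields[0]):
                result["ports"][port]["online"].append({"mac": fields[0], "state": fields[1]})
    return result


def findings(parsed, fail_threshold=1):
    """Conditions an operator would want to be told about."""
    out = []
    if not parsed["enabled"]:
        out.append("MAC authentication is disabled globally")
    for name, p in parsed["ports"].items():
        if p["failed"] >= fail_threshold:
            out.append(f"{name}: {p['failed']} failed authentication(s)")
    for s in parsed["silent"]:
        out.append(f"{s['mac']} is in quiet state (silent) on {s['port']}")
    return out


if __name__ == "__main__":
    for line in findings(parse_display_mac_authentication(SAMPLE_OUTPUT)):
        print(line)
```

Feed it the output captured over SSH on a schedule; a rising failed counter on one port, or a MAC that keeps reappearing in the silent list after every quiet period, is the first visible sign of a host whose address is not in the account database.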

 

MAC authentication configuration examples

Local MAC authentication configuration example

Network requirements

In the network in Figure 1, perform local MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Ensure that:

·          All users belong to domain aabbcc.net.

·          Local users use their MAC address as the username and password for MAC authentication. The MAC addresses are hyphen separated and in lower case.

·          The access device detects whether a user has gone offline every 180 seconds. When a user fails authentication, the device does not authenticate the user within 180 seconds.

Figure 1 Local MAC authentication

 

Configuration procedure

1.        Configure local MAC authentication

# Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address of the user host, and enable LAN access service for the account.

<Device> system-view

[Device] local-user 00-e0-fc-12-34-56

[Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56

[Device-luser-00-e0-fc-12-34-56] service-type lan-access

[Device-luser-00-e0-fc-12-34-56] quit

# Configure ISP domain aabbcc.net to perform local authentication for LAN access users.

[Device] domain aabbcc.net

[Device-isp-aabbcc.net] authentication lan-access local

[Device-isp-aabbcc.net] quit

# Enable MAC authentication globally.

[Device] mac-authentication

# Enable MAC authentication on port GigabitEthernet 1/0/1.

[Device] mac-authentication interface gigabitethernet 1/0/1

# Specify the ISP domain for MAC authentication.

[Device] mac-authentication domain aabbcc.net

# Set the MAC authentication timers.

[Device] mac-authentication timer offline-detect 180

[Device] mac-authentication timer quiet 180

# Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lowercase.

[Device] mac-authentication user-name-format mac-address with-hyphen lowercase

2.        Verify the configuration

# Display MAC authentication settings and statistics.

<Device> display mac-authentication

MAC address authentication is enabled.

 User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx

 Fixed username:mac

 Fixed password:not configured

          Offline detect period is 180s

          Quiet period is 180s.

          Server response timeout value is 100s

          The max allowed user number is 1024 per slot

          Current user number amounts to 1

          Current domain is aabbcc.net

Silent Mac User info:

          MAC Addr         From Port                    Port Index

Gigabitethernet1/0/1 is link-up

  MAC address authentication is enabled

  Authenticate success: 1, failed: 0

 Max number of on-line users is 256

  Current online user number is 1

          MAC Addr         Authenticate state           Auth Index

          00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS     29

# After the user passes authentication, use the display connection command to display the online user information.

<Device> display connection

 

Index=29  ,Username=00-e0-fc-12-34-56@aabbcc.net

MAC=00e0-fc12-3456

IP=N/A

IPv6=N/A

 Total 1 connection(s) matched.

RADIUS-based MAC authentication configuration example

Network requirements

As shown in Figure 2, a host connects to port GigabitEthernet 1/0/1 on the access device. The device uses RADIUS servers for authentication, authorization, and accounting.

Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Ensure that:

·          The device detects whether a user has gone offline every 180 seconds. If a user fails authentication, the device does not authenticate the user within 180 seconds.

·          All MAC authentication users belong to ISP domain 2000 and share the user account aaa with password 123456.

Figure 2 RADIUS-based MAC authentication

 

Configuration procedure

 

 

NOTE:

Ensure that the RADIUS server and the access device can reach each other. Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account.

 

1.        Configure RADIUS-based MAC authentication on the device

# Configure a RADIUS scheme.

<Device> system-view

[Device] radius scheme 2000

[Device-radius-2000] primary authentication 10.1.1.1 1812

[Device-radius-2000] primary accounting 10.1.1.2 1813

[Device-radius-2000] key authentication abc

[Device-radius-2000] key accounting abc

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.

[Device] domain 2000

[Device-isp-2000] authentication default radius-scheme 2000

[Device-isp-2000] authorization default radius-scheme 2000

[Device-isp-2000] accounting default radius-scheme 2000

[Device-isp-2000] quit

# Enable MAC authentication globally.

[Device] mac-authentication

# Enable MAC authentication on port GigabitEthernet 1/0/1.

[Device] mac-authentication interface gigabitethernet 1/0/1

# Specify the ISP domain for MAC authentication.

[Device] mac-authentication domain 2000

# Set the MAC authentication timers.

[Device] mac-authentication timer offline-detect 180

[Device] mac-authentication timer quiet 180

# Specify username aaa and password 123456 for the account shared by MAC authentication users.

[Device] mac-authentication user-name-format fixed account aaa password simple 123456

2.        Verify the configuration

# Display MAC authentication settings and statistics.

<Device> display mac-authentication

MAC address authentication is enabled.

User name format is fixed account

 Fixed username:aaa

 Fixed password:123456

          Offline detect period is 180s

          Quiet period is 180s.

          Server response timeout value is 100s

          The max allowed user number is 1024 per slot

          Current user number amounts to 1

          Current domain is 2000

Silent Mac User info:

         MAC ADDR               From Port           Port Index

Gigabitethernet1/0/1 is link-up

  MAC address authentication is enabled

  Authenticate success: 1, failed: 0

 Max number of on-line users is 256

  Current online user number is 1

    MAC ADDR         Authenticate state           Auth Index

    00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS     29

# After a user passes MAC authentication, use the display connection command to display online user information.

<Device> display connection

 

Index=29  ,Username=aaa@2000

MAC=00e0-fc12-3456

IP=N/A

IPv6=N/A

 Total 1 connection(s) matched.
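The RADIUS exchange that the configuration above produces, as an added Python example that is not H3C code: a PAP Access-Request carrying the MAC-authentication credentials, the RFC 2865 User-Password hiding, the server's Accept/Reject decision, and the client-side Response Authenticator check that lets the device reject a reply from a mis-keyed or forged server. The shared key abc is taken from the radius scheme above; the NAS IP address 10.1.1.10 and the attribute set sent with the request are assumptions. Note what the secret does and does not protect: it authenticates the RADIUS exchange between switch and server, while the client's own credential is still just the username and password chosen by user-name-format.

```python
"""RADIUS PAP exchange for MAC authentication, RFC 2865 (added example)."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_ETHERNET = 15

SHARED_KEY = b"abc"      # from `key authentication abc` in the scheme above
NAS_IP = "10.1.1.10"     # assumption: the page does not give the switch's address


def _attr(atype, value):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([atype, len(value) + 2]) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of hide_password; strips the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret=SHARED_KEY,
                         nas_ip=NAS_IP, authenticator=None):
    """What the access device sends to `primary authentication 10.1.1.1 1812`."""
    req_auth = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2:
            raise ValueError("bad attribute length")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_response(request, secret, accounts):
    """Minimal server decision: reveal User-Password, compare with the account
    database, and sign the reply with the Response Authenticator
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if user in accounts and accounts[user] == pw else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # no reply attributes in this example
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response, request, secret):
    """Client side: drop replies whose identifier or Response Authenticator
    does not match; this is how the device detects a forged or mis-keyed
    server. Returns the response code."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or response[4:20] != expected:
        raise ValueError("RADIUS response authenticator mismatch")
    return code


if __name__ == "__main__":
    accounts = {"aaa": "123456", "00-e0-fc-12-34-56": "00-e0-fc-12-34-56"}
    req = build_access_request(1, "aaa", "123456")          # fixed account from the example
    print(verify_response(server_response(req, SHARED_KEY, accounts), req, SHARED_KEY))
```

The server timeout timer in this chapter governs how long the device waits for the reply built by server_response; a reply that fails verify_response is discarded as if none arrived, so a mismatched key between scheme and server shows up as authentication failures and quiet-state MACs rather than as an explicit error.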

ACL assignment configuration example

Network requirements

As shown in Figure 3, a host connects to port GigabitEthernet 1/0/1 on an access device and the device uses RADIUS servers to perform authentication, authorization, and accounting.

Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Ensure that an authenticated user can access the Internet but not the FTP server at 10.0.0.1.

Use MAC-based user accounts for MAC authentication users. The MAC addresses are hyphen separated and in lower case.

Figure 3 ACL assignment

 

Configuration procedure

 

 

NOTE:

Check that the RADIUS server and the access device can reach each other.

 

1.        Configure the ACL assignment

# Configure ACL 3000 to deny packets destined for 10.0.0.1.

<Sysname> system-view

[Sysname] acl number 3000

[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0

[Sysname-acl-adv-3000] quit

2.        Configure RADIUS-based MAC authentication on the device

# Configure a RADIUS scheme.

[Sysname] radius scheme 2000

[Sysname-radius-2000] primary authentication 10.1.1.1 1812

[Sysname-radius-2000] primary accounting 10.1.1.2 1813

[Sysname-radius-2000] key authentication abc

[Sysname-radius-2000] key accounting abc

[Sysname-radius-2000] user-name-format without-domain

[Sysname-radius-2000] quit

# Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.

[Sysname] domain 2000

[Sysname-isp-2000] authentication default radius-scheme 2000

[Sysname-isp-2000] authorization default radius-scheme 2000

[Sysname-isp-2000] accounting default radius-scheme 2000

[Sysname-isp-2000] quit

# Enable MAC authentication globally.

[Sysname] mac-authentication

# Specify the ISP domain for MAC authentication.

[Sysname] mac-authentication domain 2000

# Configure the device to use MAC-based user accounts, and the MAC addresses are hyphen separated and in lowercase.

[Sysname] mac-authentication user-name-format mac-address with-hyphen lowercase

# Enable MAC authentication for port GigabitEthernet 1/0/1.

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] mac-authentication

3.        Configure the RADIUS servers

# Add a user account with 00-e0-fc-12-34-56 as both the username and password on the RADIUS server, and specify ACL 3000 as the authorization ACL for the user account.

Omitted.

4.        Verify the configuration

After the host passes authentication, perform the display connection command on the device to view online user information.

[Sysname-GigabitEthernet1/0/1] display connection

 

Index=9   , Username=00-e0-fc-12-34-56@2000

 IP=N/A

 IPv6=N/A

 MAC=00e0-fc12-3456

 

Total 1 connection(s) matched.

Ping the FTP server from the host to verify that the ACL 3000 has been assigned to port GigabitEthernet 1/0/1 to deny access to the FTP server.

C:\>ping 10.0.0.1

 

Pinging 10.0.0.1 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

 

Ping statistics for 10.0.0.1:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 
