- Table of Contents
-
- 09-Security Configuration Guide
- 00-Preface
- 01-AAA configuration
- 02-802.1X configuration
- 03-MAC authentication configuration
- 04-Portal configuration
- 05-Web authentication configuration
- 06-Triple authentication configuration
- 07-Port security configuration
- 08-User profile configuration
- 09-Password control configuration
- 10-Public key management
- 11-PKI configuration
- 12-IPsec configuration
- 13-SSH configuration
- 14-SSL configuration
- 15-Attack detection and prevention configuration
- 16-TCP attack prevention configuration
- 17-IP source guard configuration
- 18-ARP attack protection configuration
- 19-ND attack defense configuration
- 20-SAVI configuration
- 21-MFF configuration
- 22-Crypto engine configuration
- 23-FIPS configuration
- 24-802.1X client configuration
- Related Documents
-
Title | Size | Download |
---|---|---|
07-Port security configuration | 230.59 KB |
Restrictions and guidelines: Port security configuration
Port security tasks at a glance
Setting the port security mode
Setting port security's limit on the number of secure MAC addresses on a port
Configuring secure MAC addresses
Enabling inactivity aging for secure MAC addresses
Enabling the dynamic secure MAC feature
Configuring intrusion protection
Ignoring authorization information from the server
Enabling the authorization-fail-offline feature
Setting port security's limit on the number of MAC addresses for specific VLANs on a port
Enabling open authentication mode
Configuring free VLANs for port security
Applying a NAS-ID profile to port security
Enabling traffic statistics for MAC authentication and 802.1X users
Enabling SNMP notifications for port security
Enabling port security user logging
Display and maintenance commands for port security
Port security configuration examples
Example: Configuring port security in autoLearn mode
Example: Configuring port security in userLoginWithOUI mode
Example: Configuring port security in macAddressElseUserLoginSecure mode
Cannot set the port security mode
Cannot configure secure MAC addresses
Configuring port security
About port security
Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. The feature applies to ports that use different authentication methods for users.
Major functions
Port security provides the following functions:
· Prevents unauthorized access to a network by checking the source MAC address of inbound traffic.
· Prevents access to unauthorized devices or hosts by checking the destination MAC address of outbound traffic.
· Controls MAC address learning and authentication on a port to make sure the port learns only source trusted MAC addresses.
Port security features
NTK
The need to know (NTK) feature prevents traffic interception by checking the destination MAC address in the outbound frames. The feature ensures that frames are sent only to the following hosts:
· Hosts that have passed authentication.
· Hosts whose MAC addresses have been learned or configured on the access device.
Intrusion protection
The intrusion protection feature checks the source MAC address in inbound frames for illegal frames, and takes a predefined action on each detected illegal frame. The action can be disabling the port temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for 3 minutes (not user configurable).
A frame is illegal if its source MAC address cannot be learned in a port security mode or it is from a client that has failed 802.1X or MAC authentication.
Port security modes
Port security supports the following categories of security modes:
· MAC learning control—Includes two modes: autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
· Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action, or sends SNMP notifications. Outgoing frames are not restricted by port security's NTK action unless they trigger the NTK feature.
Table 1 describes the port security modes and the security features.
Purpose |
Security mode |
Features that can be triggered |
|
Turning off the port security feature |
noRestrictions (the default mode) In this mode, port security is disabled on the port and access to the port is not restricted. |
N/A |
|
autoLearn |
NTK/intrusion protection |
||
secure |
|||
userLogin |
N/A |
||
userLoginSecure |
NTK/intrusion protection |
||
userLoginSecureExt |
|||
userLoginWithOUI |
|||
macAddressWithRadius |
NTK/intrusion protection |
||
Performing a combination of MAC authentication and 802.1X authentication |
Or |
macAddressOrUserLoginSecure |
NTK/intrusion protection |
macAddressOrUserLoginSecureExt |
|||
Else |
macAddressElseUserLoginSecure |
||
macAddressElseUserLoginSecureExt |
The mode names are illustrated as follows:
· userLogin specifies 802.1X authentication and port-based access control. userLogin with Secure specifies 802.1X authentication and MAC-based access control. Ext indicates allowing multiple 802.1X users to be authenticated and serviced at the same time. A security mode without Ext allows only one user to pass 802.1X authentication.
· macAddress specifies MAC authentication.
· Else specifies that the authentication method before Else is applied first. If the authentication fails, whether to turn to the authentication method following Else depends on the protocol type of the authentication request.
· Or specifies that the authentication method following Or is applied first. If the authentication fails, the authentication method before Or is applied.
Controlling MAC address learning
· autoLearn.
A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC address. Instead, these MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
A port in autoLearn mode allows frames sourced from the following MAC addresses to pass:
¡ Secure MAC addresses.
¡ MAC addresses configured by using the mac-address dynamic and mac-address static commands.
When the number of secure MAC addresses reaches the upper limit, the port transitions to secure mode.
· secure.
MAC address learning is disabled on a port in secure mode. You configure MAC addresses by using the mac-address static and mac-address dynamic commands. For more information about configuring MAC address table entries, see Layer 2—LAN Switching Configuration Guide.
A port in secure mode allows only frames sourced from the following MAC addresses to pass:
¡ Secure MAC addresses.
¡ MAC addresses configured by using the mac-address dynamic and mac-address static commands.
Performing 802.1X authentication
· userLogin.
A port in this mode performs 802.1X authentication and implements port-based access control. The port can service multiple 802.1X users. Once an 802.1X user passes authentication on the port, any subsequent 802.1X users can access the network through the port without authentication.
· userLoginSecure.
A port in this mode performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.
· userLoginSecureExt.
This mode is similar to the userLoginSecure mode except that this mode supports multiple online 802.1X users.
· userLoginWithOUI.
This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specific OUI.
In this mode, the port performs OUI check at first. If the OUI check fails, the port performs 802.1X authentication. The port permits frames that pass OUI check or 802.1X authentication.
|
NOTE: An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC addresses, the first three octets are the OUI. |
Performing MAC authentication
macAddressWithRadius: A port in this mode performs MAC authentication, and services multiple users.
Performing a combination of MAC authentication and 802.1X authentication
· macAddressOrUserLoginSecure.
This mode is the combination of the macAddressWithRadius and userLoginSecure modes. The mode allows one 802.1X authentication user and multiple MAC authentication users to log in.
In this mode, the port performs 802.1X authentication first. By default, if 802.1X authentication fails, MAC authentication is performed.
However, the port in this mode processes authentication differently when the following conditions exist:
¡ The port is enabled with parallel processing of MAC authentication and 802.1X authentication.
¡ The port is enabled with the 802.1X unicast trigger.
¡ The port receives a packet from an unknown MAC address.
Under such conditions, the port sends a unicast EAP-Request/Identity packet to the MAC address to initiate 802.1X authentication. After that, the port immediately processes MAC authentication without waiting for the 802.1X authentication result.
· macAddressOrUserLoginSecureExt.
This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode supports multiple 802.1X and MAC authentication users.
· macAddressElseUserLoginSecure.
This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies. The mode allows one 802.1X authentication user and multiple MAC authentication users to log in.
In this mode, the port performs MAC authentication upon receiving non-802.1X frames. Upon receiving 802.1X frames, the port performs MAC authentication and then, if the authentication fails, 802.1X authentication.
· macAddressElseUserLoginSecureExt.
This mode is similar to the macAddressElseUserLoginSecure mode except that this mode supports multiple 802.1X and MAC authentication users as the Ext keyword implies.
Restrictions and guidelines: Port security configuration
This feature applies to networks, such as a WLAN, that require different authentication methods for different users on a port.
As a best practice, use the 802.1X authentication or MAC authentication feature rather than port security for scenarios that require only 802.1X authentication or MAC authentication. For more information about 802.1X and MAC authentication, see "Configuring 802.1X" and "Configuring MAC authentication."
Port security settings are supported only on Layer 2 Ethernet interfaces that do not belong to a Layer 2 aggregation group.
Port security tasks at a glance
To configure port security, perform the following tasks:
1. Configuring basic features of port security
¡ Setting the port security mode
¡ Setting port security's limit on the number of secure MAC addresses on a port
¡ Configuring secure MAC addresses
¡ (Optional.) Configuring NTK
¡ (Optional.) Configuring intrusion protection
2. (Optional.) Configuring extended features of port security
¡ Ignoring authorization information from the server
¡ Enabling the authorization-fail-offline feature
¡ Setting port security's limit on the number of MAC addresses for specific VLANs on a port
¡ Enabling open authentication mode
¡ Configuring free VLANs for port security
¡ Applying a NAS-ID profile to port security
¡ Enabling traffic statistics for MAC authentication and 802.1X users
The extended port security features can also take effect when port security is disabled but 802.1X or MAC authentication is enabled.
3. (Optional.) Enabling SNMP notifications for port security
4. (Optional.) Enabling port security user logging
Enabling port security
Restrictions and guidelines
When you configure port security, follow these restrictions and guidelines:
· When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings in different security modes.
· You can use the undo port-security enable command to disable port security. Because the command logs off online users, make sure no online users are present.
· Enabling or disabling port security resets the following security settings to the default:
¡ 802.1X access control mode, which is MAC-based.
¡ Port authorization state, which is auto.
For more information about 802.1X authentication and MAC authentication configuration, see "Configuring 802.1X" and "Configuring MAC authentication."
Prerequisites
Before you enable port security, disable 802.1X and MAC authentication globally.
Procedure
1. Enter system view.
system-view
2. Enable port security.
port-security enable
By default, port security is disabled.
Setting the port security mode
Restrictions and guidelines
You can specify a port security mode when port security is disabled, but your configuration cannot take effect.
Changing the port security mode of a port logs off the online users of the port.
Do not enable 802.1X authentication or MAC authentication on a port where port security is enabled.
After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, first use the undo port-security port-mode command to restore the default port security mode.
The device supports the URL attribute assigned by a RADIUS server in the following port security modes:
· mac-authentication.
· mac-else-userlogin-secure.
· mac-else-userlogin-secure-ext.
· userlogin-secure.
· userlogin-secure-ext.
· userlogin-secure-or-mac.
· userlogin-secure-or-mac-ext.
· userlogin-withoui.
During authentication, the HTTP or HTTPS requests of a user are redirected to the Web interface specified by the server-assigned URL attribute. After the user passes the Web authentication, the RADIUS server records the MAC address of the user and uses a DM (Disconnect Message) to log off the user. When the user initiates 802.1X or MAC authentication again, it will pass the authentication and come online successfully.
To redirect the HTTPS requests of port security users, specify the HTTPS redirect listening port on the device. For more information, see HTTP redirect in Layer 3—IP Services Configuration Guide.
Prerequisites
Before you set a port security mode for a port, complete the following tasks:
· Disable 802.1X and MAC authentication.
· If you are configuring the autoLearn mode, set port security's limit on the number of secure MAC addresses. You cannot change the setting when the port is operating in autoLearn mode.
Procedure
1. Enter system view.
system-view
2. Set an OUI value for user authentication.
port-security oui index index-value mac-address oui-value
By default, no OUI values are configured for user authentication.
This command is required only for the userlogin-withoui mode.
You can set multiple OUIs, but when the port security mode is userlogin-withoui, the port allows one 802.1X user and only one user that matches one of the specified OUIs.
3. Enter interface view.
interface interface-type interface-number
4. Set the port security mode.
port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
By default, a port operates in noRestrictions mode.
Setting port security's limit on the number of secure MAC addresses on a port
About port security's limit on the number of secure MAC addresses on a port
You can set the maximum number of secure MAC addresses that port security allows on a port for the following purposes:
· Controlling the number of concurrent users on the port.
For a port operating in a security mode (except for autoLearn and secure), the upper limit equals the smaller of the following values:
¡ The limit of the secure MAC addresses that port security allows.
¡ The limit of concurrent users allowed by the authentication mode in use.
· Controlling the number of secure MAC addresses on the port in autoLearn mode.
You can also set the maximum number of secure MAC addresses that port security allows for specific VLANs or each VLAN on a port.
Port security's limit on the number of secure MAC addresses on a port is independent of the MAC learning limit described in MAC address table configuration. For more information about MAC address table configuration, see Layer 2—LAN Switching Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the maximum number of secure MAC addresses allowed on a port.
port-security max-mac-count max-count[ vlan [ vlan-id-list ] ]
By default, port security does not limit the number of secure MAC addresses on a port.
Configuring secure MAC addresses
About secure MAC addresses
Secure MAC addresses are configured or learned in autoLearn mode. If the secure MAC addresses are saved, they can survive a device reboot. You can bind a secure MAC address only to one port in a VLAN.
Secure MAC addresses include static, sticky, and dynamic secure MAC addresses.
Table 2 Comparison of static, sticky, and dynamic secure MAC addresses
Type |
Address sources |
Aging mechanism |
Can be saved and survive a device reboot? |
Static |
Manually added (by using the port-security mac-address security command without the sticky keyword). |
Not available. The static secure MAC addresses never age out unless you perform any of the following tasks: · Manually remove these MAC addresses. · Change the port security mode. · Disable the port security feature. |
Yes. |
Sticky |
· Manually added (by using the port-security mac-address security command with the sticky keyword). · Converted from dynamic secure MAC addresses. · Automatically learned when the dynamic secure MAC feature is disabled. |
By default, sticky MAC addresses do not age out. However, you can configure an aging timer or use the aging timer together with the inactivity aging feature to remove old sticky MAC addresses. · If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC addresses. · If both the aging timer and the inactivity aging feature are configured, the aging timer restarts once traffic data is detected from the sticky MAC addresses. |
Yes. The secure MAC aging timer restarts at a reboot. |
Dynamic |
· Converted from sticky MAC addresses. · Automatically learned after the dynamic secure MAC feature is enabled. |
Same as sticky MAC addresses. |
No. All dynamic secure MAC addresses are lost at reboot. |
When the maximum number of secure MAC address entries is reached, the port changes to secure mode. In secure mode, the port cannot add or learn any more secure MAC addresses. The port allows only frames sourced from secure MAC addresses or MAC addresses configured by using the mac-address dynamic or mac-address static command to pass through.
Prerequisites
Before you configure secure MAC addresses, complete the following tasks:
· Set port security's limit on the number of MAC addresses on the port. Perform this task before you enable autoLearn mode.
· Set the port security mode to autoLearn.
· Configure the port to permit packets of the specified VLAN to pass or add the port to the VLAN. Make sure the VLAN already exists.
Adding secure MAC addresses
1. Enter system view.
system-view
2. Set the secure MAC aging timer.
port-security timer autolearn aging [ second ] time-value
By default, secure MAC addresses do not age out.
3. Configure a secure MAC address.
¡ Configure a secure MAC address in system view.
port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id
¡ Execute the following commands in sequence to configure a secure MAC address in interface view:
interface interface-type interface-number
port-security mac-address security [ sticky ] mac-address vlan vlan-id
By default, no manually configured secure MAC addresses exist.
In a VLAN, a MAC address cannot be specified as both a static secure MAC address and a sticky MAC address.
Enabling inactivity aging for secure MAC addresses
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable inactivity aging for secure MAC addresses.
port-security mac-address aging-type inactivity
By default, the inactivity aging feature is disabled for secure MAC addresses.
Enabling the dynamic secure MAC feature
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable the dynamic secure MAC feature.
port-security mac-address dynamic
By default, the dynamic secure MAC feature is disabled. Sticky MAC addresses can be saved to the configuration file. Once saved, they can survive a device reboot.
Configuring NTK
About the NTK feature
The NTK feature checks the destination MAC address in outbound frames to make sure frames are forwarded only to trustworthy devices.
The NTK feature supports the following modes:
· ntkonly—Forwards only unicast frames with an authenticated destination MAC address.
· ntk-withbroadcasts—Forwards only broadcast and unicast frames with an authenticated destination MAC address.
· ntk-withmulticasts—Forwards only broadcast, multicast, and unicast frames with an authenticated destination MAC address.
· ntkauto—Forwards only broadcast, multicast, and unicast frames with an authenticated destination MAC address, and only when the port has online users.
Restrictions and guidelines
The NTK feature drops any unicast frame with an unknown destination MAC address.
Not all port security modes support triggering the NTK feature. For more information, see Table 1.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the NTK feature.
port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkauto | ntkonly }
By default, NTK is disabled on a port and all frames are allowed to be sent.
Configuring intrusion protection
About intrusion protection
Intrusion protection takes one of the following actions on a port in response to illegal frames:
· blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards the frames. A blocked MAC address will be unblocked in 3 minutes. This interval is not user configurable.
· disableport—Disables the port until you bring it up manually.
· disableport-temporarily—Disables the port for a period of time. The period can be configured with the port-security timer disableport command.
Restrictions and guidelines
On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication fail for the same frame.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the intrusion protection feature.
port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
By default, intrusion protection is disabled.
4. (Optional.) Set the silence timeout period during which a port remains disabled.
a. quit
b. port-security timer disableport time-value
By default, the port silence timeout period is 20 seconds.
Ignoring authorization information from the server
About ignoring authorization information from the server
You can configure a port to ignore the authorization information received from the server (local or remote) after an 802.1X or MAC authentication user passes authentication.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Ignore the authorization information received from the authentication server.
port-security authorization ignore
By default, a port uses the authorization information received from the authentication server.
Configuring MAC move
About MAC move
Port security MAC move takes effect in the following scenarios:
· Inter-port move on a device—An online user authenticated through 802.1X or MAC authentication moves between ports on the device. The user VLAN or authentication method might change or stay unchanged after the move.
· Inter-VLAN move on a port—An online user authenticated through 802.1X or MAC authentication moves between VLANs on a trunk or hybrid port. In addition, the packets that trigger authentication have VLAN tags.
Port security MAC move allows an online user authenticated through 802.1X or MAC authentication on one port or VLAN to be reauthenticated and come online on another port or VLAN without going offline first. After the user passes authentication on the new port or VLAN, the system removes the authentication session of the user on the original port or VLAN.
|
NOTE: For MAC authentication, the MAC move feature applies only when MAC authentication single-VLAN mode is used. The MAC move feature does not apply to MAC authentication users that move between VLANs on a port with MAC authentication multi-VLAN mode enabled. |
If this feature is disabled, 802.1X or MAC authenticated users must go offline first before they can be reauthenticated successfully on a new port or VLAN to come online.
For a user moving between ports, the port from which the user moves is called the source port and the port to which the user moves is called the destination port.
On the destination port, an 802.1X or MAC authentication user will reauthenticate in the VLAN authorized on the source port if the source port is enabled with MAC-based VLAN. If that VLAN is not permitted to pass through on the destination port, reauthentication will fail. To avoid this situation, enable VLAN check bypass on the destination port. This feature skips checking VLAN information in the packets that trigger 802.1X authentication or MAC authentication for users moving to the port.
Restrictions and guidelines
As a best practice to minimize security risks, enable MAC move only if user roaming between ports is required.
802.1X or MAC authenticated users cannot move between ports on a device or between VLANs on a port if the maximum number of online users on the authentication server has been reached.
MAC authentication multi-VLAN mode has higher priority than MAC move for users moving between VLANs on a port. If MAC authentication multi-VLAN mode is enabled, these users can come online in the new VLAN without being reauthenticated. To enable MAC authentication multi-VLAN mode, use the mac-authentication host-mode multi-vlan command. For more information about MAC authentication multi-VLAN mode, see "Configuring MAC authentication."
When you configure VLAN check bypass for users moving between ports, follow these guidelines:
· To ensure a successful reauthentication, enable VLAN check bypass on a destination port if the source port is enabled with MAC-based VLAN.
· If the destination port is an 802.1X-enabled trunk port, you must configure it to send 802.1X protocol packets without VLAN tags. For more information, see "Configuring 802.1X."
Procedure
1. Enter system view.
system-view
2. Enable MAC move.
port-security mac-move permit
By default, MAC move is disabled.
3. (Optional.) Enable VLAN check bypass on the port for users moving to it.
a. Enter interface view.
interface interface-type interface-number
b. Enable VLAN check bypass.
port-security mac-move bypass-vlan-check
By default, the VLAN check bypass feature is disabled.
This command is supported only in Release 6318P01 and later.
Enabling the authorization-fail-offline feature
About the authorization-fail-offline feature
IMPORTANT: The authorization-fail-offline feature takes effect only on port security users that have failed ACL or user profile authorization. |
The authorization-fail-offline feature logs off port security users that have failed authorization.
A user fails authorization in the following situations:
· The device or server fails to assign the specified authorization attribute to the user.
· The device or server assigns authorization information that does not exist on the device to the user.
This feature does not apply to users that have failed VLAN authorization. The device logs off these users directly.
You can also enable the quiet timer feature for 802.1X or MAC authentication users that are logged off by the authorization-fail-offline feature. The device adds these users to the 802.1X or MAC authentication quiet queue. Within the quiet timer, the device does not process packets from these users or authenticate them. If you do not enable the quiet timer feature, the device immediately authenticates these users upon receiving packets from them.
Prerequisites
For the quiet timer feature to take effect, complete the following tasks:
· For 802.1X users, use the dot1x quiet-period command to enable the quiet timer and use the dot1x timer quiet-period command to set the timer.
· For MAC authentication users, use the mac-authentication timer quiet command to set the quiet timer for MAC authentication.
Procedure
1. Enter system view.
system-view
2. Enable the authorization-fail-offline feature.
port-security authorization-fail offline [ quiet-period ]
By default, this feature is disabled, and the device does not log off users that have failed authorization.
Setting port security's limit on the number of MAC addresses for specific VLANs on a port
About port security's limit on the number of MAC addresses for specific VLANs on a port
Typically, port security allows the access of the following types of MAC addresses on a port:
· MAC addresses that pass 802.1X or MAC authentication.
· MAC addresses in the MAC authentication guest VLAN or MAC authentication critical VLAN.
· MAC addresses in the 802.1X guest VLAN, 802.1X Auth-Fail VLAN, or 802.1X critical VLAN.
This feature limits the number of MAC addresses that port security allows to access a port through specific VLANs. Use this feature to prevent resource contentions among MAC addresses and ensure reliable performance for each access user on the port. When the number of MAC addresses in a VLAN on the port reaches the upper limit, the device denies any subsequent MAC addresses in the VLAN on the port.
Restrictions and guidelines
On a port, the maximum number of MAC addresses in a VLAN cannot be smaller than the number of existing MAC addresses in the VLAN. If the specified maximum number is smaller, the setting does not take effect.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set port security's limit on the number of MAC addresses for specific VLANs on the port.
port-security mac-limit max-number per-vlan vlan-id-list
The default setting is 2147483647.
Enabling open authentication mode
About open authentication mode
This feature enables access users (802.1X or MAC authentication users) of a port to come online and access the network even if they use nonexistent usernames or incorrect passwords.
Access users that come online in open authentication mode are called open users. Authorization and accounting are not available for open users. To display open user information, use the following commands:
· display dot1x connection open.
· display mac-authentication connection open.
This feature does not affect the access of users that use correct user information.
Restrictions and guidelines
When you configure open authentication mode, follow these restrictions and guidelines:
· If global open authentication mode is enabled, all ports are enabled with open authentication mode regardless of the port-specific open authentication mode setting. If global open authentication mode is disabled, whether a port is enabled with open authentication mode depends on the port-specific open authentication mode setting.
· The open authentication mode setting has lower priority than the 802.1X Auth-Fail VLAN and the MAC authentication guest VLAN. Open authentication mode does not take effect on a port if the port is also configured with the 802.1X Auth-Fail VLAN or the MAC authentication guest VLAN. For information about 802.1X authentication and MAC authentication, see "802.1X overview," "Configuring 802.1X," and "Configuring MAC authentication."
Procedure
1. Enter system view.
system-view
2. Enable global open authentication mode.
port-security authentication open global
By default, global open authentication mode is disabled.
3. Enter interface view.
interface interface-type interface-number
4. Enable open authentication mode on the port.
port-security authentication open
By default, open authentication mode is disabled on a port.
Configuring free VLANs for port security
About this task
This feature allows packets from the specified VLANs to not trigger 802.1X or MAC authentication on a port configured with any of the following features:
· 802.1X authentication.
· MAC authentication.
· One of the following port security modes:
¡ userLogin.
¡ userLoginSecure.
¡ userLoginWithOUI.
¡ userLoginSecureExt.
¡ macAddressWithRadius.
¡ macAddressOrUserLoginSecure.
¡ macAddressElseUserLoginSecure.
¡ macAddressOrUserLoginSecureExt.
¡ macAddressElseUserLoginSecureExt.
Software and feature compatibility
This feature is supported only in Release 6328 and later.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure free VLANs for port security.
port-security free-vlan vlan-id-list
By default, no free VLANs for port security exist on a port.
Applying a NAS-ID profile to port security
About NAS-ID profiles
By default, the device sends its device name in the NAS-Identifier attribute of all RADIUS requests.
A NAS-ID profile enables you to send different NAS-Identifier attribute strings in RADIUS requests from different VLANs. The strings can be organization names, service names, or any user categorization criteria, depending on the administrative requirements.
For example, map the NAS-ID companyA to all VLANs of company A. The device will send companyA in the NAS-Identifier attribute for the RADIUS server to identify requests from any Company A users.
Restrictions and guidelines
You can apply a NAS-ID profile to port security globally or on a port. On a port, the device selects a NAS-ID profile in the following order:
1. The port-specific NAS-ID profile.
2. The NAS-ID profile applied globally.
If no NAS-ID profile is applied or no matching binding is found in the selected profile, the device uses the device name as the NAS-ID.
For more information about the NAS-ID profile configuration, see "Configuring AAA."
Procedure
1. Enter system view.
system-view
2. Apply a NAS-ID profile.
¡ Apply a NAS-ID profile globally.
port-security nas-id-profile profile-name
¡ Execute the following commands in sequence to apply a NAS-ID profile to an interface:
interface interface-type interface-number
port-security nas-id-profile profile-name
By default, no NAS-ID profile is applied in system view or in interface view.
Enabling traffic statistics for MAC authentication and 802.1X users
About this task
By default, 802.1X and MAC authentication user statistics collected and sent to the accounting server only include the online duration of the users. To collect and send their traffic statistics to the accounting server in addition to their online duration, perform this task.
This feature takes effect on 802.1X and MAC authentication users when port security is enabled, or when 802.1X and MAC authentication are separately enabled on the device.
If a port performs MAC authentication or 802.1X authentication in MAC-based access control mode, this feature collects user traffic statistics on a per-MAC basis on the port.
If a port performs 802.1X authentication in port-based access control mode, this feature collects user traffic statistics on a per-port basis on the port.
With this feature enabled, the device requires more ACL resources for new 802.1X or MAC authentication users. If the device has run out of ACL resources, the authentication will fail for new 802.1X or MAC authentication users.
Restrictions and guidelines
This feature is available in Release 6312 and later.
This feature takes effect only on users that come online after the feature is enabled.
Enable this feature only if traffic accounting is required and only if there are sufficient ACL resources. If the network has a large number of online 802.1X and MAC authentication users when this feature is enabled, ACL resources might become insufficient. This issue causes authentication failure of new 802.1X and MAC authentication users. For more information about 802.1X and MAC authentication, see "Configuring 802.1X" and "Configuring MAC authentication."
Procedure
1. Enter system view.
system-view
2. Enable traffic statistics for 802.1X and MAC authentication users.
port-security traffic-statistics enable
By default, the device does not collect traffic statistics for 802.1X and MAC authentication users.
Enabling SNMP notifications for port security
About SNMP notifications for port security
Use this feature to report critical port security events to an NMS. For port security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for port security.
snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] *
By default, SNMP notifications are disabled for port security.
Enabling port security user logging
About port security user logging
This feature enables the device to generate logs about port security users and send the logs to the information center. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.
Restrictions and guidelines
To prevent excessive port security user log entries, use this feature only if you need to analyze abnormal port security user events.
Procedure
1. Enter system view.
system-view
2. Enable port security user logging.
port-security access-user log enable [ failed-authorization | mac-learning | violation | vlan-mac-limit ] *
By default, port security user logging is disabled.
If you do not specify any parameters, this command enables all types of port security user logs.
Display and maintenance commands for port security
Execute display commands in any view:
Task |
Command |
Display the port security configuration, operation information, and statistics. |
display port-security [ interface interface-type interface-number ] |
Display information about blocked MAC addresses. |
display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] |
Display information about secure MAC addresses. |
display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] |
Port security configuration examples
Example: Configuring port security in autoLearn mode
Network configuration
As shown in Figure 1, configure GigabitEthernet 1/0/1 on the device to meet the following requirements:
· Accept up to 64 users without authentication.
· Be permitted to learn and add MAC addresses as sticky MAC addresses, and set the secure MAC aging timer to 30 minutes.
· Stop learning MAC addresses after the number of secure MAC addresses reaches 64. If any frame with an unknown MAC address arrives, intrusion protection starts, and the port shuts down and stays silent for 30 seconds.
Procedure
# Enable port security.
<Device> system-view
[Device] port-security enable
# Set the secure MAC aging timer to 30 minutes.
[Device] port-security timer autolearn aging 30
# Set port security's limit on the number of secure MAC addresses to 64 on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to autoLearn.
[Device-GigabitEthernet1/0/1] port-security port-mode autolearn
# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
[Device-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Device-GigabitEthernet1/0/1] quit
[Device] port-security timer disableport 30
Verifying the configuration
# Verify the port security configuration.
[Device] display port-security interface gigabitethernet 1/0/1
Global port security parameters:
Port security : Enabled
AutoLearn aging time : 30 min
Disableport timeout : 30 s
Blockmac timeout : 180 s
MAC move : Denied
Authorization fail : Online
NAS-ID profile : Not configured
Dot1x-failure trap : Disabled
Dot1x-logon trap : Disabled
Dot1x-logoff trap : Disabled
Intrusion trap : Disabled
Address-learned trap : Disabled
Mac-auth-failure trap : Disabled
Mac-auth-logon trap : Disabled
Mac-auth-logoff trap : Disabled
Open authentication : Disabled
OUI value list :
Index : 1 Value : 123401
GigabitEthernet1/0/1 is link-up
Port mode : autoLearn
NeedToKnow mode : Disabled
Intrusion protection mode : DisablePortTemporarily
Security MAC address attribute
Learning mode : Sticky
Aging type : Periodical
Max secure MAC addresses : 64
Current secure MAC addresses : 0
Authorization : Permitted
NAS-ID profile : Not configured
Free VLANs : Not configured
Open authentication : Disabled
MAC-move VLAN check bypass : Disabled
The port allows for MAC address learning, and you can view the number of learned MAC addresses in the Current secure MAC addresses field.
# Display additional information about the learned MAC addresses.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] display this
#
interface GigabitEthernet1/0/1
port-security max-mac-count 64
port-security port-mode autolearn
port-security mac-address security sticky 0002-0000-0015 vlan 1
port-security mac-address security sticky 0002-0000-0014 vlan 1
port-security mac-address security sticky 0002-0000-0013 vlan 1
port-security mac-address security sticky 0002-0000-0012 vlan 1
port-security mac-address security sticky 0002-0000-0011 vlan 1
#
[Device-GigabitEthernet1/0/1] quit
# Verify that the port security mode changes to secure after the number of MAC addresses learned by the port reaches 64.
[Device] display port-security interface gigabitethernet 1/0/1
# Verify that the port will be disabled for 30 seconds after it receives a frame with an unknown MAC address. (Details not shown.)
# After the port is re-enabled, delete several secure MAC addresses.
[Device] undo port-security mac-address security sticky 0002-0000-0015 vlan 1
[Device] undo port-security mac-address security sticky 0002-0000-0014 vlan 1
...
# Verify that the port security mode of the port changes to autoLearn, and the port can learn MAC addresses again. (Details not shown.)
Example: Configuring port security in userLoginWithOUI mode
Network configuration
As shown in Figure 2, a client is connected to the device through GigabitEthernet 1/0/1. The device authenticates the client with a RADIUS server in ISP domain sun. If the authentication succeeds, the client is authorized to access the Internet.
· The RADIUS server at 192.168.1.2 acts as the primary authentication server and the secondary accounting server. The RADIUS server at 192.168.1.3 acts as the secondary authentication server and the primary accounting server. The shared key for authentication is name, and the shared key for accounting is money.
· All users use the authentication, authorization, and accounting methods of ISP domain sun.
· The RADIUS server response timeout time is 5 seconds. The maximum number of RADIUS packet retransmission attempts is 5. The device sends real-time accounting packets to the RADIUS server at 15-minute intervals, and sends usernames without domain names to the RADIUS server.
Configure GigabitEthernet 1/0/1 to allow only one 802.1X user and a user that uses one of the specified OUI values to be authenticated.
Procedure
The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference.
Make sure the host and the RADIUS server can reach each other.
1. Configure AAA:
# Configure a RADIUS scheme named radsun.
<Device> system-view
[Device] radius scheme radsun
[Device-radius-radsun] primary authentication 192.168.1.2
[Device-radius-radsun] primary accounting 192.168.1.3
[Device-radius-radsun] secondary authentication 192.168.1.3
[Device-radius-radsun] secondary accounting 192.168.1.2
[Device-radius-radsun] key authentication simple name
[Device-radius-radsun] key accounting simple money
[Device-radius-radsun] timer response-timeout 5
[Device-radius-radsun] retry 5
[Device-radius-radsun] timer realtime-accounting 15
[Device-radius-radsun] user-name-format without-domain
[Device-radius-radsun] quit
# Configure ISP domain sun.
[Device] domain sun
[Device-isp-sun] authentication lan-access radius-scheme radsun
[Device-isp-sun] authorization lan-access radius-scheme radsun
[Device-isp-sun] accounting lan-access radius-scheme radsun
[Device-isp-sun] quit
2. Configure 802.1X:
# Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP.
[Device] dot1x authentication-method chap
# Specify ISP domain sun as the mandatory authentication domain for 802.1X users on GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x mandatory-domain sun
[Device-GigabitEthernet1/0/1] quit
3. Configure port security:
# Enable port security.
[Device] port-security enable
# Add five OUI values. (You can add up to 16 OUI values. The port permits only one user matching one of the OUIs to pass authentication.)
[Device] port-security oui index 1 mac-address 1234-0100-1111
[Device] port-security oui index 2 mac-address 1234-0200-1111
[Device] port-security oui index 3 mac-address 1234-0300-1111
[Device] port-security oui index 4 mac-address 1234-0400-1111
[Device] port-security oui index 5 mac-address 1234-0500-1111
# Set the port security mode to userLoginWithOUI.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Verify that GigabitEthernet 1/0/1 allows only one 802.1X user to be authenticated.
[Device] display port-security interface gigabitethernet 1/0/1
Global port security parameters:
Port security : Enabled
AutoLearn aging time : 30 min
Disableport timeout : 30 s
Blockmac timeout : 180 s
MAC move : Denied
Authorization fail : Online
NAS-ID profile : Not configured
Dot1x-failure trap : Disabled
Dot1x-logon trap : Disabled
Dot1x-logoff trap : Disabled
Intrusion trap : Disabled
Address-learned trap : Disabled
Mac-auth-failure trap : Disabled
Mac-auth-logon trap : Disabled
Mac-auth-logoff trap : Disabled
Open authentication : Disabled
OUI value list :
Index : 1 Value : 123401
Index : 2 Value : 123402
Index : 3 Value : 123403
Index : 4 Value : 123404
Index : 5 Value : 123405
GigabitEthernet1/0/1 is link-up
Port mode : userLoginWithOUI
NeedToKnow mode : Disabled
Intrusion protection mode : NoAction
Security MAC address attribute
Learning mode : Sticky
Aging type : Periodical
Max secure MAC addresses : Not configured
Current secure MAC addresses : 1
Authorization :Permitted
NAS-ID profile : Not configured
Free VLANs : Not configured
Open authentication : Disabled
MAC-move VLAN check bypass : Disabled
# Display information about the online 802.1X user to verify 802.1X configuration.
[Device] display dot1x
# Verify that the port also allows one user whose MAC address has an OUI among the specified OUIs to pass authentication.
[Device] display mac-address interface gigabitethernet 1/0/1
MAC Address VLAN ID State Port/NickName Aging
1234-0300-0011 1 Learned GE1/0/1 Y
Example: Configuring port security in macAddressElseUserLoginSecure mode
Network configuration
As shown in Figure 3, a client is connected to the device through GigabitEthernet 1/0/1. The device authenticates the client by a RADIUS server in ISP domain sun. If the authentication succeeds, the client is authorized to access the Internet.
Configure GigabitEthernet 1/0/1 of the device to meet the following requirements:
· Allow more than one MAC authenticated user to log on.
· For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. Allow only one 802.1X user to log on.
· Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation with hyphens, and letters are in upper case.
· Set the total number of MAC authenticated users and 802.1X authenticated users to 64.
· Enable NTK (ntkonly mode) to prevent frames from being sent to unknown MAC addresses.
Procedure
Make sure the host and the RADIUS server can reach each other.
1. Configure RADIUS authentication/accounting and ISP domain settings. (See "Example: Configuring port security in userLoginWithOUI mode.")
2. Configure port security:
# Enable port security.
<Device> system-view
[Device] port-security enable
# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation with hyphens, and letters are in upper case.
[Device] mac-authentication user-name-format mac-address with-hyphen uppercase
# Specify the MAC authentication domain.
[Device] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP.
[Device] dot1x authentication-method chap
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Device-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
# Specify ISP domain sun as the mandatory authentication domain for 802.1X users.
[Device-GigabitEthernet1/0/1] dot1x mandatory-domain sun
# Set the NTK mode of the port to ntkonly.
[Device-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Verify the port security configuration.
[Device] display port-security interface gigabitethernet 1/0/1
Global port security parameters:
Port security : Enabled
AutoLearn aging time : 30 min
Disableport timeout : 30 s
Blockmac timeout : 180 s
MAC move : Denied
Authorization fail : Online
NAS-ID profile : Not configured
Dot1x-failure trap : Disabled
Dot1x-logon trap : Disabled
Dot1x-logoff trap : Disabled
Intrusion trap : Disabled
Address-learned trap : Disabled
Mac-auth-failure trap : Disabled
Mac-auth-logon trap : Disabled
Mac-auth-logoff trap : Disabled
Open authentication : Disabled
OUI value list
GigabitEthernet1/0/1 is link-up
Port mode : macAddressElseUserLoginSecure
NeedToKnow mode : NeedToKnowOnly
Intrusion protection mode : NoAction
Security MAC address attribute
Learning mode : Sticky
Aging type : Periodical
Max secure MAC addresses : 64
Current secure MAC addresses : 0
Authorization : Permitted
NAS-ID profile : Not configured
Free VLANs : Not configured
Open authentication : Disabled
MAC-move VLAN check bypass : Disabled
# After users pass authentication, display MAC authentication information. Verify that GigabitEthernet 1/0/1 allows multiple MAC authentication users to be authenticated.
[Device] display mac-authentication interface gigabitethernet 1/0/1
Global MAC authentication parameters:
MAC authentication : Enabled
Authentication method : PAP
User name format : MAC address in uppercase(XX-XX-XX-XX-XX-XX)
Username : mac
Password : Not configured
Offline detect period : 300 s
Quiet period : 180 s
Server timeout : 100 s
Reauth period : 3600 s
User aging period for critical VLAN : 1000 s
User aging period for guest VLAN : 1000 s
Authentication domain : sun
Online MAC-auth wired users : 3
Silent MAC users:
MAC address VLAN ID From port Port index
GigabitEthernet1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Periodic reauth : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN auth-period : 30 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
User aging : Enabled
Server-recovery online-user-sync : Enabled
Auto-tag feature : Disabled
VLAN tag configuration ignoring : Disabled
Max online users : 4294967295
Authentication attempts : successful 3, failed 7
Current online users : 3
MAC address Auth state
1234-0300-0011 Authenticated
1234-0300-0012 Authenticated
1234-0300-0013 Authenticated
# Display 802.1X authentication information. Verify that GigabitEthernet 1/0/1 allows only one 802.1X user to be authenticated.
[Device] display dot1x interface gigabitethernet 1/0/1
Global 802.1X parameters:
802.1X authentication : Enabled
CHAP authentication : Enabled
Max-tx period : 30 s
Handshake period : 15 s
Quiet timer : Disabled
Quiet period : 60 s
Supp timeout : 30 s
Server timeout : 100 s
Reauth period : 3600 s
Max auth requests : 2
User aging period for Auth-Fail VLAN : 1000 s
User aging period for critical VLAN : 1000 s
User aging period for guest VLAN : 1000 s
EAD assistant function : Disabled
EAD timeout : 30 min
Domain delimiter : @
Online 802.1X wired users : 1
GigabitEthernet1/0/1 is link-up
802.1X authentication : Enabled
Handshake : Enabled
Handshake reply : Disabled
Handshake security : Disabled
Unicast trigger : Disabled
Periodic reauth : Disabled
Port role : Authenticator
Authorization mode : Auto
Port access control : MAC-based
Multicast trigger : Enabled
Mandatory auth domain : sun
Guest VLAN : Not configured
Auth-Fail VLAN : Not configured
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Add Guest VLAN delay : Disabled
Re-auth server-unreachable : Logoff
Max online users : 4294967295
User IP freezing : Disabled
Reauth period : 60 s
Send Packets Without Tag : Disabled
Max Attempts Fail Number : 0
User aging : Enabled
Server-recovery online-user-sync : Enabled
EAPOL packets: Tx 16331, Rx 102
Sent EAP Request/Identity packets : 16316
EAP Request/Challenge packets: 6
EAP Success packets: 4
EAP Failure packets: 5
Received EAPOL Start packets : 6
EAPOL LogOff packets: 2
EAP Response/Identity packets : 80
EAP Response/Challenge packets: 6
Error packets: 0
Online 802.1X users: 1
MAC address Auth state
0002-0000-0011 Authenticated
# Verify that frames with an unknown destination MAC address, multicast address, or broadcast address are discarded. (Details not shown.)
Troubleshooting port security
Cannot set the port security mode
Symptom
Cannot set the port security mode for a port.
Analysis
For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command.
Solution
To resolve the issue:
1. Set the port security mode to noRestrictions.
[Device-GigabitEthernet1/0/1] undo port-security port-mode
2. Set a new port security mode for the port, for example, autoLearn.
[Device-GigabitEthernet1/0/1] port-security port-mode autolearn
3. If the issue persists, contact H3C Support.
Cannot configure secure MAC addresses
Symptom
Cannot configure secure MAC addresses.
Analysis
No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.
Solution
To resolve the issue:
1. Set the port security mode to autoLearn.
[Device-GigabitEthernet1/0/1] undo port-security port-mode
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
[Device-GigabitEthernet1/0/1] port-security port-mode autolearn
[Device-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1
2. If the issue persists, contact H3C Support.