macAddressElseUserLoginSecure configuration example
Network requirements
As shown in Figure 111, a client is connected to the device through GigabitEthernet 1/0/1. The device authenticates the client through a RADIUS server in ISP domain sun. If the authentication succeeds, the client is authorized to access the Internet.
Configure GigabitEthernet 1/0/1 of the device to meet the following requirements:
Allow more than one MAC authenticated user to log on.
For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. Allow only one 802.1X user to log on.
Use the MAC address of each user as the username and password for authentication. A MAC address is in the hexadecimal notation with hyphens, and letters are in upper case.
Set the total number of MAC authenticated users and 802.1X authenticated users to 64.
Enable NTK (ntkonly mode) to prevent frames from being sent to unknown MAC addresses.
Figure 106: Network diagram
Configuration procedure
Make sure the host and the RADIUS server can reach each other.
Configure RADIUS authentication/accounting and ISP domain settings. (See "userLoginWithOUI configuration example.")
Configure port security:
# Enable port security.
<Device> system-view
[Device] port-security enable
# Use MAC-based user accounts for MAC authentication. Each username and password is the user's MAC address in hexadecimal notation with hyphens and uppercase letters.
[Device] mac-authentication user-name-format mac-address with-hyphen uppercase
# Specify the MAC authentication domain.
[Device] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. By default, the authentication method for 802.1X is CHAP.
[Device] dot1x authentication-method chap
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Device-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
# Specify ISP domain sun as the mandatory authentication domain for 802.1X users.
[Device-GigabitEthernet1/0/1] dot1x mandatory-domain sun
# Set the NTK mode of the port to ntkonly.
[Device-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
[Device-GigabitEthernet1/0/1] quit
Verifying the configuration
# Verify the port security configuration.
[Device] display port-security interface gigabitethernet 1/0/1
Global port security parameters:
   Port security              : Enabled
   AutoLearn aging time       : 30 min
   Disableport timeout        : 30 s
   MAC move                   : Denied
   Authorization fail         : Online
   NAS-ID profile             : Not configured
   Dot1x-failure trap         : Disabled
   Dot1x-logon trap           : Disabled
   Dot1x-logoff trap          : Disabled
   Intrusion trap             : Disabled
   Address-learned trap       : Disabled
   Mac-auth-failure trap      : Disabled
   Mac-auth-logon trap        : Disabled
   Mac-auth-logoff trap       : Disabled
   OUI value list

 GigabitEthernet1/0/1 is link-up
   Port mode                  : macAddressElseUserLoginSecure
   NeedToKnow mode            : NeedToKnowOnly
   Intrusion protection mode  : NoAction
   Security MAC address attribute
       Learning mode          : Sticky
       Aging type             : Periodical
   Max secure MAC addresses   : 64
   Current secure MAC addresses : 0
   Authorization              : Permitted
   NAS-ID profile             : Not configured
# After users pass authentication, display MAC authentication information. Verify that GigabitEthernet 1/0/1 allows multiple MAC authentication users to be authenticated.
[Device] display mac-authentication interface gigabitethernet 1/0/1
Global MAC authentication parameters:
   MAC authentication    : Enabled
   User name format      : MAC address in uppercase(XX-XX-XX-XX-XX-XX)
   Username              : mac
   Password              : Not configured
   Offline detect period : 300 s
   Quiet period          : 180 s
   Server timeout        : 100 s
   Authentication domain : sun
Online MAC-auth wired users : 3

Silent MAC users:
   MAC address       VLAN ID  From port              Port index

GigabitEthernet1/0/1 is link-up
   MAC authentication          : Enabled
   Carry User-IP               : Disabled
   Authentication domain       : Not configured
   Auth-delay timer            : Disabled
   Re-auth server-unreachable  : Logoff
   Host mode                   : Single VLAN
   Max online users            : 4294967295
   Authentication attempts     : successful 3, failed 7
   Current online users        : 3
      MAC address       Auth state
      1234-0300-0011    Authenticated
      1234-0300-0012    Authenticated
      1234-0300-0013    Authenticated
# Display 802.1X authentication information. Verify that GigabitEthernet 1/0/1 allows only one 802.1X user to be authenticated.
[Device] display dot1x interface gigabitethernet 1/0/1
Global 802.1X parameters:
   802.1X authentication     : Enabled
   CHAP authentication       : Enabled
   Max-tx period             : 30 s
   Handshake period          : 15 s
   Quiet timer               : Disabled
   Quiet period              : 60 s
   Supp timeout              : 30 s
   Server timeout            : 100 s
   Reauth period             : 3600 s
   Max auth requests         : 2
   SmartOn supp timeout      : 30 s
   SmartOn retry counts      : 3
   EAD assistant function    : Disabled
   EAD timeout               : 30 min
   Domain delimiter          : @
   Online 802.1X wired users : 1

 GigabitEthernet1/0/1 is link-up
   802.1X authentication      : Enabled
   Handshake                  : Enabled
   Handshake reply            : Disabled
   Handshake security         : Disabled
   Unicast trigger            : Disabled
   Periodic reauth            : Disabled
   Port role                  : Authenticator
   Authorization mode         : Auto
   Port access control        : MAC-based
   Multicast trigger          : Enabled
   Mandatory auth domain      : sun
   Guest VLAN                 : Not configured
   Auth-Fail VLAN             : Not configured
   Critical VLAN              : Not configured
   Re-auth server-unreachable : Logoff
   Max online users           : 4294967295
   SmartOn                    : Disabled

   EAPOL packets: Tx 16331, Rx 102
   Sent EAP Request/Identity packets : 16316
        EAP Request/Challenge packets: 6
        EAP Success packets: 4
        EAP Failure packets: 5
   Received EAPOL Start packets : 6
        EAPOL LogOff packets: 2
        EAP Response/Identity packets : 80
        EAP Response/Challenge packets: 6
        Error packets: 0

   Online 802.1X users: 1
        MAC address       Auth state
        0002-0000-0011    Authenticated
# Verify that frames with an unknown destination MAC address, multicast address, or broadcast address are discarded. (Details not shown.)
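As an added example (not part of this configuration guide), the following Python checks the key fields of the display port-security output against the requirements of this example and converts the online MAC addresses from the device's dotted notation into the with-hyphen uppercase username format configured with mac-authentication user-name-format, which is the account name the RADIUS server must hold. The sample output strings are constructed, shortened excerpts of the display output shown above.

```python
import re

# Constructed excerpt of the "display port-security" output from this example.
PORT_SECURITY_OUTPUT = """\
GigabitEthernet1/0/1 is link-up
   Port mode                  : macAddressElseUserLoginSecure
   NeedToKnow mode            : NeedToKnowOnly
   Intrusion protection mode  : NoAction
   Max secure MAC addresses   : 64
   Current secure MAC addresses : 0
"""

# Constructed excerpt of the "display mac-authentication" output from this example.
MAC_AUTH_OUTPUT = """\
   Current online users        : 3
      MAC address       Auth state
      1234-0300-0011    Authenticated
      1234-0300-0012    Authenticated
      1234-0300-0013    Authenticated
"""

# Settings required by this configuration example (port mode, NTK mode, MAC limit).
EXPECTED = {
    "Port mode": "macAddressElseUserLoginSecure",
    "NeedToKnow mode": "NeedToKnowOnly",
    "Max secure MAC addresses": "64",
}


def parse_fields(output):
    """Turn the 'Name : Value' lines of display output into a dict."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_port_security(output, expected=EXPECTED):
    """Return the names of expected fields that are missing or differ."""
    fields = parse_fields(output)
    return [k for k, v in expected.items() if fields.get(k) != v]


def online_macs(output):
    """Extract the dotted MAC addresses whose Auth state is Authenticated."""
    return re.findall(r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+Authenticated", output, re.I)


def radius_username(dotted_mac):
    """Convert 1234-0300-0011 to 12-34-03-00-00-11 (with-hyphen, uppercase)."""
    hexdigits = dotted_mac.replace("-", "").upper()
    if not re.fullmatch(r"[0-9A-F]{12}", hexdigits):
        raise ValueError("not a MAC address: %r" % dotted_mac)
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
```

An empty list from check_port_security means the port matches the example; any name it returns is a setting to revisit before trusting the port.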