10-Security Configuration Guide

03-MAC Authentication Configuration

MAC authentication overview

MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port. If the MAC address passes authentication, the user can access authorized network resources. If the authentication fails, the device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from the MAC address within the quiet time. This quiet mechanism avoids repeated authentication during a short time.

NOTE:

If the MAC address that has failed authentication is a static MAC address or a MAC address that has passed any security authentication, the device does not mark it as a silent address.

User account policies

MAC authentication supports the following user account policies:

·     One MAC-based user account for each user. The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication. This policy is suitable for an insecure environment.

·     One shared user account for all users. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication users on the access device. This policy is suitable for a secure environment.

Authentication approaches

You can perform MAC authentication on the access device (local authentication) or through a Remote Authentication Dial-In User Service (RADIUS) server.

Suppose a packet with an unknown source MAC address arrives at a MAC authentication enabled port.

In the local authentication approach:

·     If MAC-based accounts are used, the access device uses the source MAC address of the packet as the username and password to search its local account database for a match.

·     If a shared account is used, the access device uses the shared account username and password to search its local account database for a match.

In the RADIUS authentication approach:

·     If MAC-based accounts are used, the access device sends the source MAC address as the username and password to the RADIUS server for authentication.

·     If a shared account is used, the access device sends the shared account username and password to the RADIUS server for authentication.

For more information about configuring local authentication and RADIUS authentication, see the chapter “Configuring AAA.”

MAC authentication timers

MAC authentication uses the following timers:

·     Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user as idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.

·     Quiet timer—Sets the interval that the device must wait before it can perform MAC authentication again for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.

·     Server timeout timer—Sets the interval that the access device waits for a response from a RADIUS server before it regards the RADIUS server as unavailable. If the timer expires during MAC authentication, the user cannot access the network.

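As an added illustration that is not part of the H3C guide, the following Python models how the silent-MAC mechanism, the offline detect timer and a missing RADIUS reply interact on one port; the class, its `authenticate` callback and the return strings are this example's own, not device code.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Added example, not H3C code: a simplified model of the per-port decisions
# described above. An unknown source MAC triggers authentication; a failure
# puts the MAC on the silent list for the quiet time (unless it is a static
# MAC, per the note in the overview); a user idle for two consecutive
# offline-detect intervals is logged out; no server reply within the server
# timeout (modelled as authenticate() returning None) is a failed attempt.
# Timer defaults are the device defaults (300 s offline detect, 60 s quiet).

@dataclass
class MacAuthPort:
    # authenticate(mac) -> True (pass), False (fail) or None (no server reply)
    authenticate: Callable[[str], Optional[bool]]
    offline_detect: int = 300
    quiet: int = 60
    static_macs: Set[str] = field(default_factory=set)    # never marked silent
    online: Dict[str, int] = field(default_factory=dict)  # mac -> last traffic time
    silent: Dict[str, int] = field(default_factory=dict)  # mac -> end of quiet time
    stats: Dict[str, int] = field(default_factory=lambda: {"success": 0, "failed": 0})

    def packet(self, mac: str, now: int) -> str:
        """Process a frame with source MAC `mac` at time `now` (seconds)."""
        self.expire_idle(now)
        if mac in self.online:              # known user: refresh the idle timer
            self.online[mac] = now
            return "forward"
        if mac in self.silent:
            if now < self.silent[mac]:      # still within the quiet time
                return "drop"
            del self.silent[mac]            # quiet timer expired: authenticate again
        result = self.authenticate(mac)
        if result is None:                  # server timeout: user cannot access
            result = False
        if result:
            self.online[mac] = now
            self.stats["success"] += 1
            return "forward"
        self.stats["failed"] += 1
        if mac not in self.static_macs:
            self.silent[mac] = now + self.quiet
        return "drop"

    def expire_idle(self, now: int) -> List[str]:
        """Log out users with no traffic for two consecutive offline-detect intervals."""
        gone = [m for m, t in self.online.items() if now - t >= 2 * self.offline_detect]
        for m in gone:
            del self.online[m]              # device stops accounting for the user
        return gone
```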
Using MAC authentication with VLAN assignment

You can specify a VLAN in the user account for a MAC authentication user to control its access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the VLAN to the port as the default VLAN. After the user logs off, the initial default VLAN (the default VLAN configured before any VLAN was assigned by the authentication server) is restored. If the authentication server assigns no VLAN, the initial default VLAN applies.

NOTE:

·     A hybrid port is always assigned to a server-assigned VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.

·     If MAC-based VLAN is enabled on a hybrid port, the device maps the server-assigned VLAN to the MAC address of the user. The default VLAN of the hybrid port does not change.

MAC authentication configuration task list

Perform these tasks to configure MAC authentication:

Task                                                               Remarks
Basic configuration for MAC authentication:
    Configuring MAC authentication globally                        Required
    Configuring MAC authentication on a port                       Required
Specifying an authentication domain for MAC authentication users   Optional

Basic configuration for MAC authentication

Configuration prerequisites

·     Create and configure an authentication domain, also called “an ISP domain.”

·     For local authentication, create local user accounts, and specify the lan-access service for the accounts.

·     For RADIUS authentication, check that the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server.

NOTE:

If you are using MAC-based accounts, make sure that the username and password for each account are the same as the MAC address of the MAC authentication user.

Configuration procedure

MAC authentication can take effect on a port only when it is enabled globally and on the port.

Configuring MAC authentication globally

To configure MAC authentication globally:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable MAC authentication globally.
    Command: mac-authentication
    Remarks: Disabled by default.

Step 3. Configure MAC authentication timers.
    Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
    Remarks: Optional. By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.

Step 4. Configure the properties of MAC authentication user accounts.
    Command: mac-authentication user-name-format { fixed [ account name ] [ password { cipher | simple } password ] | mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] }
    Remarks: Optional. By default, the username and password for a MAC authentication user account must be a MAC address in lower case, and the MAC address is not hyphen separated.

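As an added example that is not part of the H3C guide, the following Python derives the username and password the access device submits under each user-name-format setting (and after the RADIUS scheme's without-domain option), so the matching account can be provisioned on the RADIUS server or in the local user database; the function names and the dictionary layout are this example's own.

```python
import re
from typing import Dict, Tuple

# Added example, not H3C code: compute the credentials that must exist on
# the authentication server for a host, given the user-name-format setting.

def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC written in any common notation
    (00e0-fc12-3456, 00:E0:FC:12:34:56, 00-e0-fc-12-34-56)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def mac_account_name(mac: str, with_hyphen: bool = False, uppercase: bool = False) -> str:
    """Username (and password) of a MAC-based account. The defaults match
    the device default: no hyphens, lowercase."""
    digits = normalize_mac(mac)
    if uppercase:
        digits = digits.upper()
    if with_hyphen:
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits

def radius_user_name(account: str, domain: str, without_domain: bool) -> str:
    """Username as carried to the server: the RADIUS scheme option
    'user-name-format without-domain' strips the @domain suffix."""
    return account if without_domain else f"{account}@{domain}"

def expected_credentials(mac: str, domain: str, fmt: Dict) -> Tuple[str, str]:
    """Credentials the server must hold for this host. `fmt` mirrors the
    user-name-format command (this example's own layout):
      {"fixed": (user, password)}  or
      {"mac-address": {"with_hyphen": bool, "uppercase": bool}}
    plus an optional "without_domain": True from the RADIUS scheme."""
    if "fixed" in fmt:
        user, password = fmt["fixed"]
    else:
        user = password = mac_account_name(mac, **fmt["mac-address"])
    return radius_user_name(user, domain, fmt.get("without_domain", False)), password
```

With the local example's settings (hyphenated, lowercase, domain aabbcc.net) the result reproduces the Username shown by display connection; with the RADIUS example's fixed account and without-domain scheme the server sees only aaa.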
Configuring MAC authentication on a port

To configure MAC authentication on a port:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable MAC authentication.
    Command (approach 1, in system view): mac-authentication interface interface-list
    Command (approach 2, in interface view):
        a. interface interface-type interface-number
        b. mac-authentication
    Remarks: Use either approach. Disabled by default. Enable MAC authentication for ports in bulk in system view or on an individual port in interface view.

Step 3. Set the maximum number of concurrent MAC authentication users allowed on a port.
    Command: mac-authentication max-user user-number
    Remarks: Optional. By default, the port supports up to 1024 concurrent 802.1X users.
NOTE:

You cannot add a MAC authentication enabled port into a link aggregation group, or enable MAC authentication on a port already in a link aggregation group.

Specifying an authentication domain for MAC authentication users

By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways:

·     Specify a global authentication domain in system view. This domain setting applies to all ports.

·     Specify an authentication domain for an individual port in interface view.

MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see the chapter “Configuring AAA.”

To specify an authentication domain for MAC authentication users:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Specify an authentication domain for MAC authentication users.
    Command (approach 1, in system view): mac-authentication domain domain-name
    Command (approach 2, in interface view):
        a. interface interface-type interface-number
        b. mac-authentication domain domain-name
    Remarks: Use either approach. By default, the system default authentication domain is used for MAC authentication users.

Displaying and maintaining MAC authentication

Display MAC authentication information.
    Command: display mac-authentication [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.

Clear MAC authentication statistics.
    Command: reset mac-authentication statistics [ interface interface-list ]
    Remarks: Available in user view.

MAC authentication configuration examples

Local MAC authentication configuration example

Network requirements

In the network in Figure 1, perform local MAC authentication on port GigabitEthernet 3/1/1 to control Internet access. Make sure that:

·     All users belong to domain aabbcc.net.

·     Local users use their MAC address as the username and password for MAC authentication. The MAC addresses are hyphen separated and in lower case.

·     The access device detects whether a user has gone offline every 180 seconds. When a user fails authentication, the device does not authenticate the user within 180 seconds.

Figure 1 Network diagram


Configuration procedure

# Add a local user account, set both the username and password to 00-e0-fc-12-34-56, the MAC address of the user host, and enable LAN access service for the account.

<Device> system-view

[Device] local-user 00-e0-fc-12-34-56

[Device-luser-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56

[Device-luser-00-e0-fc-12-34-56] service-type lan-access

[Device-luser-00-e0-fc-12-34-56] quit

# Configure ISP domain aabbcc.net to perform local authentication for LAN access users.

[Device] domain aabbcc.net

[Device-isp-aabbcc.net] authentication lan-access local

[Device-isp-aabbcc.net] quit

# Enable MAC authentication globally.

[Device] mac-authentication

# Enable MAC authentication on port GigabitEthernet 3/1/1.

[Device] mac-authentication interface GigabitEthernet 3/1/1

# Specify the ISP domain for MAC authentication.

[Device] mac-authentication domain aabbcc.net

# Set the MAC authentication timers.

[Device] mac-authentication timer offline-detect 180

[Device] mac-authentication timer quiet 180

# Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated and in lowercase.

[Device] mac-authentication user-name-format mac-address with-hyphen lowercase

Verifying the configuration

# Display MAC authentication settings and statistics.

<Device> display mac-authentication
MAC address authentication is enabled.
User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx
Fixed username:mac
Fixed password:not configured
          Offline detect period is 180s
          Quiet period is 180s.
          Server response timeout value is 100s
          The max allowed user number is 1024 per slot
          Current user number amounts to 1
          Current domain is aabbcc.net
Silent Mac User info:
         MAC Addr               From Port           Port Index
Gigabitethernet3/1/1 is link-up
  MAC address authentication is enabled
  Authenticate success: 1, failed: 0
  Max number of on-line users is 1024
  Current online user number is 1
    MAC Addr         Authenticate state           AuthIndex
    00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS     29

# After the user passes authentication, use the display connection command to display the online user information.

<Device> display connection
Index=29  ,Username=00-e0-fc-12-34-56@aabbcc.net
MAC=00e0-fc12-3456
IP=N/A
Ipv6=N/A
 Total 1 connection(s) matched.

RADIUS-based MAC authentication configuration example

Network requirements

As shown in Figure 2, a host connects to port GigabitEthernet 3/1/1 on the access device. The device uses RADIUS servers for authentication, authorization, and accounting.

Perform MAC authentication on port GigabitEthernet 3/1/1 to control Internet access. Make sure that:

·     The device detects whether a user has gone offline every 180 seconds. If a user fails authentication, the device does not authenticate the user within 180 seconds.

·     All MAC authentication users belong to ISP domain 2000 and share the user account aaa with password 1234567890.

Figure 2 Network diagram


Configuration procedure

NOTE:

Make sure that the RADIUS server and the access device can reach each other. Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 1234567890 for the account.

# Configure a RADIUS scheme.

<Device> system-view

[Device] radius scheme 2000

[Device-radius-2000] primary authentication 10.1.1.1 1812

[Device-radius-2000] primary accounting 10.1.1.2 1813

[Device-radius-2000] key authentication abc

[Device-radius-2000] key accounting abc

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.

[Device] domain 2000

[Device-isp-2000] authentication default radius-scheme 2000

[Device-isp-2000] authorization default radius-scheme 2000

[Device-isp-2000] accounting default radius-scheme 2000

[Device-isp-2000] quit

# Enable MAC authentication globally.

[Device] mac-authentication

# Enable MAC authentication on port GigabitEthernet 3/1/1.

[Device] mac-authentication interface gigabitethernet 3/1/1

# Specify the ISP domain for MAC authentication.

[Device] mac-authentication domain 2000

# Set the MAC authentication timers.

[Device] mac-authentication timer offline-detect 180

[Device] mac-authentication timer quiet 180

# Specify username aaa and password 1234567890 for the account shared by MAC authentication users.

[Device] mac-authentication user-name-format fixed account aaa password simple 1234567890

Verifying the configuration

# Display MAC authentication settings and statistics.

<Device> display mac-authentication
MAC address authentication is enabled.
User name format is fixed account
Fixed username:aaa
Fixed password:1234567890
          Offline detect period is 180s
          Quiet period is 180s.
          Server response timeout value is 100s
          The max allowed user number is 1024 per slot
          Current user number amounts to 1
          Current domain is 2000
Silent Mac User info:
         MAC Addr               From Port           Port Index
Gigabitethernet3/1/1 is link-up
  MAC address authentication is enabled
  Authenticate success: 1, failed: 0
  Max number of on-line users is 1024
  Current online user number is 1
    MAC Addr         Authenticate state           AuthIndex
    00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS     29

# After a user passes MAC authentication, use the display connection command to display online user information.

<Device> display connection
Index=29  ,Username=aaa@2000
MAC=00e0-fc12-3456
IP=N/A
IPv6=N/A
 Total 1 connection(s) matched.