Login
- Table of Contents
-
- 09-Security Configuration Examples
- 01-AAA Configuration Examples
- 02-802.1X Configuration Examples
- 03-MAC Authentication Configuration Examples
- 04-Portal Configuration Examples
- 05-Port Security Configuration Examples
- 06-SSH Configuration Examples
- 07-Attack Protection Configuration Examples
- 08-IP Source Guard Configuration Examples
- 09-ARP Attack Protection Configuration Examples
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 03-MAC Authentication Configuration Examples | 384.39 KB |
Example: Configuring local MAC authentication
Applicable hardware and software versions
Example: Configuring MAC authentication with ACL assignment
Introduction
The following information provides examples for configuring MAC authentication to ensure network access security.
Prerequisites
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of MAC authentication.
Example: Configuring local MAC authentication
Network configuration
As shown in Figure 1, the device performs local MAC authentication on Ten-GigabitEthernet 1/0/1 to control Internet access of users.
Configure the device to meet the following requirements:
· Detect whether a user has gone offline every 180 seconds.
· Deny a user for 180 seconds if the user fails MAC authentication.
· Authenticate all users in ISP domain bbb.
· Use the MAC address of each user as both the username and password for authentication. The MAC addresses are in hexadecimal notation with hyphens, and letters are in lower case. In this example, both the username and password are 08-00-27-00-98-d2.
Applicable hardware and software versions
The following matrix shows the hardware and software versions to which this configuration example is applicable:
|
Hardware |
Software version |
|
S9850-G switch series |
Release 6010P03 and later |
|
S6850-G switch series S6805-G switch series |
Release 6010P03 and later |
|
S6530X switch series |
Release 8108P22 and later |
|
S5590-HI switch series |
Release 6010P03 and later |
|
S5590-EI switch series S5500V3-HI switch series |
Release 6010P03 and later |
|
S6520X-EI-G switch series S6520XP-EI-G switch series |
Release 7748 and later |
|
S5590XP-HI-G switch series |
Release 7748 and later |
|
S5560-EI-G switch series |
Release 7748 and later |
|
S5130S-EI-G switch series |
Release 7748 and later |
|
S5500-D-G switch series S5100-D-G switch series |
Release 6010P03 and later |
|
S5130S-HI-G switch series |
Release 6010P03 and later |
|
S5130S-EI-G switch series (except S5130S-30C-EI-G and S5130S-54C-EI-G switches) |
Release 6010P03 and later |
|
S5130S-30C-EI-G switch S5130S-54C-EI-G switch |
Release 7748 and later |
Restrictions and guidelines
· To avoid valid users from being blocked, do not enable MAC authentication globally before you finish all settings.
· When you create a local user, the username and password must match the user account policy for MAC authentication. If MAC-based accounts are used, make sure the username and password of each user account are the same as the MAC address of the corresponding MAC authentication user.
Procedures
# Add a network access user, set both the username and password to the MAC address of the host, and allow the user to use the LAN access service.
<Device> system-view
[Device] local-user 08-00-27-00-98-d2 class network
[Device-luser-network-08-00-27-00-98-d2] password simple 08-00-27-00-98-d2
[Device-luser-network-08-00-27-00-98-d2] service-type lan-access
[Device-luser-network-08-00-27-00-98-d2] quit
# Configure ISP domain bbb to use local authentication for LAN users.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access local
[Device-isp-bbb] quit
# Specify ISP domain bbb as the global MAC authentication domain.
[Device] mac-authentication domain bbb
# Configure MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180
# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication on interface Ten-GigabitEthernet 1/0/1.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] mac-authentication
[Device-Ten-GigabitEthernet1/0/1] quit
# Enable MAC authentication globally.
[Device] mac-authentication
Verifying the configuration
# Display MAC authentication settings and statistics.
<Device> display mac-authentication
Global MAC authentication parameters:
MAC authentication : Enabled
Authentication method : PAP
M-LAG member configuration conflict : Unknown
Username format : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
Username : mac
Password : Not configured
MAC range accounts : 0
MAC address Mask Username
Offline detect period : 180 s
Quiet period : 180 s
Server timeout : 100 s
Reauth period : 3600 s
User aging period for critical VLAN : 1000 s
User aging period for guest VLAN : 1000 s
Authentication domain : bbb
HTTP proxy port list : Not configured
HTTPS proxy port list : Not configured
Online MAC-auth wired users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
Ten-GigabitEthernet1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Periodic reauth : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN reauthentication : Enabled
Guest VLAN auth-period : 30 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
User aging : Enabled
Server-recovery online-user-sync : Disabled
Auto-tag feature : Disabled
VLAN tag configuration ignoring : Disabled
Max online users : 4294967295
Authentication attempts : successful 1, failed 0
Current online users : 1
MAC address Auth state
0800-2700-98d2 Authenticated
Configuration files
#
mac-authentication
mac-authentication timer offline-detect 180
mac-authentication timer quiet 180
mac-authentication domain bbb
mac-authentication user-name-format mac-address with-hyphen lowercase
domain bbb
authentication lan-access local
#
local-user 08-00-27-00-98-d2 class network
password cipher $c$3$rTXB/eL1h+bXc/t2nyQOrhDMC0PWfyiPb93BqMCK+JFYwvn5
service-type lan-access
authorization-attribute user-role network-operator
#
interface Ten-GigabitEthernet1/0/1
mac-authentication
#
Example: Configuring MAC authentication with ACL assignment
Network configuration
As shown in Figure 2:
· Configure the device to use the RADIUS servers to perform authentication, authorization, and accounting for the user on the host that is connected to Ten-GigabitEthernet 1/0/1.
· Enable MAC authentication on Ten-GigabitEthernet 1/0/1 to control Internet access.
· Use the MAC address of the host as both the username and password for MAC authentication. The MAC address is in hexadecimal notation with hyphens, and letters are in lower case.
· Use an ACL to deny the user to access the FTP server at 10.0.0.1 after the user passes authentication.
IMC acts as the RADIUS servers.
Analysis
· For the device to use IMC as the RADIUS servers for user authentication, authorization, and accounting, perform the following tasks on IMC:
a. Add the device to IMC as an access device.
b. Add an access policy.
c. Add an access service and specify the access policy in the access service.
d. Add an access user and specify the access service for the access user.
· For the device to perform RADIUS-based authentication, authorization, and accounting for the MAC authentication access user, configure AAA settings on the device, including ISP domain settings and RADIUS scheme settings.
· To use an ACL to restrict the user's network access behaviors after the user passes authentication, perform the following tasks:
¡ On IMC, specify the ACL number for the user when you add an access policy for the user.
¡ On the device, create the ACL and configure its rules.
Applicable hardware and software versions
The following matrix shows the hardware and software versions to which this configuration example is applicable:
|
Hardware |
Software version |
|
S9850-G switch series |
Release 6010P03 and later |
|
S6850-G switch series S6805-G switch series |
Release 6010P03 and later |
|
S6530X switch series |
Release 8108P22 and later |
|
S5590-HI switch series |
Release 6010P03 and later |
|
S5590-EI switch series S5500V3-HI switch series |
Release 6010P03 and later |
|
S6520X-EI-G switch series S6520XP-EI-G switch series |
Release 7748 and later |
|
S5590XP-HI-G switch series |
Release 7748 and later |
|
S5560-EI-G switch series |
Release 7748 and later |
|
S5130S-EI-G switch series |
Release 7748 and later |
|
S5500-D-G switch series S5100-D-G switch series |
Release 6010P03 and later |
|
S5130S-HI-G switch series |
Release 6010P03 and later |
|
S5130S-EI-G switch series (except S5130S-30C-EI-G and S5130S-54C-EI-G switches) |
Release 6010P03 and later |
|
S5130S-30C-EI-G switch S5130S-54C-EI-G switch |
Release 7748 and later |
Restrictions and guidelines
· To avoid valid users from being blocked, do not enable MAC authentication globally before you finish all settings.
· When you add an access user on IMC, make sure the user account on IMC matches the MAC authentication user account policy on the device. If MAC-based accounts are used, make sure the username and password of each user account are the same as the MAC address of the corresponding MAC authentication user.
· In standard RADIUS protocol, the authentication port on RADIUS servers is UDP port 1812. If an H3C device is used as a RADIUS server, the authentication port on the RADIUS server is UDP port 1645.
Procedures
Configuring the RADIUS server
This example uses IMC PLAT 7.3 (E0506), IMC EIA 7.3 (E0503), and IMC EIP 7.3 (E0503) to describe the procedure.
Adding the device to the IMC Platform as an access device
1. Log in to IMC.
2. Click the User tab.
3. From the navigation pane, select User Access Policy > Access Device Management > Access Device.
4. Click Add.
5. On the page that opens, configure access device parameters.
a. Set the ports for authentication and accounting to 1812 and 1813, respectively.
b. Select H3C (General) from the Access Device Type list.
c. Set the shared key to expert for secure authentication and accounting communication.
d. Select an access device from the device list or manually add an access device. In this example, the IP address of the access device is 10.1.1.2.
e. Use the default values for other parameters.
f. Click OK.
The IP address of the access device specified on IMC must be the same as the source IP address of the RADIUS packets sent from the device. On the device, the source IP address is chosen in the following order:
a. IP address specified by using the nas-ip command.
b. IP address specified by using the radius nas-ip command.
c. IP address of the outbound interface (the default).
In this example, the device uses the IP address of the outbound interface as the source IP address of RADIUS packets.
Figure 3 Adding an access device
Adding an access policy
1. Click the User tab.
2. From the navigation pane, select User Access Policy > Access Policy.
3. Click Add.
4. On the page that opens, configure access policy parameters.
a. Enter access policy name MACauth.
b. Select Deploy ACL and manually enter ACL number 3000.
c. Configure other parameters as needed.
d. Click OK.
Figure 4 Adding an access policy
Adding an access service
1. Click the User tab.
2. From the navigation pane, select User Access Policy > Access Service.
3. Click Add.
4. On the page that opens, configure access service parameters.
a. Enter service name MACauth Services and set the service suffix to 2000. The service suffix is the authentication domain for the MAC authentication user.
|
|
IMPORTANT: With the service suffix configured, you must configure the device to send usernames that include the domain name to the RADIUS servers. |
b. Select MACauth from the Default Access Policy list.
c. Configure other parameters as needed.
d. Click OK.
Figure 5 Adding an access service
Adding an access user
1. Click the User tab.
2. From the navigation pane, select Access User > Access User.
3. Click Add.
4. On the page that opens, configure access user parameters.
a. Select the user or add a user named test.
b. Enter account name d4-85-64-be-c6-3e and password d4-85-64-be-c6-3e.
c. Select MACauth Services in the Access Service area.
d. Configure other parameters as needed.
e. Click OK.
Figure 6 Adding an access user
Configuring the device
1. Configure advanced ACL 3000 to deny packets destined for 10.0.0.1.
<Device> system-view
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Device-acl-ipv4-adv-3000] quit
2. Configure RADIUS-based MAC authentication:
# Configure a RADIUS scheme.
|
|
IMPORTANT: With the service suffix configured on IMC, you must configure the device to send usernames that include the domain name to the RADIUS servers. By default, the device includes the domain name in the usernames sent to a RADIUS server. |
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication simple expert
[Device-radius-2000] key accounting simple expert
[Device-radius-2000] user-name-format with-domain
[Device-radius-2000] quit
# Create ISP domain bbb and configure the ISP domain to use RADIUS scheme 2000 for user authentication, authorization, and accounting.
[Device] domain bbb
[Device-isp-bbb] authentication default radius-scheme 2000
[Device-isp-bbb] authorization default radius-scheme 2000
[Device-isp-bbb] accounting default radius-scheme 2000
[Device-isp-bbb] quit
# Specify ISP domain bbb as the global MAC authentication domain.
[Device] mac-authentication domain bbb
# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication on interface Ten-GigabitEthernet 1/0/1.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] mac-authentication
[Device-Ten-GigabitEthernet1/0/1] quit
# Enable MAC authentication globally.
[Device] mac-authentication
Verifying the configuration
# Display MAC authentication settings and statistics.
<Device> display mac-authentication
Global MAC authentication parameters:
MAC authentication : Enable
Authentication method : PAP
M-LAG member configuration conflict : Unknown
Username format : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
Username : mac
Password : Not configured
Offline detect period : 300 s
Quiet period : 60 s
Server timeout : 100 s
Reauth period : 3600 s
User aging period for critical VLAN : 1000 s
User aging period for guest VLAN : 1000 s
Authentication domain : bbb
HTTP proxy port list : Not configured
HTTPS proxy port list : Not configured
Online MAC-auth wired users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
Ten-GigabitEthernet1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Periodic reauth : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN reauthentication : Enabled
Guest VLAN auth-period : 30 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
User aging : Enabled
Server-recovery online-user-sync : Enabled
Auto-tag feature : Disabled
VLAN tag configuration ignoring : Disabled
Max online users : 4294967295
Authentication attempts : successful 1, failed 0
Current online users : 1
MAC address Auth state
0800-2712-3456 Authenticated
# Verify that you cannot ping the FTP server from the host.
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that ACL 3000 has been assigned to Ten-GigabitEthernet 1/0/1 to deny access to the FTP server.
Configuration files
#
acl advanced 3000
rule 0 deny ip destination 10.0.0.1 0
#
radius scheme 2000
primary authentication 10.1.1.1
primary accounting 10.1.1.2
key authentication cipher $c$3$PJM7Px3rbC96Kvh8RyFWHMLatExagQ==
key accounting cipher $c$3$rr7AO7ZuSNZ+b+deWrfb/Qg1JPc97g==
user-name-format with-domain
#
domain bbb
authentication default radius-scheme 2000
authorization default radius-scheme 2000
accounting default radius-scheme 2000
#
mac-authentication domain bbb
#
mac-authentication user-name-format mac-address with-hyphen lowercase
#
interface Ten-GigabitEthernet1/0/1
mac-authentication
#
mac-authentication
#
