Chapter 1 Centralized MAC Address Authentication Configuration
Centralized MAC address authentication is port- and MAC address-based authentication used to control a user's permission to access a network. It can be performed without client-side software: with this type of authentication enabled, the switch authenticates a user when it detects the user's MAC address for the first time.
Centralized MAC address authentication can be implemented in the following two modes:
• MAC address mode, where the user's MAC address serves as both the user name and the password.
• Fixed mode, where user names and passwords are configured on the switch in advance. In this case, a user logs in to the switch with the previously configured user name and password.
On S3100-SI series Ethernet switches, authentication can be performed locally or on a RADIUS server.
1) When a RADIUS server is used, the switch acts as a RADIUS client and authentication is carried out jointly by the switch and the RADIUS server.
• In MAC address mode, the switch sends each detected user MAC address to the RADIUS server as both the user name and the password. The remaining handling is the same as for common RADIUS authentication.
• In fixed mode, the switch sends the user name and password previously configured for the user to the RADIUS server and places the user's MAC address in the Calling-Station-Id attribute of the RADIUS packet. The remaining handling is the same as for common RADIUS authentication.
• A user can access the network once the user passes the authentication performed by the RADIUS server.
2) When authentication is performed locally, users are authenticated by the switch itself. In this case:
• In MAC address mode, you specify with the corresponding command the format in which MAC addresses are used as user name and password, that is, whether or not the MAC address is written with hyphens. The MAC address configured for the local user must be in the same format as the configured one; otherwise authentication fails.
• In fixed mode, configure the local user name and password to match the user name and password set for fixed mode.
• The service type of the local user must be configured as lan-access.
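The two RADIUS-side exchanges described above, as an added example that is not part of this manual and not H3C's code: it builds the Access-Request the switch would send in MAC address mode (User-Name and User-Password both carry the MAC, rendered with or without hyphens) and in fixed mode (configured user name and password, MAC in Calling-Station-Id), hides the password as RFC 2865 requires, and shows a server-side decision for each. The packet layout and password hiding follow RFC 2865; the exact attribute set, the hyphened form of Calling-Station-Id, the server policy, the shared secret and the sample MAC addresses are assumptions constructed for the example.

```python
import hashlib
import os
import struct

# RADIUS attribute types (RFC 2865) used by the two modes.
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31
ACCESS_REQUEST = 1


def format_mac(mac, with_hyphen=True):
    """Render a MAC the way 'usernameformat' selects it:
    with-hyphen -> 00-0f-e2-0f-01-01, without-hyphen -> 000fe20f0101."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 16)
    if not data:                      # an empty password still occupies one block
        data = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(data[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(mac, secret, mode="mac", with_hyphen=True,
                         fixed_user="mac", fixed_password="", ident=1,
                         authenticator=None):
    """Build the Access-Request the switch sends in MAC address mode (user
    name and password are both the MAC) or in fixed mode (configured user
    name and password, MAC carried in Calling-Station-Id). Returns (bytes, attrs)."""
    authenticator = authenticator or os.urandom(16)
    if mode == "mac":
        name = format_mac(mac, with_hyphen)
        attrs = [(USER_NAME, name.encode()),
                 (USER_PASSWORD, hide_password(name, secret, authenticator))]
    elif mode == "fixed":
        attrs = [(USER_NAME, fixed_user.encode()),
                 (USER_PASSWORD, hide_password(fixed_password, secret, authenticator)),
                 # Assumption: the switch writes the MAC in hyphened form here.
                 (CALLING_STATION_ID, format_mac(mac, True).encode())]
    else:
        raise ValueError("mode must be 'mac' or 'fixed'")
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    return header + body, dict(attrs)


def parse_packet(packet):
    """Split a RADIUS packet into (code, authenticator, {type: value})."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, packet[4:20], attrs


def server_decide(packet, secret, allowed_macs, fixed_user, fixed_password):
    """Toy RADIUS policy (an assumption, not H3C's server). In MAC address
    mode the MAC itself is the credential: it must equal the password and be
    on the allow list. In fixed mode every switch sends the same credentials,
    so the server must ALSO check Calling-Station-Id or it admits any MAC.
    Returns (accepted, mac)."""
    _code, auth, attrs = parse_packet(packet)
    name = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, auth)
    if CALLING_STATION_ID in attrs:                       # fixed mode
        mac = format_mac(attrs[CALLING_STATION_ID].decode(), True)
        ok = name == fixed_user and password == fixed_password
    else:                                                 # MAC address mode
        mac = format_mac(name, True)
        ok = name == password
    return ok and mac in allowed_macs, mac
```

The point to take from the fixed-mode branch is that the fixed user name and password authenticate the switch, not the end user; the only per-user information the server has is the Calling-Station-Id, so a server that does not filter on it admits every MAC behind every port that uses those credentials.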
The following are the centralized MAC address authentication configuration tasks:
• Enabling Centralized MAC Address Authentication Globally
• Enabling Centralized MAC Address Authentication for a Port
• Configuring Centralized MAC Address Authentication Mode
• Configuring the ISP Domain for MAC Address Authentication Users
• Configuring the Timers Used in Centralized MAC Address Authentication
1.2.1 Enabling Centralized MAC Address Authentication Globally
Table 1-1 Enable centralized MAC address authentication

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable centralized MAC address authentication globally | mac-authentication | Required. By default, centralized MAC address authentication is globally disabled. |
1.2.2 Enabling Centralized MAC Address Authentication for a Port
You can enable centralized MAC address
authentication for a port in system view or in Ethernet port view.
Table 1-2 Enable centralized MAC address authentication for a port in system view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enable centralized MAC address authentication for specified ports | mac-authentication interface interface-list | Required. By default, centralized MAC address authentication is disabled on a port. |
Table 1-3 Enable centralized MAC address authentication for a port in Ethernet port view

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable centralized MAC address authentication for the current port | mac-authentication | Required. By default, centralized MAC address authentication is disabled on a port. |
Caution:
The maximum number of learned MAC addresses (set with the mac-address max-mac-count command) cannot be configured on a port with centralized MAC address authentication enabled. Likewise, centralized MAC address authentication cannot be enabled on a port that has a maximum number of learned MAC addresses configured.
Centralized MAC address authentication for a port can be configured, but does not take effect, before centralized MAC address authentication is enabled globally. Once it is enabled globally, every port with centralized MAC address authentication enabled starts performing authentication immediately.
1.2.3 Configuring Centralized MAC Address Authentication Mode
Table 1-4 Configure centralized MAC address authentication mode

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Configure centralized MAC address authentication mode as MAC address mode | mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen \| without-hyphen } ] | Optional. By default, MAC address mode is used. |
| Configure centralized MAC address authentication mode as fixed mode | mac-authentication authmode usernamefixed | Optional |
| Set the user name for fixed mode | mac-authentication authusername username | Required for fixed mode. By default, the user name is mac and no password is needed. |
| Set the password for fixed mode | mac-authentication authpassword password | Optional |
1.2.4 Configuring the ISP Domain for MAC Address Authentication Users
Table 1-5 lists the operations to configure the ISP domain for centralized MAC address authentication users.
Table 1-5 Configure the ISP domain for MAC address authentication users

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Configure the ISP domain for MAC address authentication users | mac-authentication domain isp-name | Required. By default, the "default domain" is used as the ISP domain. |
1.2.5 Configuring the Timers Used in Centralized MAC Address Authentication
The following timers are used in centralized MAC address authentication:
• Offline detect timer, which sets the interval at which the switch checks whether a user has gone offline. When it finds that a user is offline, the switch notifies the RADIUS server so that the server stops accounting for that user.
• Quiet timer, which sets the quiet period of the switch. After a user fails authentication, the switch waits for the quiet period before it authenticates that user again.
• Server timeout timer. If the connection between the switch and the RADIUS server times out during authentication, the switch denies the user access to the network through that port. Users logging in through other ports are still authenticated normally.
Table 1-6 lists the operations to configure the timers used in centralized MAC address authentication.
Table 1-6 Configure the timers used in centralized MAC address authentication

| Operation | Command | Description |
| --- | --- | --- |
| Enter system view | system-view | — |
| Configure a timer used in centralized MAC address authentication | mac-authentication timer { offline-detect offline-detect-value \| quiet quiet-value \| server-timeout server-timeout-value } | Optional. The default timer settings are: offline detect timer 300 seconds, quiet timer 60 seconds, server timeout timer 100 seconds. |
Caution:
When both centralized MAC address authentication and 802.1x are enabled, a MAC address that centralized MAC address authentication has placed in the quiet state cannot pass 802.1x authentication while its quiet period lasts.
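The three timers and the quiet/802.1x interaction above, as an added per-port model that is not part of this manual and not H3C's code. It replays a sequence of frames against the default values (300/60/100 seconds) and shows which events each timer produces: the quiet timer suppresses further authentication requests for a failed MAC, the offline detect timer takes a silent MAC offline and triggers the accounting stop, and an 802.1x attempt for a quiet MAC is refused. The authentication callback, the event names, the time units and the choice that a server timeout does not start the quiet timer are assumptions made for the example.

```python
# Timer defaults from Table 1-6 (seconds).
OFFLINE_DETECT, QUIET, SERVER_TIMEOUT = 300, 60, 100


class MacAuthPort:
    """Per-port model of the centralized MAC address authentication timers.

    auth_fn(mac) stands in for the local or RADIUS check and returns
    "accept", "reject" or "timeout" (no server answer within server-timeout).
    Times are plain seconds so a sequence can be replayed by hand."""

    def __init__(self, auth_fn, offline_detect=OFFLINE_DETECT, quiet=QUIET,
                 server_timeout=SERVER_TIMEOUT):
        self.auth_fn = auth_fn
        self.offline_detect, self.quiet, self.server_timeout = offline_detect, quiet, server_timeout
        self.last_seen = {}     # online MAC -> time of its last frame
        self.quiet_until = {}   # failed MAC -> time its quiet period ends
        self.attempts = {}      # MAC -> authentication requests actually issued
        self.log = []           # (time, mac, event)

    def is_quiet(self, mac, now):
        return self.quiet_until.get(mac, 0) > now

    def frame(self, mac, now):
        """A frame from `mac` arrives on the port at time `now`."""
        if mac in self.last_seen:              # already authenticated: refresh
            self.last_seen[mac] = now
            return "online"
        if self.is_quiet(mac, now):            # quiet timer: no request is sent
            return "dropped"
        self.attempts[mac] = self.attempts.get(mac, 0) + 1
        result = self.auth_fn(mac)
        if result == "accept":
            self.last_seen[mac] = now
            self.log.append((now, mac, "accounting-start"))
            return "online"
        if result == "reject":
            self.quiet_until[mac] = now + self.quiet
            self.log.append((now, mac, "quiet"))
            return "quiet"
        # "timeout": the server did not answer within server_timeout, so the
        # user is denied on this port. Assumption: a timeout does not start the
        # quiet timer, because the text ties quiet to a failed check only.
        self.log.append((now + self.server_timeout, mac, "server-timeout"))
        return "denied"

    def tick(self, now):
        """Offline detect: every online MAC silent for at least offline_detect
        seconds is taken offline and an accounting stop is recorded.
        Returns the MACs taken offline."""
        gone = [m for m, t in self.last_seen.items() if now - t >= self.offline_detect]
        for m in gone:
            del self.last_seen[m]
            self.log.append((now, m, "accounting-stop"))
        return gone

    def dot1x_allowed(self, mac, now):
        """The caution above: a MAC in the MAC authentication quiet state
        cannot pass 802.1x either while the quiet period lasts."""
        return not self.is_quiet(mac, now)
```

Two things the replay makes visible that the prose does not: a MAC in the quiet state costs the switch no server round trip at all (the attempt counter stays at one until the period ends), and the accounting stop is driven purely by silence, so a host that stays up but stops sending will be taken offline after the offline detect interval and must re-authenticate.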
After completing the above configuration, execute the display command in any view to display the running state of centralized MAC address authentication and verify the effect of the configuration. Execute the reset command in user view to clear centralized MAC address authentication statistics.
Table 1-7 Display and debug centralized MAC address authentication

| Operation | Command | Description |
| --- | --- | --- |
| Display global or port information about centralized MAC address authentication | display mac-authentication [ interface interface-list ] | This command can be executed in any view. |
| Clear the statistics of global or port centralized MAC address authentication | reset mac-authentication statistics [ interface interface-list ] | This command is executed in user view. |
Centralized MAC address authentication configuration is similar to that of 802.1x. In this example, the differences between the two are:
• Centralized MAC address authentication needs to be enabled both globally and on the port.
• In MAC address mode, the MAC address of a locally authenticated user is used as both the user name and the password.
• In MAC address mode, the MAC address of a user authenticated by a RADIUS server must be configured as both the user name and the password on the RADIUS server.
The following section describes how to enable centralized MAC address authentication globally and for a port, and how to configure a local user. For other related configuration, refer to the configuration examples in "802.1x" Configuration.
# Enable centralized MAC address authentication for port Ethernet 1/0/2.
<H3C> system-view
[H3C] mac-authentication interface Ethernet 1/0/2
# Configure the centralized MAC address authentication mode as MAC address mode, with hyphened MAC addresses used as the user names and passwords for authentication.
[H3C] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen
# Add a local user.
• Configure the user name and password. Both are the MAC address, written in the hyphened format configured above; a local user created in the unhyphened format would not match and authentication would fail. Note that password simple stores the password in clear text in the configuration file.
[H3C] local-user 00-0f-e2-0f-01-01
[H3C-luser-00-0f-e2-0f-01-01] password simple 00-0f-e2-0f-01-01
• Set the service type of the local user to lan-access.
[H3C-luser-00-0f-e2-0f-01-01] service-type lan-access
# Enable centralized MAC address authentication globally. The port-level setting configured above takes effect only once this is done.
[H3C-luser-00-0f-e2-0f-01-01] quit
[H3C] mac-authentication
# Configure the ISP domain for centralized MAC address authentication users as aabbcc163.net.
[H3C] mac-authentication domain aabbcc163.net
For domain-related configuration, refer to the "802.1x" Configuration Example part of this manual.