Chapter 1 MAC Authentication Configuration
MAC authentication provides a way for
authenticating users based on ports and MAC addresses, without requiring any
client software to be installed on the hosts. Once detecting a new MAC address,
it initiates the authentication process. During authentication, the user does
not need to enter username or password manually.
For S3100 Series Ethernet switches, MAC authentication
can be implemented locally or on a RADIUS server.
After determining the authentication method,
users can select one of the following types of user name as required:
l
MAC address mode, where the MAC address of a
user serves as both the user name and the password.
l
Fixed mode, where user names and passwords are
configured on a switch in advance. In this case, the user name, the password, and
the limits on the total number of user names are the matching criterion for
successful authentication. For details, refer to AAA of this manual for information
about local user attributes.
When authentications are performed on a
RADIUS server, the switch serves as a RADIUS client and completes MAC
authentication in combination of the RADIUS server.
l
In MAC address mode, the switch sends the MAC
addresses detected to the RADIUS server as both the user names and passwords.
l
In fixed mode, the switch sends the user name
and password previously configured for the user to the RADIUS server for
authentication.
A user can access a network upon passing
the authentication performed by the RADIUS server.
When authentications are performed locally,
users are authenticated by switches. In this case,
l
In MAC address mode, the local user name to be
configured is the MAC address of an access user. Hyphens must or must not be
included depending on the format configured with the mac-authentication authmode
usernameasmacaddress usernameformat command; otherwise, the authentication
will fail.
l
In fixed mode, all users’ MAC addresses
are automatically mapped to the configured local passwords and usernames.
l
The service type of a local user needs to be
configured as lan-access.
The following timers function in the
process of MAC authentication:
l
Offline detect timer: At this interval, the switch
checks to see whether an online user has gone offline. Once detecting that a
user becomes offline, the switch sends a stop-accounting notice to the RADIUS
server.
l
Quiet timer: Whenever a user fails MAC
authentication, the switch does not initiate any MAC authentication of the user
during a period defined by this timer.
l
Server timeout timer: During authentication of a
user, if the switch receives no response from the RADIUS server in this period,
it assumes that its connection to the RADIUS server has timed out and forbids
the user from accessing the network.
When a user fails MAC authentication, the
MAC address becomes a quiet MAC address, which means that any packets from the
MAC address will be discarded simply by the switch until the quiet timer
expires. This prevents an invalid user from being authenticated repeatedly in a
short time.
Caution:
l
If the quiet MAC is the same as the static MAC
configured or an authentication-passed MAC, then the quiet function is not
effective.
l
The S3100 series Ethernet switches support quiet
MAC function on ports.
1.3 Configuring Basic MAC Authentication Functions
Table 1-1 Configure basic MAC
authentication functions
|
Operation
|
Command
|
Remarks
|
|
Enter
system view
|
system-view
|
—
|
|
Enable MAC
authentication globally
|
mac-authentication
|
Required
Disabled
by default
|
|
Enable MAC
authentication for the specified port(s) or the current port
|
In system
view
|
mac-authentication
interface interface-list
|
Use either
method
Disabled
by default
|
|
In interface
view
|
interface
interface-type interface-number
|
|
mac-authentication
|
|
quit
|
|
Set the user
name in MAC address mode for MAC authentication
|
mac-authentication
authmode usernameasmacaddress [ usernameformat
{ with-hyphen | without-hyphen } { lowercase |
uppercase } | fixedpassword password ]
|
Optional
By
default, the MAC address of a user is used as the user name.
|
|
Set the
user name in fixed mode for MAC authentication
|
Set the
user name in fixed mode for MAC authentication
|
mac-authentication
authmode usernamefixed
|
Optional
By
default, the user name is “mac” and no password is configured.
|
|
Configure the
user name
|
mac-authentication authusername username
|
|
Configure the
password
|
mac-authentication
authpassword password
|
|
Specify an
ISP domain for MAC authentication
|
mac-authentication domain isp-name
|
Required
The
default ISP domain (default domain) is used by default.
|
|
Configure
the MAC authentication timers
|
mac-authentication timer { offline-detect offline-detect-value
| quiet quiet-value | server-timeout server-timeout-value
}
|
Optional
The default
timeout values are as follows:
300
seconds for offline detect timer;
60 seconds
for quiet timer; and
100
seconds for server timeout timer
|
|
|
|
|
|
Caution:
l
If MAC authentication is enabled on a port, you
cannot configure the maximum number of dynamic MAC address entries for that
port (through the mac-address max-mac-count command), and vice versa.
l
If MAC authentication is enabled on a port, you
cannot configure port security (through the port-security enable command)
on that port, and vice versa.
l
You can configure MAC authentication on a port before
enabling it globally. However, the configuration will not take effect unless
MAC authentication is enabled globally.
Table 1-2
MAC address authentication
enhanced function configuration tasks
Different from
Guest VLANs described in the 802.1x and System-Guard manual, Guest VLANs
mentioned in this section refer to Guests VLANs dedicated to MAC address
authentication.
After completing configuration tasks in 1.3 Configuring
Basic MAC Authentication Functions for a switch, this switch can
authenticate access users according to their MAC addresses or according to
fixed user names and passwords. The switch will not learn MAC addresses of the
clients failing in the authentication into its local MAC address table, thus
prevent illegal users from accessing the network.
In some cases, if the clients failing in
the authentication are required to access some restricted resources in the
network (such as the virus library update server), you can use the Guest VLAN.
You can configure a Guest VLAN for each
port of the switch. When a client connected to a port fails in MAC address
authentication, this port will be added into the Guest VLAN automatically. The
MAC address of this client will also be learned into the MAC address table of
the Guest VLAN, and thus the user can access the network resources of the Guest
VLAN.
After a port is added to a Guest VLAN, the
switch will re-authenticate the first access user of this port (namely, the
first user whose unicast MAC address is learned by the switch) periodically. If
this user passes the re-authentication, this port will exit the Guest VLAN, and
thus the user can access the network normally.
Caution:
l
Guest VLANs are implemented in the mode of
adding a port to a VLAN. For example, when multiple users are connected to a
port, if the first user fails in the authentication, the other users can access
only the contents of the Guest VLAN. The switch will re-authenticate only the
first user accessing this port, and the other users cannot be authenticated
again. Thus, if more than one client is connected to a port, you cannot
configure a Guest VLAN for this port.
l
After users that are connected to an existing
port failed to pass authentication, the switch adds the port to the Guest VLAN.
Therefore, the Guest VLAN can separate unauthenticated users on an access port.
When it comes to a trunk port or a hybrid port, if a packet itself has a VLAN
tag and be in the VLAN that the port allows to pass, the packet will be
forwarded perfectly without the influence of the Guest VLAN. That is, packets
can be forwarded to the VLANs other than the Guest VLAN through the trunk port
and the hybrid port, even users fail to pass authentication.
Table 1-3 Configure a Guest VLAN
|
Operation
|
Command
|
Description
|
|
Enter system view
|
system-view
|
—
|
|
Enter Ethernet port view
|
interface interface-type interface-number
|
—
|
|
Configure the Guest VLAN for the current
port
|
mac-authentication guest-vlan vlan-id
|
Required
By default, no Guest VLAN is configured
for a port by default.
|
|
Return to system view
|
quit
|
—
|
|
Configure the interval at which the
switch re-authenticates users in Guest VLANs
|
mac-authentication timer
guest-vlan-reauth interval
|
Optional
By default, the switch re-authenticates
the users in Guest VLANs at the interval of 30 seconds by default.
|
Caution:
l
If more than one client are connected to a port,
you cannot configure a Guest VLAN for this port.
l
When a Guest VLAN is configured for a port, only
one MAC address authentication user can access the port. Even if you set the
limit on the number of MAC address authentication users to more than one, the configuration
does not take effect.
l
The undo vlan command cannot be used to remove
the VLAN configured as a Guest VLAN. If you want to remove this VLAN, you must
remove the Guest VLAN configuration for it. Refer to the VLAN module in this
manual for the description on the undo vlan command.
l
Only one Guest VLAN can be configured for a
port, and the VLAN configured as the Guest VLAN must be an existing VLAN.
Otherwise, the Guest VLAN configuration does not take effect. If you want to
change the Guest VLAN for a port, you must remove the current Guest VLAN and
then configure a new Guest VLAN for this port.
l 802.1x authentication cannot be enabled for a port configured with a
Guest VLAN.
l
The Guest VLAN function for MAC authentication
does not take effect when port security is enabled.
You can configure the maximum number of MAC
address authentication users for a port in order to control the maximum number
of users accessing a port. After the number of access users has exceeded the
configured maximum number, the switch will not trigger MAC address
authentication for subsequent access users, and thus these subsequent access
users cannot access the network normally.
Table 1-4 Configure the maximum number
of MAC address authentication users allowed to access a port
|
Operation
|
Command
|
Description
|
|
Enter system view
|
system-view
|
—
|
|
Enter Ethernet port view
|
interface interface-type interface-number
|
—
|
|
Configure the maximum number of MAC
address authentication users allowed to access a port
|
mac-authentication max-auth-num user-number
|
Required
By default, the maximum number of MAC
address authentication users allowed to access a port is 256.
|
Caution:
l
If both the limit on the number of MAC address
authentication users and the limit on the number of users configured in the
port security function are configured for a port, the smaller value of the two
configured limits is adopted as the maximum number of MAC address
authentication users allowed to access this port. Refer to the Port Security
manual for the description on the port security function.
l
You cannot configure the maximum number of MAC
address authentication users for a port if any user connected to this port is
online.
You can configure whether to enable the quiet
MAC function on a port. When this function is enabled, the MAC address
connected to this port will be set as a quiet MAC address if its authentication
fails. When this function is disabled, the MAC address will not become quiet no
matter whether the authentication is failed.
Table 1-5
Configure the quiet MAC function on a port
|
Operation
|
Command
|
Description
|
|
Enter system view
|
system-view
|
—
|
|
Eneter Ethernet port view
|
interface interface-type
interface-number
|
—
|
|
Configure quiet MAC function on the port
|
mac-authenticiaon intrusion-mode block-mac
enable
|
Required
Enabled by default.
|
1.5 Displaying and Debugging MAC Authentication
After the above configuration, you can execute
the display command in any view to display system running of MAC
Authentication configuration, and to verify the effect of the configuration.
You can execute the reset command in user view to clear the statistics
of MAC Authentication.
Table 1-6 Display
and debug MAC Authentication
|
Operation
|
Command
|
Description
|
|
Display global or on-port information
about MAC authentication
|
display mac-authentication [ interface interface-list ]
|
Available in any view
|
|
Clear the statistics of global or on-port
MAC authentication
|
reset mac-authentication statistics [ interface interface-type interface-number ]
|
Available in user view
|
I. Network requirements
As illustrated in Figure 1-1,
a supplicant is connected to the switch through port Ethernet 1/0/2.
l
MAC authentication is required on port Ethernet 1/0/2
to control user access to the Internet.
l
All users belong to domain aabbcc.net. The
authentication performed is locally and the MAC address of the PC (00-0d-88-f6-44-c1)
is used as both the user name and password.
II. Network Diagram
Figure 1-1 Network diagram for MAC authentication configuration
III. Configuration Procedure
# Enable MAC authentication on port Ethernet
1/0/2.
<Sysname> system-view
[Sysname] mac-authentication
interface Ethernet 1/0/2
# Set the user name in MAC address mode for
MAC authentication, requiring hyphened lowercase MAC addresses as the usernames
and passwords.
[Sysname] mac-authentication authmode
usernameasmacaddress usernameformat with-hyphen lowercase
# Add a local user.
l
Specify the user name and password.
[Sysname] local-user 00-0d-88-f6-44-c1
[Sysname-luser-00-0d-88-f6-44-c1]
password simple 00-0d-88-f6-44-c1
l
Set the service type to “lan-access”.
[Sysname-luser-00-0d-88-f6-44-c1]
service-type lan-access
[Sysname-luser-00-0d-88-f6-44-c1]
quit
# Add an ISP domain named aabbcc.net.
[Sysname] domain aabbcc.net
New Domain added.
# Specify to perform local authentication.
[Sysname-isp-aabbcc.net] scheme local
[Sysname-isp-aabbcc.net] quit
# Specify aabbcc.net
as the ISP domain for MAC authentication
[Sysname] mac-authentication domain
aabbcc.net
# Enable MAC authentication
globally (This is usually the last step in configuring access control related
features. Otherwise, a user may be denied of access to the networks because of incomplete
configuaration.)
[Sysname] mac-authentication
After doing so, your MAC authentication configuration will take effect immediately. Only users with the MAC address of 00-0d-88-f6-44-c1 are allowed to access
the Internet through port Ethernet 1/0/2.
