MAC authentication provides a way of authenticating users based on ports and MAC addresses, without requiring any client software to be installed on the hosts. Once the device detects a new MAC address, it initiates the authentication process without requiring the user to enter any username or password.

Currently, the device supports two MAC authentication modes:

- Remote Authentication Dial-In User Service (RADIUS) based MAC authentication
- Local MAC authentication

For detailed information about RADIUS authentication and local authentication, refer to AAA RADIUS HWTACACS Configuration.

After determining the authentication mode to be used, you can choose the username and password type for MAC authentication, which can be:

- MAC address: The MAC address of a user serves as both the username and password for authentication.
- Fixed username: All users use the same preconfigured username and password for authentication, regardless of their MAC addresses.

Figure 1-1 Network diagram for local MAC authentication configuration

As illustrated in Figure 1-1, a host is connected to the switch through port GigabitEthernet 2/0/1.

- Local MAC authentication is required on every port to control user access to the Internet.
- All users belong to domain aabbcc.net.
- Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes.
- A local user uses aaa as the username and 123456 as the password for authentication.
| Product series                    | Software version | Hardware version                  |
| S3610 Series Ethernet Switches    | Release 5301     | All versions                      |
| S5510 Series Ethernet Switches    | Release 5301     | All versions                      |
| S5500-SI Series Ethernet Switches | Release 1207     | All versions except S5500-20TP-SI |
|                                   | Release 1301     | S5500-20TP-SI                     |
| S5500-EI Series Ethernet Switches | Release 2102     | All versions                      |
| S7500E Series Ethernet Switches   | Release 6100     | All versions                      |
1) Configure MAC authentication on the switch.

# Add a local user.
<Switch> system-view
[Switch] local-user aaa
[Switch-luser-aaa] password simple 123456
[Switch-luser-aaa] service-type lan-access
[Switch-luser-aaa] quit

# Configure ISP domain aabbcc.net, and specify to perform local authentication.
[Switch] domain aabbcc.net
[Switch-isp-aabbcc.net] authentication lan-access local
[Switch-isp-aabbcc.net] quit

# Enable MAC authentication globally.
[Switch] mac-authentication

# Enable MAC authentication for port GigabitEthernet 2/0/1.
[Switch] mac-authentication interface GigabitEthernet 2/0/1

# Specify the ISP domain for MAC authentication.
[Switch] mac-authentication domain aabbcc.net

# Set the MAC authentication timers.
[Switch] mac-authentication timer offline-detect 180
[Switch] mac-authentication timer quiet 180

# Specify the MAC authentication to use fixed username aaa and password 123456 to authenticate supplicants.
[Switch] mac-authentication user-name-format fixed account aaa password simple 123456
#
local-user aaa
 password simple 123456
 service-type lan-access
#
domain aabbcc.net
 authentication lan-access local
#
mac-authentication
mac-authentication timer offline-detect 180
mac-authentication timer quiet 180
mac-authentication domain aabbcc.net
mac-authentication user-name-format fixed account aaa password simple 123456
#
interface GigabitEthernet2/0/1
 mac-authentication
#

You need to specify the service type as lan-access for local users.

Figure 1-2 Network diagram for RADIUS based MAC authentication configuration

As illustrated in Figure 1-2, a host is connected to the switch through port Ethernet 2/0/1. The switch authenticates the host through the RADIUS server.

- MAC authentication is required on each port to control user access to the Internet.
- Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes.
| Product series                    | Software version | Hardware version                  |
| S3610 Series Ethernet Switches    | Release 5301     | All versions                      |
| S5510 Series Ethernet Switches    | Release 5301     | All versions                      |
| S5500-SI Series Ethernet Switches | Release 1207     | All versions except S5500-20TP-SI |
|                                   | Release 1301     | S5500-20TP-SI                     |
| S5500-EI Series Ethernet Switches | Release 2102     | All versions                      |
| S7500E Series Ethernet Switches   | Release 6100     | All versions                      |
1) Configure MAC authentication on the switch.

# Configure the IP addresses of the interfaces. (Omitted)

# Configure a RADIUS scheme.
<Switch> system-view
[Switch] radius scheme 2000
[Switch-radius-2000] primary authentication 10.1.1.1 1812
[Switch-radius-2000] primary accounting 10.1.1.2 1813
[Switch-radius-2000] key authentication abc
[Switch-radius-2000] key accounting abc
[Switch-radius-2000] user-name-format without-domain
[Switch-radius-2000] quit

# Create domain 2000 and specify the AAA schemes for the ISP domain.
[Switch] domain 2000
[Switch-isp-2000] authentication default radius-scheme 2000
[Switch-isp-2000] authorization default radius-scheme 2000
[Switch-isp-2000] accounting default radius-scheme 2000
[Switch-isp-2000] quit

# Enable MAC authentication globally.
[Switch] mac-authentication

# Enable MAC authentication for port Ethernet 2/0/1.
[Switch] mac-authentication interface Ethernet 2/0/1

# Specify the ISP domain for MAC authentication.
[Switch] mac-authentication domain 2000

# Set the MAC authentication timers.
[Switch] mac-authentication timer offline-detect 180
[Switch] mac-authentication timer quiet 180

# Specify the MAC authentication to use fixed username aaa and password 123456 to authenticate supplicants.
[Switch] mac-authentication user-name-format fixed account aaa password simple 123456
#
radius scheme 2000
 primary authentication 10.1.1.1
 primary accounting 10.1.1.2
 key authentication abc
 key accounting abc
 user-name-format without-domain
#
domain 2000
 authentication default radius-scheme 2000
 authorization default radius-scheme 2000
 accounting default radius-scheme 2000
#
mac-authentication
mac-authentication timer offline-detect 180
mac-authentication timer quiet 180
mac-authentication domain 2000
mac-authentication user-name-format fixed account aaa password simple 123456
#
interface Ethernet2/0/1
 mac-authentication
#

- The username and password configured on the RADIUS server must be consistent with those configured on the switch for MAC authentication.
- The authentication and accounting keys configured on the RADIUS server must be consistent with those configured on the switch. Otherwise, authentication will fail.

Figure 1-3 Network diagram for ACL assignment configuration

As shown in Figure 1-3, a host is connected to port Ethernet 2/0/1 of the switch and must pass MAC authentication to access the Internet. A RADIUS server cluster is responsible for authentication. An FTP server with the IP address 10.0.0.1 is on the Internet.

- On port Ethernet 2/0/1 of the switch, enable MAC authentication and configure ACL 3000.
- Configure the authentication server to assign ACL 3000 to the switch as the authorization ACL after the host passes authentication, so that the host can access the Internet but cannot access the FTP server.
| Product series                    | Software version | Hardware version                  |
| S3610 Series Ethernet Switches    | Release 5301     | All versions                      |
| S5510 Series Ethernet Switches    | Release 5301     | All versions                      |
| S5500-SI Series Ethernet Switches | Release 1207     | All versions except S5500-20TP-SI |
|                                   | Release 1301     | S5500-20TP-SI                     |
| S5500-EI Series Ethernet Switches | Release 2102     | All versions                      |
| S7500E Series Ethernet Switches   | Release 6100     | All versions                      |
1) Configure MAC authentication on the switch.

# Configure the IP addresses of the interfaces. (Omitted)

# Configure the RADIUS scheme.
<Switch> system-view
[Switch] radius scheme 2000
[Switch-radius-2000] primary authentication 10.1.1.1 1812
[Switch-radius-2000] primary accounting 10.1.1.2 1813
[Switch-radius-2000] key authentication abc
[Switch-radius-2000] key accounting abc
[Switch-radius-2000] user-name-format without-domain
[Switch-radius-2000] quit

# Create an ISP domain and specify the AAA schemes for the ISP domain.
[Switch] domain 2000
[Switch-isp-2000] authentication default radius-scheme 2000
[Switch-isp-2000] authorization default radius-scheme 2000
[Switch-isp-2000] accounting default radius-scheme 2000
[Switch-isp-2000] quit

# Configure ACL 3000 to deny packets destined for 10.0.0.1.
[Switch] acl number 3000
[Switch-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Switch-acl-adv-3000] quit

# Enable MAC authentication globally.
[Switch] mac-authentication

# Enable MAC authentication for port Ethernet 2/0/1.
[Switch] mac-authentication interface Ethernet 2/0/1

# Specify the ISP domain for MAC authentication.
[Switch] mac-authentication domain 2000

# Set the MAC authentication timers.
[Switch] mac-authentication timer offline-detect 180
[Switch] mac-authentication timer quiet 180

# Specify MAC authentication to use a MAC address with hyphens as the username and password to authenticate supplicants.
[Switch] mac-authentication user-name-format mac-address with-hyphen
#
radius scheme 2000
 primary authentication 10.1.1.1
 primary accounting 10.1.1.2
 key authentication abc
 key accounting abc
 user-name-format without-domain
#
domain 2000
 authentication default radius-scheme 2000
 authorization default radius-scheme 2000
 accounting default radius-scheme 2000
#
acl number 3000
 rule 0 deny ip destination 10.0.0.1 0
#
mac-authentication
mac-authentication timer offline-detect 180
mac-authentication timer quiet 180
mac-authentication domain 2000
mac-authentication user-name-format mac-address with-hyphen
#
interface Ethernet2/0/1
 mac-authentication
#

- The authentication and accounting keys configured on the RADIUS server must be consistent with those configured on the switch. Otherwise, the MAC authentication will fail.
- The username and password type configured on the RADIUS server must be consistent with that configured on the switch for MAC authentication.
- The letters in the MAC address that serves as the authentication username and password must be in lowercase.
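The two RADIUS-based examples above, and the notes that follow each of them, describe an exchange the guide never shows on the wire: for every newly detected MAC the switch builds a RADIUS User-Name and a PAP User-Password from either the MAC address (lowercase, with or without hyphens) or the fixed account, and the server can only recover that password when both sides share the same key. The Python script below is an added example, not part of this configuration guide and not H3C code; it models the round trip offline with RFC 2865 User-Password hiding and Response Authenticator checks so that each failure mode in the notes (key mismatch, username-format mismatch, uppercase letters on the server) can be observed. The account table, the MAC address 00:1A:2B:3C:4D:5E and the second key `xyz` are constructed here; the key `abc` and the account aaa/123456 come from the examples above.

```python
"""Offline model of the RADIUS exchange behind MAC authentication (RFC 2865, PAP).
The switch side builds User-Name and User-Password from the detected MAC (or the
fixed account); the server side unhides the password with its own key.  No
sockets: both sides are plain functions, so the script runs anywhere."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def mac_username(mac, with_hyphen=True):
    """Normalize a MAC the way 'user-name-format mac-address' does: lowercase
    hex, 'xx-xx-xx-xx-xx-xx' (with-hyphen) or 'xxxxxxxxxxxx' (without)."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)) if with_hyphen else digits


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + chunk, chunk
    return out


def pap_unhide(hidden, secret, authenticator):
    """Inverse of pap_hide; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], _md5(secret, prev)))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data):
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def switch_access_request(username, password, secret, identifier=1):
    """Switch side: the Access-Request sent when a MAC is detected.  Returns the
    packet and the Request Authenticator the switch keeps to check the reply."""
    auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_USER_PASSWORD, pap_hide(password.encode(), secret, auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + auth + attrs, auth


def radius_server(packet, secret, user_db):
    """Server side: unhide the password with the server's key and compare it with
    the stored account.  A key mismatch garbles the password, so the request is
    rejected even though the account exists."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode("ascii", "replace")
    pwd = pap_unhide(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    expected = user_db.get(user)
    code = ACCESS_ACCEPT if expected is not None and expected.encode() == pwd else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20)
    return header + _md5(header, req_auth, secret)


def switch_verify(response, req_auth, secret):
    """Switch side: trust a reply only if its authenticator verifies under the
    switch's key; with mismatched keys even an Accept is discarded."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if _md5(header, req_auth, attrs, secret) != resp_auth:
        return "unverifiable"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


def mac_auth_exchange(username, password, switch_key, server_key, user_db):
    """Run one request/response round trip and report the switch's verdict."""
    packet, req_auth = switch_access_request(username, password, switch_key)
    return switch_verify(radius_server(packet, server_key, user_db), req_auth, switch_key)


# Constructed sample account table (not from the page): MAC accounts are stored
# exactly as the switch sends them (lowercase, hyphenated), plus the fixed account.
USER_DB = {"00-1a-2b-3c-4d-5e": "00-1a-2b-3c-4d-5e", "aaa": "123456"}

if __name__ == "__main__":
    name = mac_username("00:1A:2B:3C:4D:5E")
    print(name, mac_auth_exchange(name, name, b"abc", b"abc", USER_DB))       # accept
    print(name, mac_auth_exchange(name, name, b"abc", b"xyz", USER_DB))       # unverifiable: key mismatch
    print("aaa", mac_auth_exchange("aaa", "123456", b"abc", b"abc", USER_DB))  # accept: fixed account
    plain = mac_username("00:1A:2B:3C:4D:5E", with_hyphen=False)
    print(plain, mac_auth_exchange(plain, plain, b"abc", b"abc", USER_DB))    # reject: format mismatch
```

The verdicts map directly onto the notes: a key mismatch makes the server reject the garbled password and, separately, makes the reply's authenticator fail on the switch, which is why "authentication will fail" in both directions; storing the account without hyphens, or with uppercase letters, produces a plain reject because the server looks up a username the switch never sends.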