Table of Contents
Chapter 1 MAC Authentication Configuration
1.1 MAC Authentication Overview
1.1.1 RADIUS-Based MAC Authentication
1.1.2 Local MAC Authentication
1.2 Related Concepts
1.2.1 MAC Authentication Timers
1.2.2 Quiet MAC Address
1.3 Configuring MAC Authentication
1.3.1 Configuration Prerequisites
1.3.2 Configuration Procedure
1.4 Displaying and Maintaining MAC Authentication
1.5 MAC Authentication Configuration Example
1.5.1 Local MAC Authentication Configuration Example
1.5.2 RADIUS-Based MAC Authentication Configuration Example
Chapter 1 MAC Authentication Configuration
When configuring MAC authentication, go to these sections for information you are interested in:
- Configuring MAC Authentication
- Displaying and Maintaining MAC Authentication
- MAC Authentication Configuration Example
1.1 MAC Authentication Overview
MAC authentication controls network access per port and per MAC address. When the device detects a new source MAC address on a port with MAC authentication enabled, it starts the authentication process for that address. No client software is needed on the host and the user enters no username or password: the device derives the credentials itself, from the MAC address, from a fixed account configured on the device, or from a combination of the two. Because a host can set its own MAC address, and because in the default type the MAC address also serves as the password, MAC authentication identifies devices rather than strongly authenticating users; treat it as an access-control measure for hosts that cannot run 802.1x client software, not as an equivalent of 802.1x.
The device supports two MAC authentication modes: Remote Authentication Dial-In User Service (RADIUS) based MAC authentication and local MAC authentication. For details about RADIUS authentication and local authentication, refer to AAA RADIUS HWTACACS Configuration in the Security Volume.
MAC authentication supports three username and password types:
- MAC address username and password: the MAC address of the user serves as both the username and the password.
- Fixed username and password: all users share the same preconfigured username and password, regardless of their MAC addresses.
- MAC address username and fixed password: each user's own MAC address is the username, and the same password preconfigured on the device is the password for every user.
1.1.1 RADIUS-Based MAC Authentication
In RADIUS-based MAC authentication, the device serves as a RADIUS client and requires a RADIUS server to cooperate with it.
- With the MAC address username and password type, the device sends the detected MAC address to the RADIUS server as both the username and the password.
- With the fixed username and password type, the device sends the same locally configured username and password to the RADIUS server for every user, so the server sees a single account no matter which host is authenticating.
- With the MAC address username and fixed password type, the device sends the detected MAC address as the username and the password configured on the device as the password.
If authentication succeeds, the user is granted access to the network resources; if it fails, the MAC address enters the quiet state described in 1.2.2.
1.1.2 Local MAC Authentication
In local MAC authentication, the device authenticates users locally and configurations required on the device depend on the username and password type:
- MAC address username and password: create a local user account for each user, using the user's MAC address as both the username and the password.
- Fixed username and password: create a single local user account shared by all users.
- MAC address username and fixed password: create a local user account for each user, using the user's MAC address as the username and the fixed password as the password.
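To make the three username and password types concrete for both the RADIUS-based mode (1.1.1) and the local mode (1.1.2), here is an added Python example; it is not from the manual or the device vendor. It derives the credentials the device would use from a detected MAC address, builds the RADIUS Access-Request that the RADIUS-based mode would send, hiding User-Password with the RFC 2865 method, and checks the packet against a users table the way a server (or the local user table) would. The MAC address 000f-e212-3456, the shared key abc and the password 123456 are taken from the example in 1.5.2; the Request Authenticator, the identifier and the users table are constructed for the demonstration, and the packet carries only the two attributes needed to show the credential handling.

```python
import hashlib
import os
import struct

# RADIUS code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2


def format_mac(mac: bytes, with_hyphen: bool = True) -> str:
    """Render a 6-byte MAC address the way the device forms a username:
    lower-case hex (caution in 1.3.1), as xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx."""
    hexstr = mac.hex()
    if with_hyphen:
        return "-".join(hexstr[i:i + 2] for i in range(0, 12, 2))
    return hexstr


def credentials(mac: bytes, mode: str, with_hyphen: bool = True,
                fixed_user: str = "", fixed_password: str = "") -> tuple:
    """Derive (username, password) for the three types the page lists."""
    m = format_mac(mac, with_hyphen)
    if mode == "mac-address":                  # MAC address username and password
        return m, m
    if mode == "fixed":                        # one account shared by every user
        return fixed_user, fixed_password
    if mode == "mac-address-fixed-password":   # MAC address username, fixed password
        return m, fixed_password
    raise ValueError("unknown username/password type: " + mode)


def hide_password(password: str, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to a multiple of 16 bytes, then XOR each
    block with MD5(secret + previous block), the first block using the
    Request Authenticator."""
    p = password.encode()
    pad = -len(p) % 16
    if not p:
        pad = 16                      # the RFC requires at least one block
    p += b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(p[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Server side: undo hide_password and strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    # A wrong shared key yields garbage; decode leniently so the comparison
    # in server_decision simply fails instead of raising.
    return out.rstrip(b"\x00").decode(errors="replace")


def attribute(kind: int, value: bytes) -> bytes:
    """Type-length-value encoding of one RADIUS attribute."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident: int, username: str, password: str,
                         secret: bytes, authenticator: bytes = None) -> bytes:
    """Access-Request carrying only User-Name and User-Password, as the device
    would send for MAC authentication (other attributes omitted for clarity)."""
    if authenticator is None:
        authenticator = os.urandom(16)          # Request Authenticator
    attrs = attribute(USER_NAME, username.encode())
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> tuple:
    """Server side: walk the attribute list and recover (username, password)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    return (attrs[USER_NAME].decode(),
            reveal_password(attrs[USER_PASSWORD], secret, authenticator))


def server_decision(packet: bytes, secret: bytes, users: dict) -> bool:
    """Accept only if the recovered username exists with exactly that password.
    The lookup is case-sensitive, which is why the page insists on lower case."""
    username, password = parse_access_request(packet, secret)
    return users.get(username) == password


if __name__ == "__main__":
    # Constructed demo: MAC, key and password follow the example in 1.5.2.
    mac = bytes.fromhex("000fe2123456")
    user, pw = credentials(mac, "mac-address-fixed-password", fixed_password="123456")
    pkt = build_access_request(29, user, pw, b"abc")
    print(user, server_decision(pkt, b"abc", {"00-0f-e2-12-34-56": "123456"}))
```

The users table entry has to match the device's user-name-format exactly: lower-case, and with or without hyphens according to the with-hyphen / without-hyphen setting. An upper-case entry such as 00-0F-E2-12-34-56 is rejected, which is the failure the caution in 1.3.1 warns about.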
1.2 Related Concepts
1.2.1 MAC Authentication Timers
The following timers function in the process of MAC authentication:
- Offline detect timer: at this interval the device checks whether each online user is still present. When it finds that a user has gone offline, it sends a stop-accounting request to the RADIUS server.
- Quiet timer: after a user fails MAC authentication, the device does not start another MAC authentication for that MAC address until this timer expires.
- Server timeout timer: if the device receives no response from the RADIUS server within this period while authenticating a user, it assumes that its connection to the RADIUS server has timed out and denies the user access to the network.
1.2.2 Quiet MAC Address
When a user fails MAC authentication, the MAC address becomes a quiet MAC address, which means that any packets from the MAC address will be discarded by the device until the quiet timer expires. This prevents the device from authenticating an invalid user repeatedly in a short time.
Caution:
If a quiet MAC address is the same as a configured static MAC address, or as a MAC address that has passed another type of authentication, the quiet function does not take effect for that address.
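An added example, not from the manual, that models the timer and quiet-MAC behaviour described in 1.2.1 and 1.2.2 for the local mode with the default type (the MAC address is both username and password): every frame from an unknown MAC address triggers authentication, a failure puts the address into the quiet state for the length of the quiet timer, and the offline-detect check takes users offline after a whole interval without traffic. Times are plain seconds supplied by the caller, so it runs without a clock; the local user table and the static-MAC set are constructed inputs, and the static-MAC exemption implements the caution above.

```python
class MacAuthenticator:
    """Local-mode MAC authentication with the MAC address as both username and
    password. Times are seconds passed in by the caller (no real clock)."""

    def __init__(self, users: dict, quiet_seconds: int = 60,
                 offline_detect_seconds: int = 300, static_macs=()):
        self.users = users                          # local accounts (lan-access assumed)
        self.quiet_seconds = quiet_seconds          # page default: one minute
        self.offline_detect_seconds = offline_detect_seconds  # page default: 300 s
        self.static_macs = set(static_macs)         # quiet state never applies to these
        self.quiet_until = {}                       # mac -> time the quiet timer expires
        self.online = {}                            # mac -> time of the last frame seen
        self.events = []                            # what the device would log or send

    @staticmethod
    def username(mac: bytes) -> str:
        return mac.hex()                            # lower-case, without-hyphen form

    def is_quiet(self, mac: bytes, now: int) -> bool:
        if mac in self.static_macs:                 # caution in 1.2.2
            return False
        return self.quiet_until.get(mac, -1) > now

    def on_frame(self, mac: bytes, now: int) -> str:
        """Handle one frame on a port with MAC authentication enabled.
        Returns the action taken: forward, drop, authenticated or rejected."""
        if mac in self.online:
            self.online[mac] = now                  # refresh for offline detection
            return "forward"
        if self.is_quiet(mac, now):
            return "drop"                           # quiet MAC: discard, no new attempt
        name = self.username(mac)
        if self.users.get(name) == name:            # MAC as username and password
            self.online[mac] = now
            self.events.append(("online", name, now))
            return "authenticated"
        if mac not in self.static_macs:             # static MACs are never quieted
            self.quiet_until[mac] = now + self.quiet_seconds
        self.events.append(("auth-failed", name, now))
        return "rejected"

    def offline_detect(self, now: int) -> list:
        """Run once per offline-detect interval: a user with no traffic for a whole
        interval is taken offline and a stop-accounting notice is recorded."""
        gone = [m for m, last in self.online.items()
                if now - last >= self.offline_detect_seconds]
        for mac in gone:
            del self.online[mac]
            self.events.append(("stop-accounting", self.username(mac), now))
        return gone


if __name__ == "__main__":
    # Constructed demo with the timer values from the examples in 1.5.
    auth = MacAuthenticator({"000fe2123456": "000fe2123456"},
                            quiet_seconds=180, offline_detect_seconds=180)
    known, unknown = bytes.fromhex("000fe2123456"), bytes.fromhex("000fe2aabbcc")
    for t, mac in ((0, known), (0, unknown), (100, unknown), (180, unknown)):
        print(t, mac.hex(), auth.on_frame(mac, t))
    print(auth.offline_detect(190), auth.events)
```

The point the simulation makes visible is the difference between "drop" and "rejected": during the quiet period the device spends nothing on a failing address, while once the timer expires the full authentication runs again, and a static MAC address is re-authenticated on every frame because the quiet state does not apply to it.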
1.3 Configuring MAC Authentication
1.3.1 Configuration Prerequisites
- Create and configure an ISP domain.
- For local authentication, create the local users and configure their passwords.
- For RADIUS authentication, ensure that a route exists between the device and the RADIUS server, and add the usernames and passwords on the server.
Caution:
When adding usernames and passwords on the device or on the server, ensure that:
- the username and password type matches the one configured for MAC authentication with mac-authentication user-name-format;
- all letters in a MAC address used as a username or password are in lower case;
- the service type of the local users is configured as lan-access.
1.3.2 Configuration Procedure
Follow these steps to configure MAC authentication. All commands are entered in system view unless stated otherwise.
1) Enter system view: system-view
2) Enable MAC authentication globally: mac-authentication
Required. Disabled by default.
3) Enable MAC authentication on the user-facing ports, using either form:
mac-authentication interface interface-list (in system view), or
interface interface-type interface-number followed by mac-authentication (in interface view)
Required. Disabled by default.
4) Specify the ISP domain for MAC authentication: mac-authentication domain isp-name
Optional. The default ISP domain (system) is used by default.
5) Set the offline detect timer: mac-authentication timer offline-detect offline-detect-value
Optional. Interval at which the device checks whether a user has gone offline; 300 seconds by default.
6) Set the quiet timer: mac-authentication timer quiet quiet-value
Optional. After a user fails authentication, the device does not re-authenticate that MAC address until this timer expires; one minute by default.
7) Set the server timeout timer: mac-authentication timer server-timeout server-timeout-value
Optional. How long the device waits for a response from the RADIUS server; 100 seconds by default.
8) Configure the username and password type:
mac-authentication user-name-format mac-address { with-hyphen | without-hyphen }
mac-authentication user-name-format fixed [ account name ] [ password { cipher | simple } password ]
Optional. By default the user's source MAC address serves as both the username and the password. Whether the hyphen ("-") is required in the MAC address depends on the device model. The fixed form can set the account name, the password, or both; the examples in 1.5 use both forms. A password entered with simple is stored and shown in plain text (see the display mac-authentication output in 1.5.1), so prefer cipher on a production device.
Note:
- You can configure MAC authentication on a specific port before MAC authentication is enabled globally, but the port configuration does not take effect until global MAC authentication is enabled.
- MAC authentication and 802.1x cannot be enabled on the same port.
- A port with MAC authentication enabled cannot be added to an aggregation group, and MAC authentication cannot be enabled on a port that already belongs to an aggregation group.
1.4 Displaying and Maintaining MAC Authentication
To do… | Use the command… | Remarks
---|---|---
Display global MAC authentication information, or the MAC authentication information about specified ports | display mac-authentication [ interface interface-list ] | Available in any view
Clear the MAC authentication statistics | | Available in user view
1.5 MAC Authentication Configuration Example
1.5.1 Local MAC Authentication Configuration Example
I. Network requirements
As illustrated in Figure 1-1, a supplicant is connected to the Ethernet switch through port GigabitEthernet 3/1/1.
- MAC authentication is required on every port to control user access to the Internet.
- Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes.
- All users belong to domain aabbcc.net. Use the fixed username aaa and the fixed password 123456 for local authentication.
II. Network Diagram
Figure 1-1 Network diagram for local MAC authentication
III. Configuration Procedure
# Add a local user.
<Sysname> system-view
[Sysname] local-user aaa
[Sysname-luser-aaa] password simple 123456
[Sysname-luser-aaa] service-type lan-access
[Sysname-luser-aaa] quit
# Configure ISP domain aabbcc.net, and specify to perform local authentication.
[Sysname] domain aabbcc.net
[Sysname-isp-aabbcc.net] authentication lan-access local
[Sysname-isp-aabbcc.net] quit
# Enable centralized MAC authentication globally.
[Sysname] mac-authentication
# Enable centralized MAC authentication for port GigabitEthernet 3/1/1.
[Sysname] mac-authentication interface GigabitEthernet 3/1/1
# Specify the ISP domain for MAC authentication.
[Sysname] mac-authentication domain aabbcc.net
# Set the centralized MAC authentication timers.
[Sysname] mac-authentication timer offline-detect 180
[Sysname] mac-authentication timer quiet 3
# Configure the fixed username and password for MAC authentication.
[Sysname] mac-authentication user-name-format fixed account aaa password simple 123456
IV. Verify your configuration
# Display global MAC authentication information.
<Sysname> display mac-authentication
MAC address authentication is Enabled.
User name format is fixed account
Fixed username:aaa
Fixed password:123456
Offline detect period is 180s
Quiet period is 3 minute(s).
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 0
Current domain is aabbcc.net
Silent Mac User info:
MAC ADDR From Port Port Index
Gigabitethernet3/1/1 is link-up
MAC address authentication is Enabled
Authenticate success: 0, failed: 0
Current online user number is 0
MAC ADDR Authenticate state AuthIndex
1.5.2 RADIUS-Based MAC Authentication Configuration Example
I. Network requirements
As illustrated in Figure 1-2, a host is connected to the switch through port GigabitEthernet 6/2/2. The switch authenticates the host through RADIUS servers (authentication at 10.1.1.1 and accounting at 10.1.1.2, as configured below).
- MAC authentication is required on every port to control user access to the Internet.
- Set the offline detect timer to 180 seconds and the quiet timer to 3 minutes.
- Adopt the MAC address username and fixed password type: the MAC address usernames use hyphens (-), and the fixed password is 123456.
II. Network diagram
Figure 1-2 Network diagram for RADIUS-based MAC authentication
III. Configuration procedure
1) Configure MAC authentication on the switch
# Configure the IP addresses of the interfaces. (Omitted)
# Configure a RADIUS scheme.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
[Sysname-radius-2000] key authentication abc
[Sysname-radius-2000] key accounting abc
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit
# Specify the AAA schemes for the ISP domain.
[Sysname] domain 2000
[Sysname-isp-2000] authentication default radius-scheme 2000
[Sysname-isp-2000] authorization default radius-scheme 2000
[Sysname-isp-2000] accounting default radius-scheme 2000
[Sysname-isp-2000] quit
# Enable MAC authentication globally.
[Sysname] mac-authentication
# Enable MAC authentication for port GigabitEthernet 6/2/2.
[Sysname] mac-authentication interface gigabitethernet 6/2/2
# Specify the ISP domain for MAC authentication.
[Sysname] mac-authentication domain 2000
# Set the MAC authentication timers.
[Sysname] mac-authentication timer offline-detect 180
[Sysname] mac-authentication timer quiet 3
# Specify that the MAC address usernames use hyphens.
[Sysname] mac-authentication user-name-format mac-address with-hyphen
# Configure the fixed password for MAC authentication.
[Sysname] mac-authentication user-name-format fixed password simple 123456
2) Verify the configuration
# Display global MAC authentication information.
<Sysname> display mac-authentication
MAC address authentication is enabled.
User name format is MAC address, like xx-xx-xx-xx-xx-xx
Fixed username: Not configured
Fixed password:123456
Offline detect period is 180s
Quiet period is 3 minute(s).
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 1
Current domain is 2000
Silent MAC User info:
MAC Addr From Port Port Index
GigabitEthernet6/2/1 is link-down
MAC address authentication is disabled
Current online user number is 0
MAC Addr Authenticate State Auth Index
GigabitEthernet6/2/2 is link-up
MAC address authentication is enabled
Authenticate success: 1, failed: 0
Current online user number is 1
MAC Addr Authenticate State Auth Index
000f-e212-3456 MAC_AUTHENTICATOR_SUCCESS 29
GigabitEthernet6/2/3 is link-down
MAC address authentication is disabled
Current online user number is 0
MAC Addr Authenticate State Auth Index