Login
- Table of Contents
-
- H3C S3100-52P Operation Manual-Release 1602(V1.01)
- 00-1Cover
- 00-2Product Overview
- 01-CLI Operation
- 02-Login Operation
- 03-Configuration File Management Operation
- 04-VLAN Operation
- 05-IP Address and Performance Operation
- 06-Voice VLAN Operation
- 07-GVRP Operation
- 08-Port Basic Configuration Operation
- 09-Link Aggregation Operation
- 10-Port Isolation Operation
- 11-Port Security-Port Binding Operation
- 12-DLDP Operation
- 13-MAC Address Table Management Operation
- 14-MSTP Operation
- 15-Static Route Operation
- 16-Multicast Operation
- 17-802.1x and System Guard Operation
- 18-AAA Operation
- 19-Web Authentication Operation
- 20-MAC Address Authentication Operation
- 21-ARP Operation
- 22-DHCP Operation
- 23-ACL Operation
- 24-QoS-QoS Profile Operation
- 25-Mirroring Operation
- 26-Stack-Cluster Operation
- 27-SNMP-RMON Operation
- 28-NTP Operation
- 29-SSH Operation
- 30-File System Management Operation
- 31-FTP-SFTP-TFTP Operation
- 32-Information Center Operation
- 33-System Maintenance and Debugging Operation
- 34-VLAN-VPN Operation
- 35-HWPing Operation
- 36-IPv6 Management Operation
- 37-DNS Operation
- 38-Smart Link-Monitor Link Operation
- 39-Appendix
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 20-MAC Address Authentication Operation | 79.23 KB |
Table of Contents
Chapter 1 MAC Address Authentication Configuration
1.1 MAC Address Authentication Overview
1.1.1 Performing MAC Address Authentication on a RADIUS Server
1.1.2 Performing MAC Address Authentication Locally
1.2.1 MAC Address Authentication Timers
1.3 Configuring Basic MAC Address Authentication Functions
1.4 MAC Address Authentication Enhanced Function Configuration
1.4.1 MAC Address Authentication Enhanced Function Configuration Task List
1.4.2 Configuring a Guest VLAN
1.4.3 Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port
1.5 Displaying and Maintaining MAC Address Authentication Configuration
1.6 MAC Address Authentication Configuration Examples
Chapter 1 MAC Address Authentication Configuration
& Note:
l The configuration of fixed password when setting the user name in MAC address mode for MAC address authentication is added. See Configuring Basic MAC Address Authentication Functions.
l The configuration of MAC address authentication enhanced function is added. See MAC Address Authentication Enhanced Function Configuration.
When configuring MAC address authentication, go to these sections for information you are interested:
l MAC Address Authentication Overview
l Configuring Basic MAC Address Authentication Functions
l MAC Address Authentication Enhanced Function Configuration
l Displaying and Maintaining MAC Address Authentication Configuration
l MAC Address Authentication Configuration Examples
1.1 MAC Address Authentication Overview
MAC address authentication provides a way for authenticating users based on ports and MAC addresses, without requiring any client software to be installed on the hosts. Once detecting a new MAC address, it initiates the authentication process. During authentication, the user does not need to enter username or password manually.
For S3100-52P Ethernet switch, MAC address authentication can be implemented locally or on a RADIUS server.
After determining the authentication method, users can select one of the following types of user name as required:
l MAC address mode, where the MAC address of a user serves as the user name for authentication.
l Fixed mode, where user names and passwords are configured on a switch in advance. In this case, the user name, the password, and the limits on the total number of user names are the matching criterion for successful authentication. For details, refer to AAA of this manual for information about local user attributes.
1.1.1 Performing MAC Address Authentication on a RADIUS Server
When authentications are performed on a RADIUS server, the switch serves as a RADIUS client and completes MAC address authentication in combination of the RADIUS server.
l In MAC address mode, the switch sends the MAC addresses detected to the RADIUS server as both the user names and passwords, or sends the MAC addresses detected to the RADIUS server as the user names and uses the configured fixed password as the password.
l In fixed mode, the switch sends the user name and password previously configured for the user to the RADIUS server for authentication.
A user can access a network upon passing the authentication performed by the RADIUS server.
1.1.2 Performing MAC Address Authentication Locally
When authentications are performed locally, users are authenticated by switches. In this case,
l In MAC address mode, the local user name to be configured is the MAC address of an access user, while the password may be the MAC address of the user or the fixed password configured (which is used depends on your configuration). Hyphens must or must not be included depending on the format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication will fail.
l In fixed mode, all users’ MAC addresses are automatically mapped to the configured local passwords and usernames.
l The service type of a local user needs to be configured as lan-access.
1.2 Related Concepts
1.2.1 MAC Address Authentication Timers
The following timers function in the process of MAC address authentication:
l Offline detect timer: At this interval, the switch checks to see whether an online user has gone offline. Once detecting that a user becomes offline, the switch sends a stop-accounting notice to the RADIUS server.
l Quiet timer: Whenever a user fails MAC address authentication, the switch does not initiate any MAC address authentication of the user during a period defined by this timer.
l Server timeout timer: During authentication of a user, if the switch receives no response from the RADIUS server in this period, it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network.
1.2.2 Quiet MAC Address
When a user fails MAC address authentication, the MAC address becomes a quiet MAC address, which means that any packets from the MAC address will be discarded simply by the switch until the quiet timer expires. This prevents an invalid user from being authenticated repeatedly in a short time.
Caution:
If the quiet MAC is the same as the static MAC configured or an authentication-passed MAC, then the quiet function is not effective.
1.3 Configuring Basic MAC Address Authentication Functions
Follow these steps to configure basic MAC address authentication functions:
|
To do... |
Use the command... |
Remarks |
||
|
Enter system view |
system-view |
— |
||
|
Enable MAC address authentication globally |
mac-authentication |
Required Disabled by default |
||
|
Enable MAC address authentication for the specified port(s) or the current port |
In system view |
mac-authentication interface interface-list |
Use either method Disabled by default |
|
|
In interface view |
interface interface-type interface-number |
|||
|
mac-authentication |
||||
|
quit |
||||
|
Set the user name in MAC address mode for MAC address authentication |
mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ] |
Optional By default, the MAC address of a user is used as the user name. |
||
|
Set the user name in fixed mode for MAC address authentication |
Set the user name in fixed mode for MAC address authentication |
mac-authentication authmode usernamefixed |
Optional By default, the user name is “mac” and no password is configured. |
|
|
Configure the user name |
mac-authentication authusername username |
|||
|
Configure the password |
mac-authentication authpassword password |
|||
|
Specify an ISP domain for MAC address authentication |
mac-authentication domain isp-name |
Required The default ISP domain (default domain) is used by default. |
||
|
Configure the MAC address authentication timers |
mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value } |
Optional The default timeout values are as follows: 300 seconds for offline detect timer; 60 seconds for quiet timer; and 100 seconds for server timeout timer |
||
Caution:
l If MAC address authentication is enabled on a port, you cannot configure the maximum number of dynamic MAC address entries for that port (through the mac-address max-mac-count command), and vice versa.
l If MAC address authentication is enabled on a port, you cannot configure port security (through the port-security enable command) on that port, and vice versa.
l You can configure MAC address authentication on a port before enabling it globally. However, the configuration will not take effect unless MAC address authentication is enabled globally.
1.4 MAC Address Authentication Enhanced Function Configuration
1.4.1 MAC Address Authentication Enhanced Function Configuration Task List
Complete the following tasks to configure MAC address authentication enhanced function:
|
Task |
Remarks |
|
Optional |
|
|
Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port |
Optional |
1.4.2 Configuring a Guest VLAN
& Note:
Different from Guest VLANs described in the 802.1x and System-Guard manual, Guest VLANs mentioned in this section refer to Guests VLANs dedicated to MAC address authentication.
After completing configuration tasks in Configuring Basic MAC Address Authentication Functions for a switch, this switch can authenticate access users according to their MAC addresses or according to fixed user names and passwords. The switch will not learn MAC addresses of the clients failing in the authentication into its local MAC address table, thus prevent illegal users from accessing the network.
In some cases, if the clients failing in the authentication are required to access some restricted resources in the network (such as the virus library update server), you can use the Guest VLAN.
You can configure a Guest VLAN for each port of the switch. When a client connected to a port fails in MAC address authentication, this port will be added into the Guest VLAN automatically. The MAC address of this client will also be learned into the MAC address table of the Guest VLAN, and thus the user can access the network resources of the Guest VLAN.
After a port is added to a Guest VLAN, the switch will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the switch) periodically. If this user passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the network normally.
Caution:
l Guest VLANs are implemented in the mode of adding a port to a VLAN. For example, when multiple users are connected to a port, if the first user fails in the authentication, the other users can access only the contents of the Guest VLAN. The switch will re-authenticate only the first user accessing this port, and the other users cannot be authenticated again. Thus, if more than one client is connected to a port, you cannot configure a Guest VLAN for this port.
l After users that are connected to an existing port failed to pass authentication, the switch adds the port to the Guest VLAN. Therefore, the Guest VLAN can separate unauthenticated users on an access port. When it comes to a trunk port or a hybrid port, if a packet itself has a VLAN tag and be in the VLAN that the port allows to pass, the packet will be forwarded perfectly without the influence of the Guest VLAN. That is, packets can be forwarded to the VLANs other than the Guest VLAN through the trunk port and the hybrid port, even users fail to pass authentication.
Follow these steps to configure a Guest VLAN:
|
To do... |
Use the command... |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Configure the Guest VLAN for the current port |
mac-authentication guest-vlan vlan-id |
Required By default, no Guest VLAN is configured for a port by default. |
|
Return to system view |
quit |
— |
|
Configure the interval at which the switch re-authenticates users in Guest VLANs |
mac-authentication timer guest-vlan-reauth interval |
Optional By default, the switch re-authenticates the users in Guest VLANs at the interval of 30 seconds by default. |
Caution:
l If more than one client are connected to a port, you cannot configure a Guest VLAN for this port.
l When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.
l The undo vlan command cannot be used to remove the VLAN configured as a Guest VLAN. If you want to remove this VLAN, you must remove the Guest VLAN configuration for it. Refer to the VLAN module in this manual for the description on the undo vlan command.
l Only one Guest VLAN can be configured for a port, and the VLAN configured as the Guest VLAN must be an existing VLAN. Otherwise, the Guest VLAN configuration does not take effect. If you want to change the Guest VLAN for a port, you must remove the current Guest VLAN and then configure a new Guest VLAN for this port.
l 802.1x authentication cannot be enabled for a port configured with a Guest VLAN.
l The Guest VLAN function for MAC address authentication does not take effect when port security is enabled.
1.4.3 Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port
You can configure the maximum number of MAC address authentication users for a port in order to control the maximum number of users accessing a port. After the number of access users has exceeded the configured maximum number, the switch will not trigger MAC address authentication for subsequent access users, and thus these subsequent access users cannot access the network normally.
Follow these steps to configure the maximum number of MAC address authentication users allowed to access a port:
|
To do... |
Use the command... |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Configure the maximum number of MAC address authentication users allowed to access a port |
mac-authentication max-auth-num user-number |
Required By default, the maximum number of MAC address authentication users allowed to access a port is 256. |
Caution:
l If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller value of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port. Refer to the Port Security manual for the description on the port security function.
l You cannot configure the maximum number of MAC address authentication users for a port if any user connected to this port is online.
1.5 Displaying and Maintaining MAC Address Authentication Configuration
|
To do... |
Use the command... |
Remarks |
|
Display global or on-port information about MAC address authentication |
display mac-authentication [ interface interface-list ] |
Available in any view |
|
Clear the statistics of global or on-port MAC address authentication |
reset mac-authentication statistics [ interface interface-type interface-number ] |
Available in user view |
1.6 MAC Address Authentication Configuration Examples
I. Network requirements
As illustrated in Figure 1-1, a supplicant is connected to the switch through port Ethernet 1/0/2.
l MAC address authentication is required on port Ethernet 1/0/2 to control user access to the Internet.
l All users belong to domain aabbcc.net. The authentication performed is locally and the MAC address of the PC (00-0d-88-f6-44-c1) is used as both the user name and password.
II. Network Diagram
Figure 1-1 Network diagram for MAC address authentication configuration
III. Configuration Procedure
# Enable MAC address authentication on port Ethernet 1/0/2.
<Sysname> system-view
[Sysname] mac-authentication interface Ethernet 1/0/2
# Set the user name in MAC address mode for MAC address authentication, requiring hyphened lowercase MAC addresses as the usernames and passwords.
[Sysname] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase
# Add a local user.
l Specify the user name and password.
[Sysname] local-user 00-0d-88-f6-44-c1
[Sysname-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1
l Set the service type to lan-access.
[Sysname-luser-00-0d-88-f6-44-c1] service-type lan-access
[Sysname-luser-00-0d-88-f6-44-c1] quit
# Add an ISP domain named aabbcc.net.
[Sysname] domain aabbcc.net
New Domain added.
# Specify to perform local authentication.
[Sysname-isp-aabbcc.net] scheme local
[Sysname-isp-aabbcc.net] quit
# Specify aabbcc.net as the ISP domain for MAC address authentication
[Sysname] mac-authentication domain aabbcc.net
# Enable MAC address authentication globally (This is usually the last step in configuring access control related features. Otherwise, a user may be denied of access to the networks because of incomplete configuaration.)
[Sysname] mac-authentication
After doing so, your MAC address authentication configuration will take effect immediately. Only users with the MAC address of 00-0d-88-f6-44-c1 are allowed to access the Internet through port Ethernet 1/0/2.
