H3C Low-End Ethernet Switches Configuration Guide(V1.01)
1 MAC Authentication Configuration Guide
Configuring MAC Authentication
MAC authentication provides a way of authenticating users based on ports and MAC addresses, without requiring any client software to be installed on the hosts. On detecting a new MAC address, a switch with MAC authentication configured initiates the authentication process. During authentication, the user does not need to enter a username or password manually.
MAC authentication can be implemented locally or by a RADIUS server.
After determining the authentication mode, you can select one of the following username types as required:
- MAC address, where the MAC address of a user serves as the username for authentication (you can use the mac-authentication authmode usernameasmacaddress usernameformat command to set the MAC address format).
- Fixed username, where the same username and password preconfigured on the switch are used to authenticate all users. In addition, the number of concurrent users is limited with this username type. This username type is not recommended.
Network Diagram
Figure 1-1 Network diagram for configuring local MAC authentication
Networking and Configuration Requirements
As illustrated in Figure 1-1, a supplicant is connected to the switch through port Ethernet 1/0/2.
- MAC authentication is required on port Ethernet 1/0/2 to control user access to the Internet.
- All users belong to domain aabbcc.net. The authentication is performed locally and the MAC address of the PC (00-0d-88-f6-44-c1) is used as both the username and password.
Applicable Product Matrix
Product series | Software version | Hardware version |
---|---|---|
S5600 series | Release 1510, Release 1602 | All versions |
S5100-SI/EI series | Release 2200, Release 2201 | All versions |
S3600-SI/EI series | Release 1510, Release 1602 | All versions |
S3100-EI series | Release 2104, Release 2107 | All versions |
S3100-C-SI series, S3100-T-SI series | Release 0011, Release 2102, Release 2107 | All versions |
S3100-52P | Release 1500, Release 1602 | S3100-52P |
Configuration Procedure
# Enable MAC authentication for port Ethernet 1/0/2.
<H3C> system-view
[H3C] mac-authentication interface Ethernet 1/0/2
# Specify the MAC authentication username type as MAC address and the MAC address format as with-hyphen.
[H3C] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen
# Create a local user account.
- Specify the username and password.
[H3C] local-user 00-0d-88-f6-44-c1
[H3C-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1
- Set the service type to lan-access.
[H3C-luser-00-0d-88-f6-44-c1] service-type lan-access
[H3C-luser-00-0d-88-f6-44-c1] quit
# Create an ISP domain named aabbcc.net.
[H3C] domain aabbcc.net
New Domain added.
# Configure domain aabbcc.net to perform local authentication.
[H3C-isp-aabbcc.net] scheme local
[H3C-isp-aabbcc.net] quit
# Specify aabbcc.net as the ISP domain for MAC authentication.
[H3C] mac-authentication domain aabbcc.net
# Enable MAC authentication globally.
[H3C] mac-authentication
After you configure the above command, your MAC authentication configuration takes effect immediately, and only the user with the MAC address of 00-0d-88-f6-44-c1 is allowed to access the Internet through port Ethernet 1/0/2. Note that enabling authentication globally is usually the last step in configuring access control related features. Otherwise, valid users may be denied access to the network because of incomplete configuration.
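With the MAC address as both username and password, the local account must match the with-hyphen form exactly, so an inventory kept in another notation has to be normalized first. The following is an added example, not part of the H3C guide: a hypothetical helper that turns such a list into the local-user commands shown above. The function names, the sample inventory, the lowercase output (taken from the page's example address) and the group-address check are assumptions of this example.

```python
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return a MAC in the with-hyphen username form used on this page.

    Accepts colon, hyphen, dot or bare-hex notation in any letter case.
    Lowercase output is an assumption based on the page's example
    address 00-0d-88-f6-44-c1.
    """
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    # A set low bit in the first octet marks a group (multicast or
    # broadcast) address, which is never the source address of a host.
    if int(digits[:2], 16) & 1:
        raise ValueError(f"group address cannot identify a host: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def local_user_commands(macs):
    """Build the system-view commands for one local account per MAC."""
    seen, lines = set(), []
    for raw in macs:
        user = normalize_mac(raw)
        if user in seen:  # same host listed twice in different notations
            continue
        seen.add(user)
        lines += [
            f"local-user {user}",
            f"password simple {user}",  # password equals username, as on the page
            "service-type lan-access",
            "quit",
        ]
    return lines


# Constructed sample inventory: the page's PC in two notations plus one
# made-up second host.
SAMPLE = ["00:0D:88:F6:44:C1", "000d.88f6.44c1", "00-0D-88-F6-44-C2"]

if __name__ == "__main__":
    print("\n".join(local_user_commands(SAMPLE)))
```

The generated lines are entered in system view before the global mac-authentication command, in keeping with the note above that global enabling comes last.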
Complete Configuration
#
domain default enable aabbcc.net
#
MAC-authentication
MAC-authentication domain aabbcc.net
MAC-authentication authmode usernameasmacaddress usernameformat with-hyphen
#
domain aabbcc.net
#
local-user 00-0d-88-f6-44-c1
password simple 00-0d-88-f6-44-c1
service-type lan-access
#
Precautions
- You cannot configure the maximum number of MAC addresses that can be learnt on a MAC authentication enabled port, or enable MAC authentication on a port that is configured with the maximum number of MAC addresses that can be learnt.
- You cannot configure port security on a MAC authentication enabled port, or enable MAC authentication on a port that is configured with port security.