Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 05-Port Security Configuration | 174.7 KB |
Table of Contents
Port Security Configuration Task List
Setting the Maximum Number of Secure MAC Addresses
Setting the Port Security Mode
Enabling the userLoginWithOUI Mode
Enabling any other Port Security Mode
Configuring Port Security Features
Configuring Intrusion Protection
Configuring Secure MAC Addresses
Ignoring Authorization Information from the Server
Displaying and Maintaining Port Security
Port Security Configuration Examples
Configuring the autoLearn Mode
Configuring the userLoginWithOUI Mode
Configuring the macAddressElseUserLoginSecure Mode
Cannot Set the Port Security Mode
Cannot Configure Secure MAC Addresses
Cannot Change Port Security Mode When a User Is Online
When configuring port security, go to these sections for information you are interested in:
l Introduction to Port Security
l Port Security Configuration Task List
l Displaying and Maintaining Port Security
l Port Security Configuration Examples
l Troubleshooting Port Security
Introduction to Port Security
Port Security Overview
Port security is a MAC address-based security mechanism for network access controlling. It is an extension to the existing 802.1X authentication and MAC authentication. It controls the access of unauthorized devices to the network by checking the source MAC address of an inbound frame and the access to unauthorized devices by checking the destination MAC address of an outbound frame.
With port security, you can define various port security modes to make a device learn only legal source MAC addresses, so that you can implement different network security management as needed. When a port security-enabled device detects an illegal frame, it triggers the corresponding port security feature and takes a pre-defined action automatically. This reduces your maintenance workload and greatly enhances system security.
The following types of frames are classified as illegal:
l Received frames with unknown source MAC addresses when MAC address learning is disabled.
l Received frames with unknown source MAC addresses when the number of MAC addresses learned by the port has already reached the upper limit.
l Frames from unauthenticated users.
The security modes of the port security feature provide extended and combined use of 802.1X authentication and MAC authentication and therefore apply to scenarios that require both 802.1X authentication and MAC authentication. For scenarios that require only 802.1X authentication or MAC authentication for access control, however, you are recommended to configure the 802.1X authentication or MAC authentication for simplicity. For information about 802.1X and MAC authentication, refer to 802.1X Configuration and MAC Authentication Configuration in the Security Volume.
Port Security Features
NTK
The need to know (NTK) feature checks the destination MAC addresses in outbound frames and allows frames to be sent to only devices passing authentication, thus preventing illegal devices from intercepting network traffic.
Intrusion protection
The intrusion protection feature checks the source MAC addresses in inbound frames and takes a pre-defined action accordingly upon detecting illegal frames. The action may be disabling the port temporarily, disabling the port permanently, or blocking frames from the MAC address for three minutes (unmodifiable).
Trap
The trap feature enables the device to send trap messages upon detecting specified frames that result from, for example, intrusion or user login/logout operations, helping you monitor special activities.
Port Security Modes
Table 1-1 details the port security modes.
|
Security mode |
Description |
Features |
|
noRestrictions |
Port security is disabled on the port and access to the port is not restricted. |
In this mode, neither the NTK nor the intrusion protection feature is triggered. |
|
autoLearn |
In this mode, a port can be configured or learn a specified number of MAC addresses and save those addresses as secure MAC addresses. It permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses configured by using the mac-address static command. When the number of secure MAC addresses reaches the upper limit, the port changes to work in secure mode. |
In either mode, the device will trigger NTK and intrusion protection upon detecting an illegal frame. In autoLearn mode, dynamic MAC addresses learning is disabled |
|
secure |
In this mode, a port is disabled from learning MAC addresses and permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses configured by using the mac-address static command. |
|
|
userLogin |
In this mode, a port performs 802.1X authentication of users in portbased mode. A port in this mode can service multiple 802.1X users, but allows only one at a moment. |
In this mode, neither NTK nor intrusion protection will be triggered. |
|
userLoginSecure |
In this mode, a port performs 802.1X authentication of users in portbased mode and services only one user passing 802.1X authentication. |
In any of these modes, the device will trigger NTK and intrusion protection upon detecting an illegal frame. |
|
userLoginWithOUI |
Similar to the userLoginSecure mode, a port in this mode performs 802.1X authentication of users and services only one user passing 802.1X authentication. A MAC address being a specified OUI (organizationally unique identifier) are also allowed on the port. |
|
|
macAddressWithRadius |
In this mode, a port performs MAC authentication of users. |
|
|
macAddressOrUserLoginSecure |
This mode is the combination of the userLoginSecure and macAddressWithRadius modes, with 802.1X authentication having a higher priority. The port performs MAC authentication upon receiving non-8021.x frames and performs 802.1X authentication upon receiving 802.1X frames. |
|
|
macAddressElseUserLoginSecure |
This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. l Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. l Upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication. |
|
|
userLoginSecureExt |
In this mode, a port performs 802.1X authentication of users in macbased mode and supports multiple 802.1X users. |
|
|
macAddressOrUserLoginSecureExt |
This mode is similar to the macAddressOrUserLoginSecure mode, except that it supports multiple 802.1X and MAC authentication users on the port. |
|
|
macAddressElseUserLoginSecureExt |
This mode is similar to the macAddressElseUserLoginSecure mode, except that it supports multiple 802.1X and MAC authentication users on the port. |
l Currently, port security supports two authentication methods: 802.1X and MAC authentication. Different port security modes employ different authentication methods or different combinations of authentication methods.
l The maximum number of users a port supports is the lesser of the maximum number of secure MAC addresses or the maximum number of authenticated users the security mode supports. For example, in userLoginSecureExt mode, the maximum number of users a port supports is the lesser of the maximum number of secure MAC addresses configured or the maximum number of users that 802.1X supports.
Port Security Configuration Task List
Complete the following tasks to configure port security:
|
Task |
Remarks |
|
|
Required |
||
|
Optional |
||
|
Required |
||
|
Optional Choose one or more features as required. |
||
|
Optional |
||
|
Optional |
||
Enabling Port Security
Configuration Prerequisites
Before enabling port security, you need to disable 802.1X and MAC authentication globally.
Configuration Procedure
Follow these steps to enable port security:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enable port security |
port-security enable |
Required Disabled by default |
Note that:
1) Enabling port security resets the following configurations on a port to the bracketed defaults. Then, values of these configurations cannot be changed manually; the system will adjust them based on the port security mode automatically:
l 802.1X (disabled), port access control method (macbased), and port access control mode (auto)
l MAC authentication (disabled)
2) Disabling port security resets the following configurations on a port to the bracketed defaults:
l Port security mode (noRestrictions)
l 802.1X (disabled), port access control method (macbased), and port access control mode (auto)
l MAC authentication (disabled)
3) Port security cannot be disabled if there is any user present on a port.
l For detailed 802.1X configuration, refer to 802.1X Configuration in the Security Volume.
l For detailed MAC-based authentication configuration, refer to MAC Authentication Configuration in the Security Volume.
Setting the Maximum Number of Secure MAC Addresses
With port security enabled, more than one authenticated user is allowed on a port. The number of authenticated users allowed, however, cannot exceed the specified upper limit.
By setting the maximum number of secure MAC addresses allowed on a port, you can:
l Control the maximum number of users who are allowed to access the network through the port.
l Control the number of secure MAC addresses that can be added with port security.
This configuration is different from that of the maximum number of MAC addresses that can be leaned by the port in MAC address management.
Follow these steps to set the maximum number of secure MAC addresses allowed on a port:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Set the maximum number of secure MAC addresses allowed on a port |
port-security max-mac-count count-value |
Required Not limited by default |
Setting the Port Security Mode
Before setting the port security mode, ensure that:
l 802.1X is disabled, the port access control method is macbased, and the port access control mode is auto.
l MAC authentication is disabled.
Otherwise, you will see an error message and your configuration will fail.
On the other hand, after setting the port security mode on a port, you cannot change any of the above configurations.
l With port security disabled, you can configure the port security mode, but your configuration does not take effect.
l With port security enabled, you can change the port security mode of a port only when the port is operating in noRestrictions mode, the default mode. You can use the undo port-security port-mode command to restore the default port security mode.
l You cannot change the port security mode of a port when any user is present on the port.
l You cannot configure port security on a port configured with aggregation or service loopback group.
Enabling the autoLearn Mode
Configuration prerequisites
Before enabling the autoLearn mode, you need to set the maximum number of secure MAC addresses allowed on the port.
Configuration procedure
Follow these steps to enable the autoLearn mode:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Enable the autoLearn mode |
port-security port-mode autolearn |
Required By default, a port operates in noRestrictions mode. |
When a port operates in autoLearn mode, you cannot change the maximum number of secure MAC addresses allowed on the port.
Enabling the userLoginWithOUI Mode
In userLoginWithOUI mode, a port supports one 802.1X user as well as one user whose MAC address has an OUI value among the specified ones.
Follow these steps to enable the userLoginWithOUI mode:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Set an OUI value for user authentication |
port-security oui oui-value index index-value |
Optional Not configured by default |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Enable the userLoginWithOUI mode |
port-security port-mode userlogin-withoui |
Required By default, a port operates in noRestrictions mode. |
l An organizationally unique identifier (OUI), the left-most 24 bits of a MAC address, is a globally unique identifier assigned by IEEE to a certain manufacturer.
l You can configure multiple OUI values.
Enabling any other Port Security Mode
Follow these steps to enable any other port security mode:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Set the port security mode |
port-security port-mode { mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext } |
Required By default, a port operates in noRestrictions mode. |
On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication for the same frame fail.
Configuring Port Security Features
Configuring NTK
Follow these steps to configure the NTK feature:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Configure the NTK feature |
port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } |
Required By default, NTK is disabled on a port and all frames are allowed to be sent. |
Configuring Intrusion Protection
Follow these steps to configure the intrusion protection feature:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Configure the intrusion protection feature |
port-security intrusion-mode { blockmac | disableport | disableport-temporarily } |
Required By default, intrusion protection is disabled. |
|
Return to system view |
quit |
— |
|
Set the silence timeout during which a port remains disabled |
port-security timer disableport time-value |
Optional 20 seconds by default |
If you configure the port-security intrusion-mode command with the disableport-temporarily keyword, you can use the port-security timer disableport command to set the silence timeout during which a port remains disabled.
Configuring Trapping
Follow these steps to configure port security trapping:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enable port security traps |
port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon } |
Required By default, no port security trap is enabled. |
Configuring Secure MAC Addresses
Secure MAC addresses are special MAC addresses. They never age out or get lost if saved before the device restarts. One secure MAC address can be added to only one port in the same VLAN. Thus, you can bind a MAC address to one port in the same VLAN.
Secure MAC addresses can be:
l Learned by a port working in autoLearn mode.
l Manually configured through the command line interface (CLI) or management information base (MIB).
When the maximum number of secure MAC addresses is reached, no more can be added.
Configuration Prerequisites
l Enable port security
l Set the maximum number of secure MAC addresses allowed on the port
l Set the port security mode to autoLearn
Configuration Procedure
Follow these steps to configure a secure MAC address:
|
To do… |
Use the command… |
Remarks |
|
|
Enter system view |
system-view |
— |
|
|
Configure a secure MAC address |
In system view |
port-security mac-address security mac-address interface interface-type interface-number vlan vlan-id |
Required Use either approach No secure MAC address is configured by default. |
|
In Ethernet port view |
interface interface-type interface-number |
||
|
port-security mac-address security mac-address vlan vlan-id |
|||
The configured secure MAC addresses are saved in the configuration file and will not get lost when the port goes up or goes down. After you save the configuration file, the secure MAC address saved in the configuration file are maintained even after the device restarts.
Ignoring Authorization Information from the Server
After an 802.1X user or MAC authenticated user passes RADIUS authentication, the RADIUS server delivers the authorization information to the device. You can configure a port to ignore the authorization information from the RADIUS server.
Follow these steps to configure a port to ignore the authorization information from the RADIUS server:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Ignore the authorization information from the RADIUS server |
port-security authorization ignore |
Required By default, a port uses the authorization information from the RADIUS server. |
Displaying and Maintaining Port Security
|
To do… |
Use the command… |
Remarks |
|
Display port security configuration information, operation information, and statistics about one or more ports or all ports |
display port-security [ interface interface-list ] |
Available in any view |
|
Display information about secure MAC addresses |
display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] |
Available in any view |
|
Display information about blocked MAC addresses |
display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] |
Available in any view |
Port Security Configuration Examples
Configuring the autoLearn Mode
Network requirements
Restrict port GigabitEthernet 2/0/1 of the switch as follows:
l Allow up to 64 users to access the port without authentication and permit the port to learn and add the MAC addresses of the users as secure MAC addresses.
l After the number of secure MAC addresses reaches 64, the port stops learning MAC addresses. If any frame with an unknown MAC address arrives, intrusion protection is triggered and the port is disabled and stays silence for 30 seconds.
Network diagram
Figure 1-1 Network diagram for configuring the autoLearn mode
Configuration procedure
1) Configure port security
# Enable port security.
<Switch> system-view
[Switch] port-security enable
# Enable intrusion protection trap.
[Switch] port-security trap intrusion
[Switch] interface gigabitethernet 2/0/1
# Set the maximum number of secure MAC addresses allowed on the port to 64.
[Switch-GigabitEthernet2/0/1] port-security max-mac-count 64
# Set the port security mode to autoLearn.
[Switch-GigabitEthernet2/0/1] port-security port-mode autolearn
# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.
[Switch-GigabitEthernet2/0/1] port-security intrusion-mode disableport-temporarily
[Switch-GigabitEthernet2/0/1] quit
[Switch] port-security timer disableport 30
2) Verify the configuration
After completing the above configurations, you can use the following command to view the port security configuration information:
<Switch> display port-security interface gigabitethernet 2/0/1
Equipment port-security is enabled
Intrusion trap is enabled
Disableport Timeout: 30s
OUI value:
GigabitEthernet2/0/1 is link-up
Port mode is autoLearn
NeedToKnow mode is disabled
Intrusion Protection mode is DisablePortTemporarily
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
As shown in the output, the maximum number of secure MAC addresses allowed on the port is 64, the port security mode is autoLearn, the intrusion protection trap is enabled, and the intrusion protection action is to disable the port (DisablePortTemporarily) for 30 seconds.
You can also use the above command repeatedly to track the number of MAC addresses learned by the port, or use the display this command in interface view to display the secure MAC addresses learned, as shown below:
<Switch> system-view
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] display this
#
interface GigabitEthernet2/0/1
port-security max-mac-count 64
port-security port-mode autolearn
port-security mac-address security 0002-0000-0015 vlan 1
port-security mac-address security 0002-0000-0014 vlan 1
port-security mac-address security 0002-0000-0013 vlan 1
port-security mac-address security 0002-0000-0012 vlan 1
port-security mac-address security 0002-0000-0011 vlan 1
#
Issuing the display port-security interface command after the number of MAC addresses learned by the port reaches 64, you will see that the port security mode has changed to secure. When any frame with a new MAC address arrives, intrusion protection is triggered and you will see trap messages as follows:
#May 2 03:15:55:871 2000 Switch PORTSEC/1/VIOLATION:Traph3cSecureViolation
A intrusion occurs!
IfIndex: 9437207
Port: 9437207
MAC Addr: 0.2.0.0.0.21
VLAN ID: 1
IfAdminStatus: 1
In addition, you will see that the port security feature has disabled the port if you issue the following command:
[Switch-GigabitEthernet2/0/1] display interface gigabitethernet 2/0/1
GigabitEthernet2/0/1 current state: Port Security Disabled
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
Description: GigabitEthernet2/0/1 Interface
......
The port should be re-enabled 30 seconds later.
[Switch-GigabitEthernet2/0/1] display interface gigabitethernet 2/0/1
GigabitEthernet2/0/1 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
Description: GigabitEthernet2/0/1 Interface
......
Now, if you manually delete several secure MAC addresses, the port security mode of the port will be restored to autoLearn, and the port will be able to learn MAC addresses again.
Configuring the userLoginWithOUI Mode
Network requirements
The client is connected to the switch through port GigabitEthernet 2/0/1. The switch authenticates the client by the RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
l RADIUS server 192.168.1.2 functions as the primary authentication server and the secondary accounting server, and RADIUS server 192.168.1.3 functions as the secondary authentication server and the primary accounting server. The shared key for authentication is name, and that for accounting is money.
l All users belong to default domain sun, which can accommodate up to 30 users.
l The RADIUS server response timeout time is five seconds and the maximum number of RADIUS packet retransmission attempts is five. The switch sends real-time accounting packets to the RADIUS server at an interval of 15 minutes, and sends user names without domain names to the RADIUS server.
Restrict port GigabitEthernet 2/0/1 of the switch as follows:
l Allow only one 802.1X user to be authenticated.
l Allow up to 16 OUI values to be configured and allow one additional user whose MAC address has an OUI among the configured ones to access the port.
Network diagram
Figure 1-2 Network diagram for configuring the userLoginWithOUI mode
Configuration procedure
l The following configuration steps cover some AAA/RADIUS configuration commands. For details about the commands, refer to AAA Configuration in the Security Volume.
l Configurations on the host and RADIUS servers are omitted.
1) Configure the RADIUS protocol
# Configure a RADIUS scheme named radsun.
<Switch> system-view
[Switch] radius scheme radsun
[Switch-radius-radsun] primary authentication 192.168.1.2
[Switch-radius-radsun] primary accounting 192.168.1.3
[Switch-radius-radsun] secondary authentication 192.168.1.3
[Switch-radius-radsun] secondary accounting 192.168.1.2
[Switch-radius-radsun] key authentication name
[Switch-radius-radsun] key accounting money
[Switch-radius-radsun] timer response-timeout 5
[Switch-radius-radsun] retry 5
[Switch-radius-radsun] timer realtime-accounting 15
[Switch-radius-radsun] user-name-format without-domain
[Switch-radius-radsun] quit
# Configure an ISP domain named sun.
[Switch] domain sun
[Switch-isp-sun] authentication default radius-scheme radsun
[Switch-isp-sun] access-limit enable 30
[Switch-isp-sun] quit
2) Configure port security
# Enable port security.
[Switch] port-security enable
# Add five OUI values.
[Switch] port-security oui 1234-0100-1111 index 1
[Switch] port-security oui 1234-0200-1111 index 2
[Switch] port-security oui 1234-0300-1111 index 3
[Switch] port-security oui 1234-0400-1111 index 4
[Switch] port-security oui 1234-0500-1111 index 5
[Switch] interface gigabitethernet 2/0/1
# Set the port security mode to userLoginWithOUI.
[Switch-GigabitEthernet2/0/1] port-security port-mode userlogin-withoui
3) Verify the configuration
After completing the above configurations, you can use the following command to view the configuration information of the RADIUS scheme named radsun:
<Switch> display radius scheme radsun
SchemeName =radsun
Index=1 Type=standard
Primary Auth IP =192.168.1.2 Port=1812 State=active
Primary Acct IP =192.168.1.3 Port=1813 State=active
Second Auth IP =192.168.1.3 Port=1812 State=active
Second Acct IP =192.168.1.2 Port=1813 State=active
Auth Server Encryption Key= name
Acct Server Encryption Key= money
Accounting-On packet disable, send times = 5 , interval = 3s
Interval for timeout(second) =5
Retransmission times for timeout =5
Interval for realtime accounting(minute) =15
Retransmission times of realtime-accounting packet =5
Retransmission times of stop-accounting packet =500
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =one
Use the following command to view the configuration information of the ISP domain named sun:
<Switch> display domain sun
Domain = sun
State = Active
Access-limit = 30
Accounting method = Required
Default authentication scheme : radius=radsun
Default authorization scheme : local
Default accounting scheme : local
Domain User Template:
Idle-cut = Disabled
Self-service = Disabled
Use the following command to view the port security configuration information:
<Switch> display port-security interface gigabitethernet 2/0/1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
Index is 1, OUI value is 123401
Index is 2, OUI value is 123402
Index is 3, OUI value is 123403
Index is 4, OUI value is 123404
Index is 5, OUI value is 123405
GigabitEthernet2/0/1 is link-up
Port mode is userLoginWithOUI
NeedToKnow mode is disabled
Intrusion Protection mode is NoAction
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1. You can also use the following command to view information about 802.1X users:
<Switch> display dot1x interface gigabitethernet 2/0/1
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
EAD quick deploy is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
EAD quick deploy configuration:
EAD timeout: 30m
The maximum 802.1X user resource number is 2048 per slot
Total current used 802.1X resource number is 1
GigabitEthernet2/0/1 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is enabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is enabled
Mandatory authentication domain: NOT configured
Guest VLAN: 0
Max number of on-line users is 1024
EAPOL Packet: Tx 16331, Rx 102
Sent EAP Request/Identity Packets : 16316
EAP Request/Challenge Packets: 6
EAP Success Packets: 4, Fail Packets: 5
Received EAPOL Start Packets : 6
EAPOL LogOff Packets: 2
EAP Response/Identity Packets : 80
EAP Response/Challenge Packets: 6
Error Packets: 0
1. Authenticated user : MAC address: 0002-0000-0011
Controlled User(s) amount to 1
In addition, the port allows an additional user whose MAC address has an OUI among the specified OUIs to access the port. You can use the following command to view the related information:
<Switch> display mac-address interface gigabitethernet 2/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
1234-0300-0011 1 Learned GigabitEthernet2/0/1 AGING
--- 1 mac address(es) found ---
Configuring the macAddressElseUserLoginSecure Mode
Network requirements
The client is connected to the switch through GigabitEthernet 2/0/1. The switch authenticates the client by the RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Restrict port GigabitEthernet 2/0/1 of the switch as follows:
l Allow more than one MAC authenticated user to log on.
l For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. Allow only one 802.1X user to log on.
l For MAC-based authentication, allow usernames and passwords in self-defined formats. Set the total number of MAC authenticated users and 802.1X-authenticated users to 64.
l Enable NTK to prevent frames from being sent to unknown MAC addresses.
Network diagram
See Figure 1-2.
Configuration procedure
Configurations on the host and RADIUS servers are omitted.
1) Configure the RADIUS protocol
The required RADIUS authentication/accounting configurations are the same as those in Configuring the userLoginWithOUI Mode.
2) Configure port security
# Enable port security.
<Switch> system-view
[Switch] port-security enable
# Configure a MAC authentication user, setting the user name and password to aaa and 123456 respectively.
[Switch] mac-authentication user-name-format fixed account aaa password simple 123456
[Switch] interface gigabitethernet 2/0/1
# Set the maximum number of secure MAC addresses allowed on the port to 64.
[Switch-GigabitEthernet2/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Switch-GigabitEthernet2/0/1] port-security port-mode mac-else-userlogin-secure
# Set the NTK mode of the port to ntkonly.
[Switch-GigabitEthernet2/0/1] port-security ntk-mode ntkonly
3) Verify the configuration
After completing the above configurations, you can use the following command to view the port security configuration information:
<Switch> display port-security interface gigabitethernet 2/0/1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
GigabitEthernet2/0/1 is link-up
Port mode is macAddressElseUserLoginSecure
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is NoAction
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
Use the following command to view MAC authentication information:
<Switch> display mac-authentication interface gigabitethernet 2/0/1
MAC address authentication is enabled.
User name format is fixed account
Fixed username:aaa
Fixed password:123456
Offline detect period is 300s
Quiet period is 60s
Server response timeout value is 100s
The max allowed user number is 2048 per slot
Current user number amounts to 0
Current domain: not configured, use default domain
Silent MAC User info:
MAC Addr From Port Port Index
GigabitEthernet2/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 3, failed: 0
Current online user number is 3
MAC Addr Authenticate State Auth Index
1234-0300-0011 MAC_AUTHENTICATOR_SUCCESS 13
1234-0300-0012 MAC_AUTHENTICATOR_SUCCESS 14
1234-0300-0013 MAC_AUTHENTICATOR_SUCCESS 15
Use the following command to view 802.1X authentication information:
<Switch> display dot1x interface gigabitethernet 2/0/1
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
EAD quick deploy is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
EAD quick deploy configuration:
EAD timeout: 30m
Total maximum 802.1X user resource number is 2048 per slot
Total current used 802.1X resource number is 1
GigabitEthernet2/0/1 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is enabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is enabled
Mandatory authentication domain: NOT configured
Guest VLAN: 0
Max number of on-line users is 1024
EAPOL Packet: Tx 16331, Rx 102
Sent EAP Request/Identity Packets : 16316
EAP Request/Challenge Packets: 6
EAP Success Packets: 4, Fail Packets: 5
Received EAPOL Start Packets : 6
EAPOL LogOff Packets: 2
EAP Response/Identity Packets : 80
EAP Response/Challenge Packets: 6
Error Packets: 0
1. Authenticated user : MAC address: 0002-0000-0011
Controlled User(s) amount to 1
Troubleshooting Port Security
Cannot Set the Port Security Mode
Symptom
Cannot set the port security mode.
[Switch-GigabitEthernet2/0/1] port-security port-mode autolearn
Error:When we change port-mode, we should first change it to noRestrictions, then change it to the other.
Analysis
For a port working in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command directly.
Solution
Set the port security mode to noRestrictions first.
[Switch-GigabitEthernet2/0/1] undo port-security port-mode
[Switch-GigabitEthernet2/0/1] port-security port-mode autolearn
Cannot Configure Secure MAC Addresses
Symptom
Cannot configure secure MAC addresses.
[Switch-GigabitEthernet2/0/1] port-security mac-address security 1-1-2 vlan 1
Error:Can not operate security MAC address for current port mode is not autoLearn!
Analysis
No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.
Solution
Set the port security mode to autoLearn.
[Switch-GigabitEthernet2/0/1] undo port-security port-mode
[Switch-GigabitEthernet2/0/1] port-security max-mac-count 64
[Switch-GigabitEthernet2/0/1] port-security port-mode autolearn
[Switch-GigabitEthernet2/0/1] port-security mac-address security 1-1-2 vlan 1
Cannot Change Port Security Mode When a User Is Online
Symptom
Port security mode cannot be changed when an 802.1X-authenticated or MAC authenticated user is online.
[Switch-GigabitEthernet2/0/1] undo port-security port-mode
Error:Cannot configure port-security for there is 802.1X user(s) on line on port GigabitEthernet2/0/1.
Analysis
Changing port security mode is not allowed when an 802.1X-authenticated or MAC authenticated user is online.
Solution
Use the cut command to forcibly disconnect the user from the port before changing the port security mode.
[Switch-GigabitEthernet2/0/1] cut connection interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] undo port-security port-mode
