H3C WX3000 Series Unified Switches Switching Engine Configuration Guide-6W103

17-MAC Address Authentication Configuration

MAC Authentication Configuration

 

The sample output information in this manual was created on the WX3024. The output information on your device may vary.

 

MAC Authentication Overview

MAC authentication provides a way of authenticating users based on ports and MAC addresses, without requiring any client software to be installed on the hosts. Once the device detects a new MAC address, it initiates the authentication process. During authentication, the user does not need to enter a username or password manually.

The device implements MAC authentication locally or on a RADIUS server.

After determining the authentication method, users can select one of the following types of username as required:

- MAC address mode, where the MAC address of a user serves as both the username and the password.

- Fixed mode, where usernames and passwords are configured on the device in advance. In this case, the username, the password, and the limit on the total number of usernames are the matching criteria for successful authentication. For details, refer to AAA in H3C WX3000 Series Unified Switches Switching Engine Configuration Guide for information about local user attributes.

Performing MAC Authentication on a RADIUS Server

In RADIUS-based MAC authentication, the device serves as a RADIUS client and completes MAC authentication in cooperation with the RADIUS server.

- If the username type is MAC address, the device sends a detected MAC address to the RADIUS server as both the username and the password for authentication of the user.

- If the username type is fixed username, the device sends the same username and password previously configured on the device to the RADIUS server for authentication of each user.

A user can access a network upon passing the authentication performed by the RADIUS server.

Performing MAC Authentication Locally

In local MAC authentication, the device authenticates users locally. Depending on the configured username type, different items must be configured manually for the users on the device:

- If the username type is MAC address, a local user must be configured on the device for each user, using the MAC address of the accessing user as the username. Whether the username includes hyphens must match the format configured with the mac-authentication authmode usernameasmacaddress usernameformat command; otherwise, the authentication fails.

- If the username type is fixed username, you need to configure the fixed username and password on the device, which the device uses to authenticate all users.

The service type of a local user needs to be configured as lan-access.

Related Concepts

MAC Authentication Timers

The following timers function in the process of MAC authentication:

- Offline detect timer: At this interval, the device checks whether an online user has gone offline. Once it detects that a user has gone offline, the device sends a stop-accounting notice to the RADIUS server.

- Quiet timer: Whenever a user fails MAC authentication, the device does not initiate any MAC authentication of the user during the period defined by this timer.

- Server timeout timer: During authentication of a user, if the device receives no response from the RADIUS server within this period, it assumes that its connection to the RADIUS server has timed out and forbids the user from accessing the network.

Quiet MAC Address

When a user fails MAC authentication, the MAC address becomes a quiet MAC address, which means that any packets from the MAC address are simply discarded by the device until the quiet timer expires. This prevents an invalid user from being authenticated repeatedly in a short time.

 

If the quiet MAC address is the same as a configured static MAC address or a MAC address that has already passed authentication, the quiet function does not take effect.
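The local MAC authentication behaviour described above (the username must match the configured usernameformat exactly, the local user must have the lan-access service type, a failed MAC becomes a quiet MAC until the quiet timer expires, and the offline detect timer removes idle users) can be modelled as a small state machine. The following Python is an added illustration written for this page, not H3C code: the class and method names are assumptions, the timers are driven by an explicit clock in seconds rather than real time, and the local users and MAC addresses are constructed sample data.

```python
"""Model of the device-side decision logic for local MAC authentication.

Added illustration, not H3C code. Assumptions: usernameasmacaddress mode,
a local user database, and a simulated clock (`now`, in seconds).
"""
from dataclasses import dataclass


@dataclass
class LocalUser:
    name: str
    password: str
    service_type: str  # must be "lan-access" for MAC authentication


def format_mac(mac, with_hyphen=True, lowercase=True):
    """Normalise any spelling of a MAC address into the configured username format.

    Mirrors `usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase }`.
    """
    digits = "".join(c for c in mac if c.isalnum())
    if len(digits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower() if lowercase else digits.upper()
    if with_hyphen:
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits


class MacAuthenticator:
    """Local MAC authentication with quiet and offline-detect timers (simulated)."""

    def __init__(self, local_users, with_hyphen=True, lowercase=True,
                 quiet=60, offline_detect=300):
        # Local users are looked up by the exact configured name, so a user
        # entered as "000d88f644c1" will not match a with-hyphen format.
        self.users = {u.name: u for u in local_users}
        self.with_hyphen, self.lowercase = with_hyphen, lowercase
        self.quiet, self.offline_detect = quiet, offline_detect   # seconds
        self.quiet_until = {}   # mac -> time at which the quiet period ends
        self.online = {}        # mac -> time of the last frame seen

    def packet(self, mac, now):
        """Handle a frame from `mac` seen at time `now`; return the verdict."""
        mac = format_mac(mac, self.with_hyphen, self.lowercase)
        if mac in self.online:                       # already authenticated
            self.online[mac] = now
            return "forward"
        if now < self.quiet_until.get(mac, 0):       # quiet MAC: drop silently
            return "drop (quiet MAC)"
        user = self.users.get(mac)
        ok = (user is not None
              and user.password == mac               # MAC is also the password
              and user.service_type == "lan-access")
        if ok:
            self.online[mac] = now
            return "authenticated"
        self.quiet_until[mac] = now + self.quiet     # start the quiet timer
        return "auth failed, quiet until t=%d" % (now + self.quiet)

    def tick(self, now):
        """Offline detect: users idle for a full timer period are taken offline."""
        gone = [m for m, last in self.online.items()
                if now - last >= self.offline_detect]
        for m in gone:
            del self.online[m]
        return gone


if __name__ == "__main__":
    # Constructed sample database: one correct entry, one entered without
    # hyphens (format mismatch), one with the wrong service type.
    auth = MacAuthenticator([
        LocalUser("00-0d-88-f6-44-c1", "00-0d-88-f6-44-c1", "lan-access"),
        LocalUser("00e0fc112233", "00e0fc112233", "lan-access"),
        LocalUser("00-11-22-33-44-55", "00-11-22-33-44-55", "telnet"),
    ])
    for t, mac in [(0, "00:0D:88:F6:44:C1"), (10, "00-e0-fc-11-22-33"),
                   (40, "00-e0-fc-11-22-33"), (0, "00-11-22-33-44-55")]:
        print(t, mac, "->", auth.packet(mac, t))
```

Running the block shows the two failure modes the guide warns about: the entry configured without hyphens never matches while the device expects the with-hyphen format, and an entry whose service type is not lan-access fails even though the name and password are right. Both failed addresses are then dropped without any authentication attempt until their quiet timer expires.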

 

Configuring Basic MAC Authentication Functions

Follow these steps to configure basic MAC authentication functions:

1. Enter system view
   Command: system-view

2. Enable MAC authentication globally
   Command: mac-authentication
   Remarks: Required. Disabled by default.

3. Enable MAC authentication for the specified port(s) or the current port (use either method)
   In system view: mac-authentication interface interface-list
   In interface view: interface interface-type interface-number, then mac-authentication, then quit
   Remarks: Disabled by default.

4. Set the username in MAC address mode for MAC authentication
   Command: mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } { lowercase | uppercase } | fixedpassword password ]
   Remarks: Optional. By default, the MAC address of a user is used as the username.

5. Set the username in fixed mode for MAC authentication
   Command: mac-authentication authmode usernamefixed
   Configure the username: mac-authentication authusername username
   Configure the password: mac-authentication authpassword password
   Remarks: Optional. By default, the username is “mac” and no password is configured.

6. Specify an ISP domain for MAC authentication
   Command: mac-authentication domain isp-name
   Remarks: Required. The default ISP domain (default domain) is used by default.

7. Configure the MAC authentication timers
   Command: mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }
   Remarks: Optional. The default timer values are 300 seconds for the offline detect timer, 60 seconds for the quiet timer, and 100 seconds for the server timeout timer.

 

- If MAC authentication is enabled on a port, you cannot configure the maximum number of dynamic MAC address entries for that port (through the mac-address max-mac-count command), and vice versa.

- If MAC authentication is enabled on a port, you cannot configure port security (through the port-security enable command) on that port, and vice versa.

- You can configure MAC authentication on a port before enabling it globally. However, the configuration will not take effect unless MAC authentication is enabled globally.

 

MAC Address Authentication Enhanced Function Configuration

MAC Address Authentication Enhanced Function Configuration Tasks

Complete the following tasks to configure MAC address authentication enhanced function:

- Configuring a Guest VLAN (Optional)

- Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port (Optional)

 

Configuring a Guest VLAN

 

Unlike the Guest VLANs described in the 802.1x and System-Guard manual, the Guest VLANs discussed in this section are Guest VLANs dedicated to MAC address authentication.

 

After you complete the configuration tasks in Configuring Basic MAC Authentication Functions, the device can authenticate access users according to their MAC addresses or according to fixed usernames and passwords. The device does not learn the MAC addresses of clients that fail authentication into its local MAC address table, thus preventing illegal users from accessing the network.

In some cases, if the clients failing in the authentication are required to access some restricted resources in the network (such as the virus library update server), you can use the Guest VLAN.

You can configure a Guest VLAN for each port of the device. When a client connected to a port fails in MAC address authentication, this port will be added into the Guest VLAN automatically. The MAC address of this client will also be learned into the MAC address table of the Guest VLAN, and thus the user can access the network resources of the Guest VLAN.

After a port is added to a Guest VLAN, the device will re-authenticate the first access user of this port (namely, the first user whose unicast MAC address is learned by the device) periodically. If this user passes the re-authentication, this port will exit the Guest VLAN, and thus the user can access the network normally.

 

- Guest VLANs are implemented by adding a port to a VLAN. For example, when multiple users are connected to a port and the first user fails authentication, the other users can access only the contents of the Guest VLAN. The device re-authenticates only the first user accessing this port; the other users cannot be authenticated again. Thus, if more than one client is connected to a port, you cannot configure a Guest VLAN for this port.

- When a user connected to a port fails authentication, the device adds the port to the Guest VLAN. The Guest VLAN can therefore isolate unauthenticated users on an access port. On a trunk port or a hybrid port, however, a packet that already carries a VLAN tag for a VLAN the port permits is forwarded normally, unaffected by the Guest VLAN. That is, through a trunk or hybrid port, packets can still be forwarded to VLANs other than the Guest VLAN even if the user fails authentication.

 

Follow these steps to configure a Guest VLAN:

1. Enter system view
   Command: system-view

2. Enter Ethernet port view
   Command: interface interface-type interface-number

3. Configure the Guest VLAN for the current port
   Command: mac-authentication guest-vlan vlan-id
   Remarks: Required. By default, no Guest VLAN is configured for a port.

4. Return to system view
   Command: quit

5. Configure the interval at which the device re-authenticates users in Guest VLANs
   Command: mac-authentication timer guest-vlan-reauth interval
   Remarks: Optional. By default, the device re-authenticates the users in Guest VLANs at an interval of 30 seconds.

 

- If more than one client is connected to a port, you cannot configure a Guest VLAN for this port.

- When a Guest VLAN is configured for a port, only one MAC address authentication user can access the port. Even if you set the limit on the number of MAC address authentication users to more than one, the configuration does not take effect.

- The undo vlan command cannot be used to remove the VLAN configured as a Guest VLAN. If you want to remove this VLAN, you must first remove the Guest VLAN configuration for it. Refer to VLAN in H3C WX3000 Series Unified Switches Switching Engine Configuration Guide for the description of the undo vlan command.

- Only one Guest VLAN can be configured for a port, and the VLAN configured as the Guest VLAN must be an existing VLAN. Otherwise, the Guest VLAN configuration does not take effect. If you want to change the Guest VLAN for a port, you must remove the current Guest VLAN and then configure a new Guest VLAN for this port.

- 802.1x authentication cannot be enabled for a port configured with a Guest VLAN.

- The Guest VLAN function for MAC authentication does not take effect when port security is enabled.

 

Configuring the Maximum Number of MAC Address Authentication Users Allowed to Access a Port

You can configure the maximum number of MAC address authentication users for a port in order to control how many users may access the port. Once the number of access users exceeds the configured maximum, the device does not trigger MAC address authentication for subsequent access users, so these subsequent users cannot access the network normally.

Follow these steps to configure the maximum number of MAC address authentication users allowed to access a port:

1. Enter system view
   Command: system-view

2. Enter Ethernet port view
   Command: interface interface-type interface-number

3. Configure the maximum number of MAC address authentication users allowed to access the port
   Command: mac-authentication max-auth-num user-number
   Remarks: Required. By default, the maximum number of MAC address authentication users allowed to access a port is 256.

 

- If both the limit on the number of MAC address authentication users and the limit on the number of users configured in the port security function are configured for a port, the smaller of the two configured limits is adopted as the maximum number of MAC address authentication users allowed to access this port. Refer to Port Security in H3C WX3000 Series Unified Switches Switching Engine Configuration Guide for the description of the port security function.

- You cannot configure the maximum number of MAC address authentication users for a port if any user connected to this port is online.
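The port-level rules in the two sections above (a Guest VLAN port admits a single MAC authentication user, the port joins the Guest VLAN when that first user fails, only the first user is re-authenticated at the guest-vlan-reauth interval, and the max-auth-num limit is capped by the port security limit when both are set) are easy to misread, so here is an added Python model of them. It is an illustration written for this page, not H3C code: the Port class, its method names and the authenticate callback are assumptions standing in for the device's local or RADIUS check, the re-authentication timer is driven by an explicit clock in seconds, and the MAC addresses are constructed sample values.

```python
"""Port-level model of MAC authentication Guest VLAN and max-auth-num behaviour.

Added illustration, not H3C code. `authenticate` is a stand-in for the
device's local or RADIUS check; `now` is a simulated clock in seconds.
"""


class Port:
    def __init__(self, authenticate, guest_vlan=None, max_auth_num=256,
                 port_security_max=None, reauth_interval=30):
        self.authenticate = authenticate          # callable(mac) -> bool
        self.guest_vlan = guest_vlan
        # When port security also limits users, the smaller limit wins.
        self.max_users = (max_auth_num if port_security_max is None
                          else min(max_auth_num, port_security_max))
        if guest_vlan is not None:
            # A Guest VLAN port serves exactly one MAC authentication user,
            # whatever max-auth-num says.
            self.max_users = 1
        self.reauth_interval = reauth_interval    # guest-vlan-reauth timer
        self.in_guest_vlan = False
        self.first_mac = None       # first unicast MAC learned on the port
        self.online = set()         # MACs that passed authentication
        self.next_reauth = None

    def new_mac(self, mac, now):
        """A frame from `mac` arrives at time `now`; return what the port does."""
        if mac in self.online:
            return "online"
        if self.first_mac is None:
            self.first_mac = mac
        if self.in_guest_vlan:
            # Port already sits in the Guest VLAN: later MACs only reach the
            # Guest VLAN and are never authenticated themselves.
            return "guest-vlan access (not authenticated)"
        if len(self.online) >= self.max_users:
            # Limit reached: no authentication is triggered for this user.
            return "ignored: max-auth-num reached"
        if self.authenticate(mac):
            self.online.add(mac)
            return "authenticated"
        if self.guest_vlan is not None and mac == self.first_mac:
            self.in_guest_vlan = True
            self.next_reauth = now + self.reauth_interval
            return f"auth failed: port moved to guest VLAN {self.guest_vlan}"
        return "auth failed: traffic dropped"

    def tick(self, now):
        """Periodic re-authentication of the first user while in the Guest VLAN."""
        if not self.in_guest_vlan or now < self.next_reauth:
            return None
        self.next_reauth = now + self.reauth_interval
        if self.authenticate(self.first_mac):
            self.in_guest_vlan = False
            self.online.add(self.first_mac)
            return "first user passed re-auth: port left guest VLAN"
        return "first user failed re-auth: port stays in guest VLAN"


if __name__ == "__main__":
    # Constructed scenario: an unknown host arrives first, so the port drops
    # into Guest VLAN 10; a known host arriving later gets guest access only.
    allowed = {"00-0d-88-f6-44-c1"}
    port = Port(lambda m: m in allowed, guest_vlan=10, reauth_interval=30)
    print(port.new_mac("00-e0-fc-00-00-01", 0))
    print(port.new_mac("00-0d-88-f6-44-c1", 5))
    print(port.tick(30))
    allowed.add("00-e0-fc-00-00-01")   # e.g. the account is created later
    print(port.tick(60))
```

The scenario in the block shows the practical consequence of the "first user" rule: once a port has entered the Guest VLAN because of an unauthorised first host, a legitimate host plugged into the same port is never authenticated and only leaves the Guest VLAN when the first host passes re-authentication. That is why the guide restricts Guest VLANs to ports with a single client.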

 

Displaying and Maintaining MAC Authentication

Display global or on-port information about MAC authentication
   Command: display mac-authentication [ interface interface-list ]
   Remarks: Available in any view

Clear the statistics of global or on-port MAC authentication
   Command: reset mac-authentication statistics [ interface interface-type interface-number ]
   Remarks: Available in user view

 

MAC Authentication Configuration Example

Network requirements

As illustrated in Figure 1-1, a supplicant is connected to the switch through port GigabitEthernet 1/0/2.

- MAC authentication is required on port GigabitEthernet 1/0/2 to control user access to the Internet.

- All users belong to domain aabbcc.net. The authentication is performed locally and the MAC address of the PC (00-0d-88-f6-44-c1) is used as both the username and password.

Figure 1-1 Network diagram for MAC authentication configuration

 

Configuration Procedure

# Enable MAC authentication on port GigabitEthernet 1/0/2.

<device> system-view

[device] mac-authentication interface GigabitEthernet 1/0/2

# Specify to use the user MAC address as both the username and password for MAC authentication, and specify the MAC address format as hyphened lowercase MAC address.

[device] mac-authentication authmode usernameasmacaddress usernameformat with-hyphen lowercase

# Add a local user.

- Specify the username and password.

[device] local-user 00-0d-88-f6-44-c1

[device-luser-00-0d-88-f6-44-c1] password simple 00-0d-88-f6-44-c1

- Set the service type to “lan-access”.

[device-luser-00-0d-88-f6-44-c1] service-type lan-access

[device-luser-00-0d-88-f6-44-c1] quit

# Add an ISP domain named aabbcc.net.

[device] domain aabbcc.net

New Domain added.

# Specify to perform local authentication.

[device-isp-aabbcc.net] scheme local

[device-isp-aabbcc.net] quit

# Specify aabbcc.net as the ISP domain for MAC authentication.

[device] mac-authentication domain aabbcc.net

# Enable MAC authentication globally. (This is usually the last step in configuring access control related features. Otherwise, a user may be denied access to the network because of an incomplete configuration.)

[device] mac-authentication

After doing so, your MAC authentication configuration will take effect immediately. Only users with the MAC address of 00-0d-88-f6-44-c1 are allowed to access the Internet through port GigabitEthernet 1/0/2.

 
