Table of Contents
1 MAC Authentication Configuration
Configuring MAC Authentication
Specifying an Authentication Domain for MAC Authentication Users
Displaying and Maintaining MAC Authentication
MAC Authentication Configuration Example
- The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
- Support of the H3C WA series WLAN access points (APs) for features may vary by AP model. For more information, see Feature Matrix.
- The interface types and the number of interfaces vary by AP model.
- The term AP in this document refers to common APs, wireless bridges, and mesh APs.
This chapter includes these sections:
- Configuring MAC Authentication
- Specifying an Authentication Domain for MAC Authentication Users
- Displaying and Maintaining MAC Authentication
- MAC Authentication Configuration Example
MAC Authentication Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software. A user does not need to input a username and password for network access. The device initiates a MAC authentication process when it detects a new MAC address on a MAC authentication enabled port. If the MAC address passes authentication, the user can access authorized network resources. If the authentication fails, the device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from the MAC address within the quiet time. This quiet mechanism avoids repeated authentication during a short time.
If the MAC address that has failed authentication is a static MAC address or a MAC address that has passed any security authentication, the device does not mark it as a silent address.
User Account Types
MAC authentication supports two user account types:
- One MAC-based user account for each user. Each MAC-based user account uses a MAC address as its username and password. A user can pass MAC authentication only when its MAC address matches a MAC-based user account. This approach is suitable for an insecure environment.
- One shared user account for all users. The username and password of this account follow regular user account rules, and are not necessarily a MAC address. Any user can pass MAC authentication on any MAC authentication enabled port. You can use this approach in a secure environment to limit network resources accessible to MAC authentication users, for example, by assigning an authorized ACL or VLAN for the shared account.
RADIUS MAC Authentication
In RADIUS MAC authentication, the device serves as a RADIUS client and requires a RADIUS server to cooperate with it.
- If MAC-based user accounts are used, the access device forwards a detected MAC address as the username and password to the RADIUS server for authentication of the user.
- If a shared user account is used, the access device sends the username and password of the shared account to the RADIUS server for each MAC authentication user.
If the authentication succeeds, the user is granted permission to access the network resources.
Local MAC Authentication
In local MAC authentication, the device authenticates users locally, so you must configure local user accounts on the device:
- If MAC-based user accounts are used, configure a local user account for each user, using the user's MAC address as both the username and password.
- If a shared user account is used, configure a single local user account for all users.
Related Concepts
MAC Authentication Timers
MAC authentication uses these timers:
- Offline detect timer: Sets the interval that the device waits for traffic from a user before it regards the user idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
- Quiet timer: Sets the interval that the device must wait before it can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.
- Server timeout timer: Sets the interval that the access device waits for a response from a RADIUS server before it regards the RADIUS server unavailable. If the timer expires during MAC authentication, the user cannot access the network.
VLAN Assignment
To separate unauthenticated users and users that fail authentication from restricted network resources, users are initially placed in a VLAN different from the one in which the restricted resources reside. After a user passes MAC authentication, the RADIUS server assigns the VLAN of the restricted resources to the user as the authorized VLAN, and the device adds the port connecting the user to that VLAN. The user can then access those restricted network resources.
Authorization ACLs
You can specify an authorization ACL in the user account for a MAC authentication user to control its access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL onto the access port to filter the traffic from this user. You can change ACL rules while the user is online.
You must configure the ACLs on the access device, whether the MAC authentication server is the access device or a RADIUS server.
Configuring MAC Authentication
Configuration Prerequisites
- Create and configure an ISP domain.
- For local authentication, create the local users and configure the passwords.
- For RADIUS authentication, ensure that a route is available between the device and the RADIUS server and configure the username and password on the RADIUS server.
When configuring the username and password on the local or remote authentication server, note the following:
- The type of username and password must be consistent with that used for MAC authentication configured on the device.
- If the MAC address of a user is to be used as the username and password for MAC address authentication, all letters in the MAC address must be in lower case.
- The service type of the local users must be configured as lan-access.
Configuration Procedure
Follow these steps to configure MAC authentication:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enable MAC authentication globally | mac-authentication | Required. Disabled by default. |
Enable MAC authentication for specified ports | In system view: mac-authentication interface interface-list. Or in interface view: interface wlan-bss interface-number, then mac-authentication, then quit | Required. Use either approach. Disabled by default. |
Set the offline detect timer | mac-authentication timer offline-detect offline-detect-value | Optional. 300 seconds by default. |
Set the quiet timer | mac-authentication timer quiet quiet-value | Optional. 60 seconds by default. |
Set the server timeout timer | mac-authentication timer server-timeout server-timeout-value | Optional. 100 seconds by default. |
Configure the username and password for MAC authentication | mac-authentication user-name-format { fixed [ account name ] [ password { cipher \| simple } password ] \| mac-address [ { with-hyphen \| without-hyphen } [ lowercase \| uppercase ] ] } | Optional. By default, a user's source MAC address (in lower case) serves as the username and password. |
Set the maximum number of online MAC authentication users allowed on a port | interface interface-type interface-number, then mac-authentication max-user user-number | Optional. 128 by default. |
- You can configure MAC authentication for ports first. However, the configuration takes effect only after you enable MAC authentication globally.
- For more information about the default ISP domain, see AAA in the Security Configuration Guide.
Specifying an Authentication Domain for MAC Authentication Users
By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users as follows:
- Specify a global authentication domain in system view. This domain setting applies to all ports.
- Specify an authentication domain for an individual port in interface view.
MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see AAA in the Security Configuration Guide.
Follow these steps to specify the authentication domain to be used for MAC authentication:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Specify an authentication domain for MAC authentication users | In system view: mac-authentication domain domain-name. Or in interface view: interface interface-type interface-number, then mac-authentication domain domain-name | Required. Use either approach. By default, no authentication domain is specified and the system default authentication domain is used for MAC authentication users. |
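The following is an added example, not taken from this chapter or from the Port Security example it refers to, that walks through the two procedures above for local MAC authentication with MAC-based accounts. The sysname AP, the domain name mac-auth, interface wlan-bss 1 and the client MAC address 00e0fc123456 are placeholders; the domain, authentication lan-access local, local-user, password simple and service-type lan-access commands are standard Comware AAA commands assumed here, as they are documented in the AAA chapter rather than in this one.

```text
# Create the ISP domain for MAC authentication users and have it
# authenticate LAN-access users locally (assumed AAA commands).
<AP> system-view
[AP] domain mac-auth
[AP-isp-mac-auth] authentication lan-access local
[AP-isp-mac-auth] quit
# One MAC-based local account (placeholder MAC). Username and password are
# the MAC address in lower case without hyphens, so they match the
# user-name-format chosen below; service type must be lan-access.
[AP] local-user 00e0fc123456
[AP-luser-00e0fc123456] password simple 00e0fc123456
[AP-luser-00e0fc123456] service-type lan-access
[AP-luser-00e0fc123456] quit
# Enable MAC authentication globally and bind it to the domain; the
# port-level settings below only take effect once this is done.
[AP] mac-authentication
[AP] mac-authentication domain mac-auth
# Send the detected source MAC, lower case and without hyphens, as both
# username and password (this is also the default format).
[AP] mac-authentication user-name-format mac-address without-hyphen lowercase
# Timers: a failed MAC is silenced for 60 s; a user idle for two
# consecutive 300 s intervals is logged off (defaults made explicit).
[AP] mac-authentication timer quiet 60
[AP] mac-authentication timer offline-detect 300
# Enable MAC authentication on the BSS interface and cap it at 64 online
# users (default is 128).
[AP] interface wlan-bss 1
[AP-WLAN-BSS1] mac-authentication
[AP-WLAN-BSS1] mac-authentication max-user 64
[AP-WLAN-BSS1] quit
# Verify the port-level state and counters.
[AP] display mac-authentication interface wlan-bss 1
```

If the RADIUS variant is used instead, the local-user block is replaced by the same MAC-formatted account on the RADIUS server, and the server timeout timer (100 seconds by default) then determines how long a user waits before the server is treated as unavailable.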
Displaying and Maintaining MAC Authentication
To do… | Use the command… | Remarks |
---|---|---|
Display MAC authentication information | display mac-authentication [ interface interface-list ] | Available in any view |
Clear the MAC authentication statistics | reset mac-authentication statistics [ interface interface-list ] | Available in user view |
MAC Authentication Configuration Example
For a MAC authentication configuration example, see the related configuration example in Port Security in the Security Configuration Guide.