Port Security Configuration
- The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.
- Support of the H3C WA series WLAN access points (APs) for features may vary by AP model. For more information, see Feature Matrix.
- The interface types and the number of interfaces vary by AP model.
- The term AP in this document refers to common APs, wireless bridges, and mesh APs.
This chapter includes these sections:
- Port Security Configuration Task List
- Setting the Maximum Number of Secure MAC Addresses
- Setting the Port Security Mode
- Configuring Port Security Features
- Configuring Port Security for WLAN Ports
- Ignoring the Authorization Information from the Server
- Displaying and Maintaining Port Security
- Port Security Configuration Examples
- Troubleshooting Port Security
Currently, port security is available for Ethernet ports and Wireless Local Area Network (WLAN) ports. Which port types are supported depends on the command. For more information, see Port Security in the Security Command Reference.
Port Security Overview
Port security is a MAC address-based security mechanism for network access control. It is an extension to 802.1X and MAC authentication. It prevents access from unauthorized devices by checking the source MAC address of inbound traffic, and access to unauthorized devices by checking the destination MAC address of outbound traffic.
Port security lets you control MAC address learning and authentication on a port, so that the port learns only legal source MAC addresses.
With port security enabled, a frame whose source MAC address the port cannot learn in its security mode is considered illegal, and a user failing 802.1X authentication or MAC authentication is considered an illegal event.
Upon detecting an illegal frame or event, the device automatically takes the pre-defined action. This enhances system security while reducing your maintenance burden.
The security modes of the port security feature provide extended and combined use of 802.1X authentication and MAC authentication. They apply to scenarios that require both 802.1X authentication and MAC authentication, WLAN environments for example. For scenarios that require only 802.1X authentication or only MAC authentication, configure 802.1X authentication or MAC authentication directly rather than port security. For information about 802.1X and MAC authentication, see 802.1X and MAC Authentication in the Security Configuration Guide.
Port Security Features
NTK
The need to know (NTK) feature checks the destination MAC addresses in outbound frames and allows frames to be sent to only devices and hosts that have passed authentication or that are using MAC addresses on the MAC address list. This prevents illegal devices from intercepting network traffic.
Intrusion protection
The intrusion protection feature checks the source MAC addresses in inbound frames for illegal frames and takes a pre-defined action on each detected illegal frame. The action may be disabling the port temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for three minutes (unmodifiable).
Port security traps
You can configure the port security module to send traps for port security events such as login, logoff, and MAC authentication. These traps help you monitor user behaviors.
Port Security Modes
Port security supports a set of port security modes, which fall into two categories:
- Control of MAC address learning: contains two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
- Authentication: security modes of this category use MAC authentication, 802.1X authentication, or a combination of the two to implement authentication.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication according to the security mode. If an illegal frame or event is detected, the port takes the pre-defined NTK, intrusion protection, or trapping action.
Table 1-1 describes the port security modes and the security features.
Table 1-1 Port security modes and security features
Security mode | Description | Features
noRestrictions | Port security is disabled on the port and access to the port is not restricted. | Neither NTK nor intrusion protection is triggered.
secure | MAC address learning is disabled on a port in secure mode, but you can configure MAC addresses by using the mac-address static and mac-address dynamic commands. A port in secure mode allows only frames sourced from secure MAC addresses and manually configured MAC addresses to pass. | The AP triggers NTK and intrusion protection upon detecting an illegal frame.
userLogin | The port performs 802.1X authentication and implements port-based access control. Once one 802.1X user passes authentication, all other 802.1X users on the port can access the network without authentication. | Neither NTK nor intrusion protection is triggered.
userLoginSecure | The port performs 802.1X authentication and implements MAC-based access control. The port services only one user that passes 802.1X authentication. | The AP triggers NTK and intrusion protection upon detecting an illegal frame. This applies to every mode from here to the end of the table.
userLoginWithOUI | Similar to userLoginSecure, except that the port also permits frames from one user whose MAC address contains a specified OUI (organizationally unique identifier). For wired users, the port performs 802.1X authentication upon receiving 802.1X frames and an OUI check upon receiving non-802.1X frames. For wireless users, the port performs the OUI check first; if the OUI check fails, the port performs 802.1X authentication. | As above.
macAddressWithRadius | The port performs MAC authentication and services multiple users. | As above.
macAddressOrUserLoginSecure | Combination of the userLoginSecure and macAddressWithRadius modes. For wired users, the port performs MAC authentication upon receiving non-802.1X frames and 802.1X authentication upon receiving 802.1X frames. For wireless users, the port performs 802.1X authentication first; if 802.1X authentication fails, MAC authentication is performed. | As above.
macAddressElseUserLoginSecure | Combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having the higher priority. For non-802.1X frames, the port performs only MAC authentication. For 802.1X frames, the port performs MAC authentication first and then, if MAC authentication fails, 802.1X authentication. | As above.
userLoginSecureExt | The port performs 802.1X authentication and implements MAC-based access control. The port supports multiple online 802.1X users. | As above.
macAddressOrUserLoginSecureExt | Similar to macAddressOrUserLoginSecure, except that the port supports multiple 802.1X and MAC authentication users. | As above.
macAddressElseUserLoginSecureExt | Similar to macAddressElseUserLoginSecure, except that the port supports multiple 802.1X and MAC authentication users. | As above.
- The maximum number of users a port supports equals the maximum number of secure MAC addresses or the maximum number of authenticated users the security mode supports, whichever is smaller.
- For more information, see MAC Address Table in the Layer 2 – LAN Switching Command Reference.
These security mode naming rules may help you remember the modes:
- userLogin specifies 802.1X authentication and port-based access control.
- macAddress specifies MAC address authentication.
- Else specifies that the authentication method named before Else is applied first. If it fails, whether the method named after Else is then tried depends on the protocol type of the authentication request: 802.1X frames fall back to 802.1X authentication, other frames do not.
- In a security mode with Or, which authentication method is used depends on the protocol type of the authentication request; wireless users, however, always try 802.1X authentication first.
- userLogin with Secure specifies 802.1X authentication and MAC-based access control.
- Ext indicates that multiple 802.1X users can be authenticated and serviced at the same time. A security mode without Ext allows only one 802.1X user to be authenticated and get online.
Support for WLAN
Three port security modes are added to support WLAN ports: presharedKey, macAddressAndPresharedKey, and userLoginSecureExtOrPresharedKey. These modes implement a link-layer security mechanism for wireless access on APs.
Table 1-2 details these modes.
Table 1-2 Port security modes for WLAN ports
Security mode | Description | Features
presharedKey | A user must use a pre-configured static key, the pre-shared key (PSK), to negotiate with the device, and can access the port only after the negotiation succeeds. | The device triggers NTK and intrusion protection upon detecting an illegal frame. This applies to all three modes.
macAddressAndPresharedKey | A user must pass MAC authentication and then use the pre-configured PSK to negotiate with the device. Only when the negotiation succeeds can the user access the device. | As above.
userLoginSecureExtOrPresharedKey | A user interacts with the device and chooses either 802.1X authentication, as in userLoginSecureExt mode, or PSK negotiation. | As above.
PSK users are those who have passed authentication in presharedKey mode. A device and each of its WLAN ports have their own upper limits on the number of PSK users, and these limits cannot be modified.
- In presharedKey mode, the total number of PSK users on a port cannot exceed the maximum number of wireless users that the port supports or the maximum number of secure MAC addresses set for the port (if set), whichever is smaller. The total number of PSK users on a device is restricted by the corresponding specification of the device, which varies by device model.
- In macAddressAndPresharedKey mode, the total number of PSK users on a port cannot exceed the upper limit of MAC authentication users on the port or the maximum number of secure MAC addresses set for the port (if set), whichever is smaller. The total number of PSK users on a device cannot exceed the upper limit of MAC authentication users on the device.
- In userLoginSecureExtOrPresharedKey mode, the PSK user limits on the device and on each port are the same as in presharedKey mode, except that the sum of PSK users and 802.1X users on a port cannot exceed the maximum number of secure MAC addresses set for the port (if set) either. The total number of 802.1X users on the device and on each port is limited by the upper limit of 802.1X authentication users.
Currently, these three port security modes apply only to WLAN ports.
With WLAN access, if the source MAC address and VLAN of an 802.1X or MAC authentication user already match an entry in the MAC address table, the user cannot access the wireless network, because no wireless link can be established for that user.
Port Security Configuration Task List
Complete the following tasks to configure port security:
Task | Remarks
Enabling Port Security | Required
Setting the Maximum Number of Secure MAC Addresses | Optional
Setting the Port Security Mode | Required
Configuring Port Security Features | Optional. Choose one or more features as required.
Configuring Port Security for WLAN Ports | Required for WLAN products
Ignoring the Authorization Information from the Server | Optional
Enabling Port Security
Configuration Prerequisites
Before enabling port security, you need to disable 802.1X and MAC authentication globally.
Configuration Procedure
Follow these steps to enable port security:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable port security | port-security enable | Required. Enabled by default.
Note that:
1) Enabling port security resets the following configurations on a port to the bracketed defaults. After that, these values cannot be changed manually; the system adjusts them automatically based on the port security mode:
- 802.1X (disabled), port access control method (macbased), and port authorization mode (auto)
- MAC authentication (disabled)
2) Disabling port security resets the following configurations on a port to the bracketed defaults:
- Port security mode (noRestrictions)
- 802.1X (disabled), port access control method (macbased), and port authorization mode (auto)
- MAC authentication (disabled)
3) Port security cannot be disabled while any user is present on a port.
- For more information about 802.1X configuration, see 802.1X in the Security Configuration Guide.
- For more information about MAC authentication configuration, see MAC Authentication in the Security Configuration Guide.
Setting the Maximum Number of Secure MAC Addresses
The maximum number of users a port supports in a port security mode is determined by the maximum number of secure MAC addresses or the maximum number of authenticated users that the security mode supports, whichever is smaller.
By setting the maximum number of MAC addresses allowed on a port, you can:
- Control the number of secure MAC addresses that a port can learn for port security.
- Control the maximum number of users who are allowed to access the network through the port.
Follow these steps to set the maximum number of secure MAC addresses allowed on a port:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Set the maximum number of secure MAC addresses allowed on the port | port-security max-mac-count count-value | Required. Not limited by default.
Wired ports of the device support setting the maximum number of secure MAC addresses on a port.
This setting is independent of the MAC learning limit described in MAC Address Table in the Layer 2 – LAN Switching Configuration Guide.
Setting the Port Security Mode
Before setting the port security mode, ensure that:
- 802.1X is disabled, the port access control method is macbased, and the port authorization mode is auto.
- MAC authentication is disabled.
All of the requirements above must be met. Otherwise, an error message appears when you set a security mode on the port.
Conversely, after setting the port security mode on a port, you cannot change any of the configurations above.
- With port security disabled, you can configure the port security mode, but the configuration does not take effect until port security is enabled.
- You cannot change the port security mode of a port with users online.
Configuring the Port Security Mode
Follow these steps to configure the port security mode:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Set an OUI value for user authentication | port-security oui oui-value index index-value | Optional. Not configured by default. Required for the userLoginWithOUI mode.
Enter interface view | interface interface-type interface-number | —
Set a port security mode | port-security port-mode { mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui } | Required. By default, a port operates in noRestrictions mode. The userLoginWithOUI mode applies only to Layer 2 Ethernet ports.
- An OUI, as defined by the Institute of Electrical and Electronics Engineers (IEEE), is the first 24 bits of a MAC address and uniquely identifies a device vendor.
- You can configure multiple OUI values. However, a port in userLoginWithOUI mode allows only one 802.1X user and one user whose MAC address contains a specified OUI to pass authentication at the same time.
- After enabling port security, you can change the port security mode of a port only while the port is operating in noRestrictions mode, the default. To change the port security mode of a port operating in any other mode, first use the undo port-security port-mode command to restore the default mode.
- You cannot change the port security mode of a port with users online.
Configuring Port Security Features
Configuring NTK
The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are forwarded to only authenticated devices. Any unicast frame with an unknown destination MAC address is discarded.
The NTK feature supports three modes:
- ntkonly: Forwards only unicast frames with authenticated destination MAC addresses.
- ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.
- ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.
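The egress decision the three NTK modes make, as an added example (Python written for this page, not H3C code). The frame list and the authenticated-MAC set are constructed here; MAC addresses use the dotted-hex form the AP displays, and the function names are this example's own.

```python
"""NTK (need to know) egress filter for one port (added example, not H3C code)."""
from typing import List, Optional, Set, Tuple

BROADCAST = "ffff-ffff-ffff"
NTK_MODES = ("ntkonly", "ntk-withbroadcasts", "ntk-withmulticasts")

# Constructed sample: one authenticated client, and four outbound destinations
# (the client, an unknown unicast MAC, broadcast, and an IPv4 multicast group MAC).
AUTHENTICATED = {"000e-35b2-8be9"}
FRAMES = ["000e-35b2-8be9", "000e-35b2-8bea", "ffff-ffff-ffff", "0100-5e00-0001"]


def is_multicast(mac: str) -> bool:
    """True when the I/G bit (low bit of the first octet) is set."""
    return bool(int(mac.replace("-", "")[:2], 16) & 0x01)


def ntk_permits(mode: Optional[str], dst_mac: str, authenticated: Set[str]) -> bool:
    """Egress decision for one frame; mode=None means NTK is disabled on the port."""
    if mode is None:
        return True  # default: all frames are allowed to be sent
    if mode not in NTK_MODES:
        raise ValueError(f"unknown NTK mode: {mode}")
    dst = dst_mac.lower()
    if dst == BROADCAST:
        return mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
    if is_multicast(dst):
        return mode == "ntk-withmulticasts"
    # Unicast: only destinations that passed authentication (or are on the
    # secure MAC list) receive traffic; unknown unicast is discarded.
    return dst in authenticated


def filter_egress(mode: Optional[str], frames: List[str],
                  authenticated: Set[str]) -> Tuple[List[str], List[str]]:
    """Split outbound frames into (forwarded, dropped) under the given NTK mode."""
    forwarded: List[str] = []
    dropped: List[str] = []
    for dst in frames:
        (forwarded if ntk_permits(mode, dst, authenticated) else dropped).append(dst)
    return forwarded, dropped
```

Note that ntkonly also drops ARP broadcasts and multicast control traffic towards the clients, which is why ntk-withbroadcasts or ntk-withmulticasts is the usual choice on a port that carries ordinary IP hosts.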
Follow these steps to configure the NTK feature:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Configure the NTK feature | port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly } | Required. By default, NTK is disabled on a port and all frames are allowed to be sent.
Support for the NTK feature depends on the port security mode.
Configuring Intrusion Protection
The intrusion protection feature enables a device to take one of the following actions in response to illegal frames:
- blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards the frames. All subsequent frames sourced from a blocked MAC address are dropped. A blocked MAC address is restored to normal state after being blocked for three minutes. This interval is fixed and cannot be changed.
- disableport: Disables the port until you bring it up manually.
- disableport-temporarily: Disables the port for a specified period of time. The period is configured with the port-security timer disableport command.
Follow these steps to configure the intrusion protection feature:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Configure the intrusion protection feature | port-security intrusion-mode { blockmac | disableport | disableport-temporarily } | Required. By default, intrusion protection is disabled. The disableport keyword is not supported on WLAN-BSS ports.
Return to system view | quit | —
Set the silence timeout during which a port remains disabled | port-security timer disableport time-value | Optional. 20 seconds by default.
On a port operating in either the macAddressElseUserLoginSecure mode or the macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication for the same frame fail.
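The three intrusion-mode actions and their timers, modeled as an added example (Python written for this page, not H3C code). The 180-second block duration is the fixed value stated above and the 20-second default is the port-security timer disableport default; the class, method names and sample MAC addresses are this example's own.

```python
"""State kept by one port under each intrusion-mode action (added example, not H3C code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

BLOCKMAC_SECONDS = 180             # fixed by the device, not configurable
DEFAULT_DISABLEPORT_SECONDS = 20   # port-security timer disableport default


@dataclass
class PortIntrusionState:
    mode: Optional[str] = None                  # None = intrusion protection disabled
    disableport_timer: int = DEFAULT_DISABLEPORT_SECONDS
    blocked: Dict[str, float] = field(default_factory=dict)  # mac -> unblock time
    down_until: Optional[float] = None          # None = up; inf = until manual undo

    def on_illegal_frame(self, src_mac: str, now: float) -> str:
        """Apply the configured action to an illegal frame; return the action taken."""
        if self.mode is None:
            return "drop"   # no action: the illegal frame is simply discarded
        if self.mode == "blockmac":
            self.blocked[src_mac.lower()] = now + BLOCKMAC_SECONDS
            return "blockmac"
        if self.mode == "disableport":
            self.down_until = float("inf")
            return "disableport"
        if self.mode == "disableport-temporarily":
            self.down_until = now + self.disableport_timer
            return "disableport-temporarily"
        raise ValueError(f"unknown intrusion mode: {self.mode}")

    def port_is_up(self, now: float) -> bool:
        """True when the port is not (or no longer) disabled."""
        if self.down_until is None:
            return True
        if now >= self.down_until:      # never true for inf (disableport)
            self.down_until = None
            return True
        return False

    def ingress_allowed(self, src_mac: str, now: float) -> bool:
        """Would a frame from src_mac be accepted at time `now`?"""
        if not self.port_is_up(now):
            return False
        mac = src_mac.lower()
        until = self.blocked.get(mac)
        if until is None:
            return True
        if now >= until:                # three-minute block expired
            del self.blocked[mac]
            return True
        return False

    def undo_shutdown(self) -> None:
        """Manual recovery from disableport (the operator brings the port up)."""
        self.down_until = None
```

The difference that matters operationally: blockmac punishes only the offending MAC address, while both disableport variants take every user on the port offline, so on a shared WLAN-BSS port a single spoofed frame can be turned into a denial of service against all clients.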
Configuring Port Security Traps
You can configure the port security module to send traps for four categories of events:
- addresslearned: Learning of new MAC addresses.
- dot1xlogfailure/dot1xlogon/dot1xlogoff: 802.1X authentication failure, 802.1X user logon, and 802.1X user logoff.
- ralmlogfailure/ralmlogon/ralmlogoff: MAC authentication failure, MAC authentication user logon, and MAC authentication user logoff.
- intrusion: Detection of illegal frames.
Follow these steps to configure port security traps:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable port security traps | port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon } | Required. Disabled by default.
Configuring Port Security for WLAN Ports
The key negotiation function depends on the port security mode of the WLAN port, as shown in Table 1-3.
Table 1-3 Port security configuration for WLAN ports
Port security mode | Description
presharedKey, userLoginSecureExt, userLoginSecureExtOrPresharedKey, and macAddressAndPresharedKey | On WPA or RSN networks using any of these modes, key negotiation must be enabled. In presharedKey and macAddressAndPresharedKey modes, you need to configure the PSK. In userLoginSecureExt mode, you do not need to configure a PSK. In userLoginSecureExtOrPresharedKey mode, configuring a PSK is optional.
Any other port security mode | No key negotiation is performed and you do not need to enable key negotiation.
- When port security is not enabled, users cannot get online if the wireless service template is of the crypto type, and get online directly if it is of the clear type.
- For more information about the types of the wireless service templates bound to WLAN ports, see the related WLAN configuration guides.
- By default, 802.1X periodically sends unsolicited multicast trigger frames to authenticate clients. To save bandwidth on WLAN ports, it is recommended that you disable the multicast trigger function. For more information, see 802.1X in the Security Configuration Guide.
Setting the Port Security Mode of a WLAN Port
Follow these steps to set the port security mode of a WLAN port:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Set a port security mode for the WLAN port | port-security port-mode { mac-and-psk | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | psk | userlogin-secure | userlogin-secure-ext | userlogin-secure-ext-or-psk | userlogin-secure-or-mac | userlogin-secure-or-mac-ext } | Required. By default, a port operates in noRestrictions mode.
The presharedKey, macAddressAndPresharedKey, and userLoginSecureExtOrPresharedKey modes apply only to WLAN-BSS ports.
Enabling Key Negotiation
After a user passes 802.1X authentication, a WLAN port uses EAPOL-Key frames to negotiate the link-layer session key with the user if the key negotiation function is enabled.
- If key negotiation is enabled, an authenticated user is allowed to access the port only after the key negotiation succeeds.
- If key negotiation is disabled, a user can access the port directly after passing authentication.
Follow these steps to enable key negotiation:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Enable key negotiation of the 11key type | port-security tx-key-type 11key | Required. Disabled by default.
Configuring a PSK
A PSK pre-configured on the device is used to negotiate the session key between the user and the device.
Follow these steps to configure a PSK:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Configure a PSK | port-security preshared-key { pass-phrase | raw-key } key | Required. By default, no PSK is configured.
Ignoring the Authorization Information from the Server
The authorization information is delivered by the RADIUS server to the device after an 802.1X user or MAC authenticated user passes RADIUS authentication. You can configure a port to ignore the authorization information from the RADIUS server.
Follow these steps to configure a port to ignore the authorization information from the RADIUS server:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter interface view | interface interface-type interface-number | —
Ignore the authorization information from the RADIUS server | port-security authorization ignore | Required. By default, a port uses the authorization information from the RADIUS server.
To configure the port-security authorization ignore command on a port with WEP encryption enabled, 802.1X users must use the clear type service template and use the iNode client to initiate authentication.
Displaying and Maintaining Port Security
To do… | Use the command… | Remarks
Display port security configuration information, operation information, and statistics for one or more ports or all ports | display port-security [ interface interface-list ] | Available in any view
Display information about blocked MAC addresses | display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] | Available in any view
Display information about PSK users | display port-security preshared-key user [ interface interface-type interface-number ] | Available in any view
Port Security Configuration Examples
Configuring the userLoginSecure Mode
Network requirements
The WLAN client connects to the wireless port of the AP. The AP authenticates the client through the RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
- RADIUS server 192.168.1.2/24 functions as the primary authentication server and the secondary accounting server, and RADIUS server 192.168.1.3/24 functions as the secondary authentication server and the primary accounting server. The shared key for authentication is name and that for accounting is money.
- All users use the default RADIUS scheme in the ISP domain named sun for authentication, authorization, and accounting. The domain can accommodate up to 30 users.
- The RADIUS server response timeout is five seconds and the maximum number of RADIUS packet retransmission attempts is five. The AP sends real-time accounting packets to the RADIUS server at an interval of 15 minutes, and sends user names without domain names to the RADIUS server.
Configure port WLAN-BSS 1 of the AP to:
- Allow only authenticated 802.1X users' packets to pass through.
- Allow only one 802.1X user to log on.
Figure 1-1 Network diagram for configuring the userLoginSecure mode
Configuration procedure
- The following configuration steps cover some AAA/RADIUS configuration commands. For more information, see AAA in the Security Command Reference.
- Configurations on the host and RADIUS servers are omitted.
1) Configure the service template
# Create service template 108 of the clear type, configure its SSID as userLoginSecure, enable open system authentication, and enable the service template.
<AP> system-view
[AP] wlan service-template 108 clear
[AP-wlan-st-108] ssid userLoginSecure
[AP-wlan-st-108] authentication-method open-system
[AP-wlan-st-108] service-template enable
[AP-wlan-st-108] quit
# Create a WLAN-BSS interface and set its port security mode to userLoginSecure.
[AP] interface WLAN-BSS1
[AP-WLAN-BSS1] port-security port-mode userlogin-secure
[AP-WLAN-BSS1] quit
# Set the radio type to 802.11a for interface WLAN-Radio 1/0/1, and bind interface WLAN-BSS 1 with service template 108.
[AP] interface WLAN-Radio1/0/1
[AP-WLAN-Radio1/0/1] radio-type dot11a
[AP-WLAN-Radio1/0/1] service-template 108 interface wlan-bss 1
[AP-WLAN-Radio1/0/1] quit
# Configure a RADIUS scheme named radsun.
[AP] radius scheme radsun
[AP-radius-radsun] primary authentication 192.168.1.2
[AP-radius-radsun] primary accounting 192.168.1.3
[AP-radius-radsun] secondary authentication 192.168.1.3
[AP-radius-radsun] secondary accounting 192.168.1.2
[AP-radius-radsun] key authentication name
[AP-radius-radsun] key accounting money
[AP-radius-radsun] timer response-timeout 5
[AP-radius-radsun] retry 5
[AP-radius-radsun] timer realtime-accounting 15
[AP-radius-radsun] user-name-format without-domain
[AP-radius-radsun] quit
# Configure an authentication domain named sun.
[AP] domain sun
[AP-isp-sun] authentication default radius-scheme radsun
[AP-isp-sun] authorization default radius-scheme radsun
[AP-isp-sun] accounting default radius-scheme radsun
[AP-isp-sun] access-limit enable 30
[AP-isp-sun] quit
# Configure authentication domain sun as the default domain.
[AP] domain default enable sun
2) Configure port security
# Enable port security.
[AP] port-security enable
3) Verify the configuration
After completing the above configurations, you can use the following command to view the configuration information of the RADIUS scheme named radsun:
[AP] display radius scheme radsun
SchemeName : radsun
Index : 0 Type : standard
Primary Auth Server:
IP: 192.168.1.2 Port: 1812 State: active
Encryption Key : Not configured
Primary Acct Server:
IP: 192.168.1.3 Port: 1813 State: active
Encryption Key : Not configured
Second Auth Server:
IP: 192.168.1.3 Port: 1812 State: active
Encryption Key : Not configured
Second Acct Server:
IP: 192.168.1.2 Port: 1813 State: active
Encryption Key : Not configured
Auth Server Encryption Key : name
Acct Server Encryption Key : money
Accounting-On packet disable, send times : 5 , interval : 3s
Interval for timeout(second) : 5
Retransmission times for timeout : 5
Interval for realtime accounting(minute) : 15
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet : 500
Quiet-interval(min) : 5
Username format : without-domain
Data flow unit : Byte
Packet unit : one
Use the following command to view the configuration information of the ISP domain named sun:
[AP] display domain sun
Domain = sun
State = Active
Access-limit = 30
Accounting method = Required
Default authentication scheme : radius=radsun
Default authorization scheme : radius=radsun
Default accounting scheme : radius=radsun
Domain User Template:
Idle-cut = Disabled
Self-service = Disabled
Use the following command to view the port security configuration information:
[AP] display port-security interface WLAN-BSS1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
WLAN-BSS1 is link-up
Port mode is userLoginSecure
NeedToKnow mode is disabled
Intrusion Protection mode is NoAction
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
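A check worth running on the output above before declaring the port done, as an added example (Python written for this page, not H3C code): it parses the display port-security output shown for WLAN-BSS1 (the sample below is constructed from that output) and flags the settings that leave a port in an authentication mode with no NTK, no intrusion protection, no max-mac-count and no traps. The field names and finding texts are this example's own.

```python
"""Audit of `display port-security interface` output (added example, not H3C code)."""
import re
from typing import Dict, List

# Constructed sample, copied in shape from the display output shown above.
SAMPLE_OUTPUT = """\
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
WLAN-BSS1 is link-up
Port mode is userLoginSecure
NeedToKnow mode is disabled
Intrusion Protection mode is NoAction
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
"""

PATTERNS = {
    "enabled": r"Equipment port-security is (\w+)",
    "trap": r"Trap is (\w+)",
    "disableport_timeout": r"Disableport Timeout: (\d+)s",
    "port": r"^(\S+) is link-(up|down)$",
    "mode": r"Port mode is (\S+)",
    "ntk": r"NeedToKnow mode is (\S+)",
    "intrusion": r"Intrusion Protection mode is (\S+)",
    "max_mac": r"Max MAC address number is (.+)",
    "stored_mac": r"Stored MAC address number is (\d+)",
    "authorization": r"Authorization is (\w+)",
}


def parse_port_security(text: str) -> Dict[str, str]:
    """Flatten the global and per-port lines into a key -> value dict."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key, pattern in PATTERNS.items():
            m = re.match(pattern, line)
            if m:
                fields[key] = m.group(1)
                if key == "port":
                    fields["link"] = m.group(2)
    return fields


def audit(fields: Dict[str, str]) -> List[str]:
    """Return the weaknesses a reviewer would flag for a port in an authentication mode."""
    findings: List[str] = []
    if fields.get("enabled") != "enabled":
        findings.append("port security is disabled: the configured port mode has no effect")
    if fields.get("mode") in (None, "noRestrictions"):
        findings.append("port mode is noRestrictions: no NTK or intrusion protection")
        return findings
    if fields.get("ntk") == "disabled":
        findings.append("NTK disabled: frames to unauthenticated destinations are forwarded")
    if fields.get("intrusion") == "NoAction":
        findings.append("intrusion protection NoAction: illegal frames are discarded but the source is never blocked")
    if fields.get("max_mac", "").startswith("not configured"):
        findings.append("max-mac-count not set: user count is bounded only by the mode's own limit")
    if fields.get("trap") == "disabled":
        findings.append("port security traps disabled: logon, logoff and intrusion events are not reported")
    return findings
```

Run over the sample, the audit reports four findings, which matches the configuration example: it sets only the port mode, so NTK, intrusion protection, the secure MAC limit and traps all remain at their defaults.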
After an 802.1X user gets online, you can see that the number of secure MAC addresses is 1. You can also use the following command to view information about the 802.1X user:
[AP] display dot1x interface WLAN-BSS1
Equipment 802.1X protocol is enabled
EAP authentication is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Reauth Period 3600 s
The maximal retransmitting times 2
The maximum 802.1X user resource number is 128 per slot
Total current used 802.1X resource number is 1
WLAN-BSS1 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is enabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is enabled
Mandatory authentication domain: NOT configured
Guest VLAN: NOT configured
Auth-Fail VLAN: NOT configured
Max number of on-line users is 128
EAPOL Packet: Tx 188, Rx 55
Sent EAP Request/Identity Packets : 129
EAP Request/Challenge Packets: 14
EAP Success Packets: 2, Fail Packets: 37
Received EAPOL Start Packets : 10
EAPOL LogOff Packets: 3
EAP Response/Identity Packets : 21
EAP Response/Challenge Packets: 20
Error Packets: 0
1. Unauthenticated user : MAC address: 000e-35b2-8be9
Controlled User(s) amount to 1
Configuring the macAddressElseUserLoginSecure Mode
Network requirements
The WLAN client connects to the wireless port of the AP. The AP authenticates the client by the RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Configure port WLAN-BSS 1 of the AP to:
l Allow multiple concurrent MAC authenticated users to log on.
l For 802.1X users, perform MAC authentication first and then, if MAC authentication fails, 802.1X authentication. Allow only one 802.1X user to log on.
l Use MAC-based accounts for MAC authentication. Set the total number of MAC authenticated users and 802.1X-authenticated users to 64.
l Enable NTK to prevent frames from being sent to unknown MAC addresses.
Figure 1-2 Network diagram for configuring the macAddressElseUserLoginSecure mode
Configuration procedure
l The RADIUS scheme and ISP domain configurations are similar to those described in Configuring the userLoginSecure Mode and are omitted here.
l Configurations on the host and RADIUS servers are omitted.
1) Configure the service template
# Create service template 108 of the clear type, configure its SSID as macAddressElseUserLoginSecure, enable open system authentication, and enable the service template.
<AP> system-view
[AP] wlan service-template 108 clear
[AP-wlan-st-108] ssid macAddressElseUserLoginSecure
[AP-wlan-st-108] authentication-method open-system
[AP-wlan-st-108] service-template enable
[AP-wlan-st-108] quit
# Create a WLAN-BSS interface, and set the maximum number of secure MAC addresses on the port to 64.
[AP] interface wlan-bss1
[AP-WLAN-BSS1] port-security max-mac-count 64
# Specify the port security mode as macAddressElseUserLoginSecure.
[AP-WLAN-BSS1] port-security port-mode mac-else-userlogin-secure
# Set the NTK mode of the port to ntkonly.
[AP-WLAN-BSS1] port-security ntk-mode ntkonly
[AP-WLAN-BSS1] quit
# Set the radio type to 802.11a for interface WLAN-Radio 1/0/1, and bind interface WLAN-BSS 1 with service template 108.
[AP] interface wlan-radio1/0/1
[AP-WLAN-Radio1/0/1] radio-type dot11a
[AP-WLAN-Radio1/0/1] service-template 108 interface wlan-bss 1
[AP-WLAN-Radio1/0/1] quit
2) Configure port security
# Enable port security.
[AP] port-security enable
# Configure a MAC authentication user, setting the username to aaa and the password to 123456.
[AP] mac-authentication user-name-format fixed account aaa password simple 123456
# Configure an ISP domain named sun for MAC authentication.
[AP] mac-authentication domain sun
3) Verify the configuration
After completing the above configurations, you can use the following command to view the port security configuration information:
<AP> display port-security interface wlan-bss1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
WLAN-BSS1 is link-up
Port mode is macAddressElseUserLoginSecure
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is NoAction
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
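The verification step above compares the display output with the intended settings by eye. As an added example (not part of the H3C manual), the following Python parses `display port-security interface` output in the format shown on this page and reports any field that differs from what the procedure configured; the same parser works for the other port security display outputs on this page, and the sample output embedded below is the one shown just above.

```python
# Added example, not from the H3C manual: audit port security display output.
import re

# Constructed sample: the output the manual shows after the procedure above.
SAMPLE_OUTPUT = """\
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
WLAN-BSS1 is link-up
Port mode is macAddressElseUserLoginSecure
NeedToKnow mode is NeedToKnowOnly
Intrusion Protection mode is NoAction
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
"""

# Every output line is either "<field> is <value>" or "<field>: <value>".
LINE_RE = re.compile(r"^(?P<field>.+?)(?: is |:\s*)(?P<value>.*)$")

def parse_port_security(text):
    """Map each field to its value; numeric values (with optional 's') become ints."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        field, value = m.group("field"), m.group("value").strip()
        if value.startswith("link-"):  # "WLAN-BSS1 is link-up" names the interface
            fields["Interface"], value, field = field, value[5:], "Link"
        num = re.fullmatch(r"(\d+)s?", value)
        fields[field] = int(num.group(1)) if num else value
    return fields

def audit(fields, expected):
    """Return one mismatch string per field that differs from the intent."""
    return [f"{k}: expected {v!r}, got {fields.get(k)!r}"
            for k, v in expected.items() if fields.get(k) != v]

# Intent from the configuration procedure: mode, NTK only, 64 secure MACs.
EXPECTED = {
    "Equipment port-security": "enabled",
    "Port mode": "macAddressElseUserLoginSecure",
    "NeedToKnow mode": "NeedToKnowOnly",
    "Max MAC address number": 64,
}

if __name__ == "__main__":
    print(audit(parse_port_security(SAMPLE_OUTPUT), EXPECTED) or "OK")
```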
Use the following command to view MAC authentication information:
<AP> display mac-authentication interface WLAN-BSS1
MAC address authentication is enabled.
User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx
Fixed username:aaa
Fixed password:123456
Offline detect period is 300s
Quiet period is 60s
Server response timeout value is 100s
The max allowed user number is 128 per slot
Current user number amounts to 1
Current domain is sun
Silent MAC User info:
MAC Addr From Port Port Index
WLAN-BSS1 is link-up
MAC address authentication is enabled
Authenticate success: 1, failed: 13
Max number of on-line users is 128
Current online user number is 1
MAC Addr Authenticate State Auth Index
000e-35b2-8be9 MAC_AUTHENTICATOR_SUCCESS 18
Use the following command to view 802.1X authentication information:
<AP> display dot1x interface WLAN-BSS1
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Reauth Period 3600 s
The maximal retransmitting times 2
The maximum 802.1X user resource number is 128 per slot
Total current used 802.1X resource number is 1
WLAN-BSS1 is link-up
802.1X protocol is enabled
Proxy trap checker is disabled
Proxy logoff checker is disabled
Handshake is disabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is disabled
Mandatory authentication domain: NOT configured
Guest VLAN: NOT configured
Auth-Fail VLAN: NOT configured
Max number of on-line users is 128
EAPOL Packet: Tx 19, Rx 7
Sent EAP Request/Identity Packets : 14
EAP Request/Challenge Packets: 2
EAP Success Packets: 1, Fail Packets: 2
Received EAPOL Start Packets : 1
EAPOL LogOff Packets: 0
EAP Response/Identity Packets : 4
EAP Response/Challenge Packets: 1
Error Packets: 0
1. Authenticated user : MAC address: 000e-35b2-8be9
Controlled User(s) amount to 1
Configuring the userLoginSecureExt Mode on a WLAN Port
Network requirements
WLAN clients connect to the wireless port of the AP. The AP uses the RADIUS server to authenticate its clients. If the authentication for a client succeeds, key negotiation is performed. If key negotiation succeeds, the client is authorized to access the network resources.
Figure 1-3 Network diagram for configuring the userLoginSecureExt mode
Configuration procedure
l The following configuration steps cover some AAA/RADIUS configuration commands. For details about the commands, see AAA in the Security Command Reference.
l Configurations on the clients and RADIUS server are omitted.
1) Perform RADIUS-related configurations. See relevant steps in Configuring the userLoginSecure Mode.
2) Configure port security.
# Enable port security.
<AP> system-view
[AP] port-security enable
# Set the 802.1X authentication method to EAP.
[AP] dot1x authentication-method eap
# Enter the view of port WLAN-BSS 1.
[AP] interface wlan-bss 1
# Set the port security mode to userLoginSecureExt.
[AP-WLAN-BSS1] port-security port-mode userlogin-secure-ext
# Enable key negotiation on the port.
[AP-WLAN-BSS1] port-security tx-key-type 11key
# Disable the online handshake function and 802.1X multicast trigger function.
[AP-WLAN-BSS1] undo dot1x handshake
[AP-WLAN-BSS1] undo dot1x multicast-trigger
[AP-WLAN-BSS1] quit
3) Configure the WLAN service template.
# Create service template 1 of the crypto type, configure its SSID as sectest, and enable open system authentication.
[AP] wlan service-template 1 crypto
[AP-wlan-st-1] ssid sectest
[AP-wlan-st-1] authentication-method open-system
# Enable the CCMP cipher suite, enable the RSN-IE in the beacon and probe responses, and enable the service template.
[AP-wlan-st-1] cipher-suite ccmp
[AP-wlan-st-1] security-ie rsn
[AP-wlan-st-1] service-template enable
[AP-wlan-st-1] quit
# Set the radio type to 802.11a for interface WLAN-Radio 1/0/1, and bind interface WLAN-BSS 1 with service template 1.
[AP] interface WLAN-Radio 1/0/1
[AP-WLAN-Radio1/0/1] radio-type dot11a
[AP-WLAN-Radio1/0/1] service-template 1 interface WLAN-BSS 1
4) Verify the configuration.
After completing the above configurations, you can use the following command to view the port security configuration information:
<AP> display port-security interface wlan-bss1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
WLAN-BSS1 is link-up
Port mode is userLoginSecureExt
NeedToKnow mode is disabled
Intrusion Protection mode is NoAction
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
If a user comes online, you can use the display connection command and the display wlan client command to view information about the user.
<AP> display connection ucibindex 315
Index=315 , [email protected]
MAC=0017-9a00-7b2f
IP=N/A
Access=8021X ,AuthMethod=EAP
Port Type=Ethernet,Port Name=WLAN-BSS1
Initial VLAN=1, Authorization VLAN=N/A
ACL Group=Disable
CAR=Disable
Priority=Disable
Start=2006-11-16 16:58:51 ,Current=2006-11-16 16:59:29 ,Online=00h00m38s
Total 1 connection matched.
<AP> display wlan client
Total Number of Clients: 1
Client Information
--------------------------------------------------------------------------
MAC Address BSSID AID State PS Mode
--------------------------------------------------------------------------
0017-9a00-7b2f 000f-e210-2030 1 Running Active
Troubleshooting Port Security
Cannot Change Port Security Mode When a User Is Online
Symptom
Port security mode cannot be changed when an 802.1X-authenticated or MAC authenticated user is online.
[AP-WLAN-BSS1] undo port-security port-mode
Error: Interface WLAN-BSS1 uses enabled SSID: userLoginSecure, please disable the SSID and retry..
Analysis
Changing port security mode is not allowed when an 802.1X-authenticated or MAC authenticated user is online.
Solution
Disable the service template, and then change the port security mode.
[AP-WLAN-BSS1] quit
[AP] wlan service-template 1
[AP-wlan-st-1] service-template disable
[AP-wlan-st-1] quit
[AP] interface WLAN-BSS 1
[AP-WLAN-BSS1] undo port-security port-mode