H3C S3100-52P Ethernet Switch Operation Manual-Release 1500(V1.02)

HomeSupportResource CenterSwitchesH3C S3100 Switch SeriesH3C S3100 Switch SeriesTechnical DocumentsConfigure & DeployConfiguration GuidesH3C S3100-52P Ethernet Switch Operation Manual-Release 1500(V1.02)
17-Centralized MAC Address Authentication Operation

Chapter 1  Centralized MAC Address Authentication Configuration

1.1  Centralized MAC Address Authentication Overview

Centralized MAC address authentication is port- and MAC address-based authentication used to control user permissions to access a network. Centralized MAC address authentication can be performed without client-side software. With this type of authentication employed, a switch authenticates a user upon detecting the MAC address of the user for the first time.

Centralized MAC address authentication can be implemented in the following two modes:

l           MAC address mode, where user MAC serves as both the user name and the password.

l           Fixed mode, where user names and passwords are configured on a switch in advance. In this case, every user corresponds to a specific user name and password configured on the switch.

As for S3100-52P Ethernet Switch, authentication can be performed locally or on a RADIUS server.

1)         When a RADIUS server is used for authentication, the switch serves as a RADIUS client. Authentication is carried out through the cooperation of switches and the RADIUS server.

l           In MAC address mode, a switch sends user MAC addresses detected to the RADIUS server as both user names and passwords. The rest handling procedures are the same as that of the common RADIUS authentication.

l           In fixed mode, a switch sends the user name and password previously configured for the user to be authenticated to the RADIUS server and replaces the calling-station-id field of the RADIUS packet with the MAC address of the user. The rest handling procedures are the same as that of the common RADIUS authentication.

l           A user can access a network upon passing the authentication performed by the DADIUS server.

2)         When authentications are performed locally, users are authenticated by switches. In this case,

l           For MAC address mode, you can specify the format to enter the MAC addresses used as both user name and password by executing corresponding commands. That is, to specify whether or not MAC addresses are provided in the hyphened form. The input format should be the same as the configured format, or else, the authentication will fail.

l           For fixed mode, configure the local user names and passwords as those for fixed mode.

l           The service type of a local user needs to be configured as lan-access.

1.2  Centralized MAC Address Authentication Configuration

The following are centralized MAC address authentication configuration tasks:

l           Enabling Centralized MAC Address Authentication Globally

l           Enabling Centralized MAC Address Authentication for a Port

l           Configuring Centralized MAC Address Authentication Mode

l           Configuring the ISP Domain for MAC Address Authentication Users

l           Configuring the Timers Used in Centralized MAC Address Authentication

 

  Caution:

The configuration of the maximum number of learned MAC addresses (refer to the mac-address max-mac-count command) is unavailable for the ports with centralized MAC address authentication enabled. Similarly, the centralized MAC address authentication is unavailable for the ports with the maximum number of learned MAC addresses configured.

 

1.2.1  Enabling Centralized MAC Address Authentication Globally

Table 1-1 Enable centralized MAC address authentication

Operation

Command

Description

Enter system view

system-view

Enable centralized MAC address authentication globally

mac-authentication

Required

By default, centralized MAC address authentication is globally disabled.

 

1.2.2  Enabling Centralized MAC Address Authentication for a Port

You can enable centralized MAC address authentication for a port in system view or in Ethernet port view.

Table 1-2 Enable centralized MAC address authentication for a port in system view

Operation

Command

Description

Enter system view

system-view

Enable centralized MAC address authentication for specified ports

mac-authentication interface interface-list

Required

By default, centralized MAC address authentication is disabled on a port.

 

Table 1-3 Enable centralized MAC address authentication for a port in Ethernet port view

Operation

Command

Description

Enter system view

system-view

Enter Ethernet port view

interface interface-type interface-number

Enable centralized MAC address authentication for the current port

mac-authentication

Required

By default, centralized MAC address authentication is disabled on a port.

 

Centralized MAC address authentication for a port can be configured but does not take effect before global centralized MAC address authentication is enabled. After global centralized MAC address authentication is enabled, ports enabled with the centralized MAC address authentication will perform the authentication immediately.

1.2.3  Configuring Centralized MAC Address Authentication Mode

Table 1-4 Configure centralized MAC address authentication mode

Operation

Command

Description

Enter system view

system-view

Configure centralized MAC address authentication mode as MAC address mode

mac-authentication authmode usernameasmacaddress [ usernameformat { with-hyphen | without-hyphen } ]

Optional

By default, the MAC address mode is adopted.

Configure centralized MAC address authentication mode as fixed mode

mac-authentication authmode usernamefixed

Optional

Set a user name for fixed mode

mac-authentication authusername username

Required for fixed mode

By default, the user name is mac and no password is needed.

Set the password for fixed mode

mac-authentication authpassword password

Optional

 

1.2.4  Configuring the ISP Domain for MAC Address Authentication Users

Table 1-5 lists the operations to configure the ISP domain for centralized MAC address authentication users.

Table 1-5 Configure the ISP domain for MAC address authentication users

Operation

Command

Description

Enter system view

system-view

Configure the ISP domain for MAC address authentication users

mac-authentication domain isp-name

Required

By default, the “default domain” is used as the ISP domain.

 

1.2.5  Configuring the Timers Used in Centralized MAC Address Authentication

The following timers are used in centralized MAC address authentication:

l           Offline detect timer, which sets the time interval for a switch to test whether a user goes offline. Upon detecting a user is offline, a switch notifies the RADIUS server of the user to trigger the RADIUS server to stop the accounting on the user.

l           Quiet timer, which sets the quiet period for a switch. After a user fails to pass the authentication performed by a switch, the switch quiets for a specific period (the quiet period) before it authenticates users again.

l           Server timeout timer. During authentication, the switch prohibits the user from accessing the network through the corresponding port if the connection between the switch and RADIUS server times out. In this case, the user can have it authenticated through another port of the switch.

Table 1-6 lists the operations to configure the timers used in centralized MAC address authentication.

Table 1-6 Configure the timers used in centralized MAC address authentication

Operation

Command

Description

Enter system view

system-view

Configure a timer used in centralized MAC address authentication

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }

Optional

The default settings of the timers used in centralized MAC address authentication are as follows:

l      Offline detect timer: 300 seconds

l      Quiet timer: 60 seconds

l      Server timeout timer: 100 seconds

 

1.3  Displaying and Debugging Centralized MAC Address Authentication

After the above configuration, you can execute the display command in any view to display system running of centralized MAC address authentication configuration, and to verify the effect of the configuration. You can execute the reset command in user view to clear the statistics of centralized MAC address authentication.

Table 1-7 Display and debug centralized MAC address authentication

Operation

Command

Description

Display global or port information about centralized MAC address authentication

display mac-authentication [ interface interface-list ]

This command can be executed in any view.

Clear the statistics of global or port centralized MAC address authentication

reset mac-authentication statistics [ interface interface-type interface-number ]

This command is executed in user view

 

1.4  Centralized MAC Address Authentication Configuration Example

 

&  Note:

Centralized MAC address authentication configuration is similar to that of 802.1x. In this example, the differences between the two lie in:

l      Centralized MAC address authentication needs to be enabled both globally and for a port.

l      In MAC address mode, MAC address of locally authenticated user is used as both user name and password.

l      In MAC address mode, MAC address of user authenticated by RADIUS server need to be configured as both user name and password on the RADIUS server.

 

The following section describes how to enable centralized MAC address authentication globally and for a port, and how to configure a local user. For other related configuration, refer to the configuration examples in “802.1x” Configuration.

# Enable centralized MAC address authentication for Ethernet 1/0/2 port.

<H3C> system-view

[H3C] mac-authentication interface Ethernet 1/0/2

# Configure centralized MAC address authentication mode as MAC address mode, and use hyphened MAC addresses as the user names and passwords for authentication.

[H3C] mac-authentication authmode usernameasmacaddress userformat with-hyphen

# Add a local user.

l           Configure the user name and password.

[H3C] local-user 00-e0-fc-01-01-01

[H3C-luser-00-e0-fc-01-01-01] password simple 00-e0-fc-01-01-01

l           Set service type of the local user to lan-access.

[H3C-luser-00-e0-fc-01-01-01] service-type lan-access

# Enable centralized MAC address authentication globally.

[H3C-luser-00-e0-fc-01-01-01] quit

[H3C] mac-authentication

# Configure the domain name for centralized MAC address authentication users as aabbcc163.net.

[H3C] mac-authentication domain aabbcc163.net

For domain-related configuration, refer to the “802.1x” Configuration Example part of this manual.