10-Security Configuration Examples

01-S12500_MAC_Authentication_Configuration_Examples

Introduction

This document provides examples for configuring local MAC authentication and RADIUS-based MAC authentication.

Prerequisites

The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

This document assumes that you have basic knowledge of H3C MAC authentication.

Example: Configuring local MAC authentication

Network requirements

As shown in Figure 1, configure local MAC authentication on GigabitEthernet 2/0/1 to allow only Host A to access the network.

Configure the switch to detect whether a user has gone offline every 180 seconds.

Set the quiet timer to 150 seconds. If a user fails MAC authentication, the switch does not attempt to authenticate that user again for 150 seconds.

Figure 1 Network diagram (image not included in this text)

Requirements analysis

To make the switch authenticate each user separately, you must configure the switch to use MAC-based accounts to authenticate users.

To allow only Host A to access the network, you must add a local user and set both the username and password as Host A's MAC address.

Software version used

This configuration example was created and verified on S12500-CMW520-R1825P01.

Configuration restrictions and guidelines

When you configure local MAC authentication, follow these restrictions and guidelines:

·     MAC authentication configuration takes effect on an interface only after you enable it globally and on the interface.

·     Enable MAC authentication globally only after you have configured the MAC-authentication-related parameters. Otherwise, users might fail to pass local MAC authentication.

·     When you create a local user account, make sure the username uses the same format as the one configured by the mac-authentication user-name-format command.

·     By default, Ethernet, VLAN, and aggregate interfaces are shut down. You must use the undo shutdown command to bring them up. This example assumes that all these interfaces are already up.

Configuration procedures

# Assign an IP address to each interface as shown in Figure 1. (Details not shown.)

# Add a local user, set both the username and password as Host A's MAC address 00-00-00-00-00-01, and enable LAN access service for the user.

<Switch> system-view

[Switch] local-user 00-00-00-00-00-01

[Switch-luser-00-00-00-00-00-01] password simple 00-00-00-00-00-01

[Switch-luser-00-00-00-00-00-01] service-type lan-access

[Switch-luser-00-00-00-00-00-01] quit

# Create ISP domain system, and specify that the LAN users in the domain use local authentication.

[Switch] domain system

[Switch-isp-system] authentication lan-access local

[Switch-isp-system] quit

# Specify the ISP domain for MAC authentication.

[Switch] mac-authentication domain system

# Configure MAC authentication to use MAC-based accounts. The MAC address usernames and passwords are hyphenated.

[Switch] mac-authentication user-name-format mac-address with-hyphen

# Set the offline detect timer to 180 seconds and the quiet timer to 150 seconds.

[Switch] mac-authentication timer offline-detect 180

[Switch] mac-authentication timer quiet 150

# Enable MAC authentication globally and on interface GigabitEthernet 2/0/1.

[Switch] mac-authentication

[Switch] mac-authentication interface gigabitethernet 2/0/1
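The local-user step and the user-name-format guideline above stand or fall together: the switch submits the host MAC as both username and password in exactly the configured format (lowercase, hyphenated, per the display output), so an account typed in another spelling never matches. The following script is an added example, not part of the H3C document or of Comware; it normalizes MAC addresses written in any common form into the with-hyphen account name and emits the corresponding local-user blocks for an allow-list. The without-hyphen branch is based on the alternative keyword of the same command in the command reference, not on anything shown on this page.

```python
import re

# Local MAC authentication accounts must match the username format set with
# "mac-authentication user-name-format mac-address with-hyphen": lowercase hex,
# a hyphen every two digits (00-00-00-00-00-01). This helper accepts the common
# spellings an operator might paste and emits the exact form the switch compares.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str, with_hyphen: bool = True) -> str:
    """Return the MAC as a MAC-based account name: lowercase, hyphenated per octet
    (or 12 bare hex digits for the without-hyphen format, assumed from the command reference)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if not with_hyphen:
        return digits
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def local_mac_user_config(allowed_macs, with_hyphen: bool = True) -> list:
    """Emit the local-user block for every MAC in an allow-list, mirroring the
    example's local-user / password simple / service-type lan-access steps.
    Username and password are both the normalized MAC, which is what the switch
    submits for a MAC-based account."""
    lines, seen = [], set()
    for mac in allowed_macs:
        name = normalize_mac(mac, with_hyphen)
        if name in seen:          # same host written two ways: configure it once
            continue
        seen.add(name)
        lines += [
            f"local-user {name}",
            f" password simple {name}",
            " service-type lan-access",
            " quit",
        ]
    return lines


def is_allowed(display_mac: str, allowed_macs) -> bool:
    """Check a MAC as printed by display mac-authentication (0000-0000-0001)
    against the allow-list, regardless of how either side was written."""
    target = normalize_mac(display_mac)
    return any(normalize_mac(m) == target for m in allowed_macs)


if __name__ == "__main__":
    # Constructed allow-list: Host A from the example, written two different ways.
    hosts = ["0000-0000-0001", "00:00:00:00:00:01"]
    print("\n".join(local_mac_user_config(hosts)))
    print(is_allowed("0000-0000-0002", hosts))   # Host B: not in the list
```

Generating the accounts from one normalizer removes the most common cause of a "valid" host landing in the silent MAC table: an account whose spelling differs from what the switch submits.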

Verifying the configuration

# Display MAC authentication configuration on GigabitEthernet 2/0/1.

<Switch> display mac-authentication interface GigabitEthernet 2/0/1

MAC address authentication is enabled.

User name format is MAC address in lowercase,like xx-xx-xx-xx-xx-xx

 Fixed username:mac

 Fixed password:not configured

          Offline detect period is 180s

          Quiet period is 150s.

          Server response timeout value is 100s

          The max allowed user number is 4096 per slot

          Current user number amounts to 1

          Current domain is system

Silent Mac User info:

         MAC ADDR               From Port                    Port Index

         0000-0000-0002         GigabitEthernet2/0/1         17825792

Gigabitethernet2/0/1 is link-up

  MAC address authentication is enabled

Authenticate success: 1, failed: 1

 Max number of on-line users is 256

  Current online user number is 1

    MAC ADDR         Authenticate state           AuthIndex

    0000-0000-0001   MAC_AUTHENTICATOR_SUCCESS    29

The user (Host B, in this example) who fails MAC authentication cannot access the IP network. The device marks the user's MAC address as a silent MAC address, and it does not re-authenticate the user before the quiet timer expires.

Configuration files

#

 version 5.20, Alpha 1131

#

 sysname Switch

#

 domain default enable system

#

 mac-authentication

 mac-authentication timer offline-detect 180

 mac-authentication timer quiet 150

 mac-authentication domain system

 mac-authentication user-name-format mac-address with-hyphen

#

vlan 1

#

vlan 2

#

domain system

 authentication lan-access local

 access-limit disable

 state active

 idle-cut disable

 self-service-url disable

domain system

 access-limit disable

 state active

 idle-cut disable

 self-service-url disable

#

user-group system

#

local-user 00-00-00-00-00-01

 password cipher $c$3$B5AqpVzewsjXns+Kci+FUXB+JfzPC+rNLydh/kqFKSWBe6E/

 service-type lan-access

#

interface NULL0

#

interface Vlan-interface1

 ip address 192.168.0.1 255.255.255.0

#

interface Vlan-interface2

 ip address 192.168.1.1 255.255.255.0

#

interface GigabitEthernet2/0/1

 mac-authentication

#

interface GigabitEthernet2/0/48

 port access vlan 2

#

Example: Configuring RADIUS-based MAC authentication

Network requirements

As shown in Figure 2, the hosts are in a secure network and connected to GigabitEthernet 2/0/1 of the switch (the access device).

Configure the switch to use the RADIUS server to perform MAC authentication.

Configure the switch to detect whether a user has gone offline every 180 seconds.

Set the quiet timer to 150 seconds. If a user fails MAC authentication, the switch does not attempt to authenticate that user again for 150 seconds.

Figure 2 Network diagram (image not included in this text)

Requirements analysis

To authenticate users in a secure network, you can configure the switch to use a fixed account for all users to perform MAC authentication.

To make users pass MAC authentication on the RADIUS server, you must create the fixed user account on the RADIUS server and set its password the same as the one on the switch.

To make the switch perform RADIUS-based MAC authentication, you must configure a RADIUS scheme and apply the RADIUS scheme to the ISP domain for MAC authentication.

Software version used

This configuration example was created and verified on S12500-CMW520-R1825P01.

Configuration restrictions and guidelines

When you configure RADIUS-based MAC authentication, follow these restrictions and guidelines:

·     MAC authentication configuration takes effect on an interface only after you enable it globally and on the interface.

·     Enable MAC authentication globally only after you have configured the MAC-authentication-related parameters. Otherwise, users might fail to pass MAC authentication.

·     By default, Ethernet, VLAN, and aggregate interfaces are shut down. You must use the undo shutdown command to bring them up. This example assumes that all these interfaces are already up.

Configuration procedures

Configuring the RADIUS server

# Create user account user1 on the RADIUS server, and set the password to 123456. (Details not shown.)

# Assign an IP address to the RADIUS server as shown in Figure 2.

For more information about configuring the RADIUS server, see H3C S12500 Routing Switch Series Security Configuration Guide.

Configuring the switch

# Assign an IP address to each interface as shown in Figure 2. (Details not shown.)

# Create RADIUS scheme radius. Specify the RADIUS server at 192.168.1.2 as the primary server for authentication, authorization, and accounting. Set the shared keys of authentication and accounting to test.

<Switch> system-view

[Switch] radius scheme radius

[Switch-radius-radius] primary authentication 192.168.1.2 1812

[Switch-radius-radius] primary accounting 192.168.1.2 1813

[Switch-radius-radius] key authentication test

[Switch-radius-radius] key accounting test

[Switch-radius-radius] quit

# Create ISP domain system, and specify the domain to use the RADIUS scheme for authentication, authorization, and accounting of all LAN access users.

[Switch] domain system

[Switch-isp-system] authentication default radius-scheme radius

[Switch-isp-system] authorization default radius-scheme radius

[Switch-isp-system] accounting default radius-scheme radius

[Switch-isp-system] quit

# Set the offline detect timer to 180 seconds and the quiet timer to 150 seconds.

[Switch] mac-authentication timer offline-detect 180

[Switch] mac-authentication timer quiet 150

# Specify the ISP domain for MAC authentication.

[Switch] mac-authentication domain system

# Specify username user1 and password 123456 in plain text for the account shared by MAC authentication users.

[Switch] mac-authentication user-name-format fixed account user1 password simple 123456

# Enable MAC authentication globally and on interface GigabitEthernet 2/0/1.

[Switch] mac-authentication

[Switch] mac-authentication interface gigabitethernet 2/0/1
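The RADIUS scheme above gives the switch a server, UDP ports 1812/1813 and a shared key; the fixed account gives it a username and password to send for every host. The script below is an added example, not H3C code, showing what that exchange looks like on the wire per RFC 2865: the User-Password attribute is hidden with MD5 keyed by the shared key and the Request Authenticator, and the Access-Accept carries a Response Authenticator that the client must verify with the same key before trusting it. It assumes PAP (a User-Password attribute) and that the host MAC travels as Calling-Station-Id in the hyphenated form; the attribute set and packet identifiers are constructed, not captured from a switch. The shared key is the only thing protecting the password and authenticating the reply, which is why the lab value test should not survive into a production RADIUS scheme.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, CALLING_STATION_ID = 1, 2, 31   # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then c(i) = p(i) XOR MD5(secret + c(i-1))
    with c(0) = Request Authenticator. Only the shared key protects the password."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server does it before checking user1's password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_request(ident, secret, username, password, calling_mac, request_auth=None):
    """What the switch sends to the authentication server for one host: the fixed
    account plus the host MAC as Calling-Station-Id (attribute layout assumed; PAP assumed)."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(CALLING_STATION_ID, calling_mac))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Constructed server reply. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """The check the switch makes before trusting an Accept: same ID as its request and a
    Response Authenticator computed with the shared key over its Request Authenticator."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"test"                                  # shared key from the example
    req = build_access_request(1, secret, b"user1", b"123456", b"00-00-00-00-00-01")
    print(len(req), "byte Access-Request; hidden password =", parse_attrs(req)[USER_PASSWORD].hex())
    print("Accept verified:", verify_response(req, build_access_accept(req, secret), secret))
    print("Accept with other key:", verify_response(req, build_access_accept(req, b"other"), secret))
```

A reply built with a different key, or one whose identifier does not match the outstanding request, fails verify_response, which is the behaviour a switch relies on to ignore forged or stale Accepts.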

Verifying the configuration

# Display MAC authentication configuration on GigabitEthernet 2/0/1.

<Switch> display mac-authentication interface GigabitEthernet 2/0/1

MAC address authentication is enabled.

User name format is fixed account

 Fixed username:user1

 Fixed password:******

          Offline detect period is 180s

          Quiet period is 150s.

          Server response timeout value is 100s

          The max allowed user number is 4096 per slot

          Current user number amounts to 1

          Current domain is system

Silent Mac User info:

         MAC ADDR               From Port           Port Index

Gigabitethernet2/0/1 is link-up

  MAC address authentication is enabled

  Authenticate success: 2, failed: 0

  Current online user number is 2

    MAC ADDR         Authenticate state           AuthIndex

    0000-0000-0001   MAC_AUTHENTICATOR_SUCCESS     29

    0000-0000-0002   MAC_AUTHENTICATOR_SUCCESS     12

The user who fails MAC authentication cannot access the IP network. The device marks the user's MAC address as a silent MAC address, and it does not re-authenticate the user before the quiet timer expires.
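Both verification sections read the same display mac-authentication interface output: timers, domain, a silent MAC table for hosts in the quiet state, and an online user table. The parser below is an added example, not H3C code, that turns that text into structured data and runs the checks an operator would want after applying either example: timers still at the intended values, which MACs are silent (they failed authentication and are waiting out the quiet timer), and whether any online MAC falls outside an allow-list. The sample text is constructed from the local MAC authentication output above, where Host A is online and Host B is silent; the RADIUS example's output has the same layout with an empty silent table.

```python
import re

# Constructed sample: the display mac-authentication interface output from the local
# MAC authentication example (Host A online, Host B silent after a failed attempt).
SAMPLE = """\
MAC address authentication is enabled.
User name format is MAC address in lowercase,like xx-xx-xx-xx-xx-xx
 Fixed username:mac
 Fixed password:not configured
          Offline detect period is 180s
          Quiet period is 150s.
          Server response timeout value is 100s
          The max allowed user number is 4096 per slot
          Current user number amounts to 1
          Current domain is system
Silent Mac User info:
         MAC ADDR               From Port                    Port Index
         0000-0000-0002         GigabitEthernet2/0/1         17825792
Gigabitethernet2/0/1 is link-up
  MAC address authentication is enabled
Authenticate success: 1, failed: 1
 Max number of on-line users is 256
  Current online user number is 1
    MAC ADDR         Authenticate state           AuthIndex
    0000-0000-0001   MAC_AUTHENTICATOR_SUCCESS    29
"""

MAC_ROW = r"([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+(\S+)\s+(\d+)$"


def parse_mac_auth_display(text: str) -> dict:
    """Pull the timers, domain, counters, silent MACs and online users out of the
    display output. Table rows are recognised by their MAC address column, so
    header and link-state lines between the tables are ignored."""
    r = {"offline_detect": None, "quiet": None, "domain": None,
         "success": None, "failed": None, "silent": [], "online": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Offline detect period is (\d+)s", line):
            r["offline_detect"] = int(m.group(1))
        elif m := re.match(r"Quiet period is (\d+)s", line):
            r["quiet"] = int(m.group(1))
        elif m := re.match(r"Current domain is (\S+)", line):
            r["domain"] = m.group(1)
        elif m := re.match(r"Authenticate success: (\d+), failed: (\d+)", line):
            r["success"], r["failed"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("Silent Mac User info"):
            section = "silent"
        elif line.startswith("MAC ADDR") and "Authenticate state" in line:
            section = "online"
        elif section and (m := re.match(MAC_ROW, line)):
            if section == "silent":
                r["silent"].append({"mac": m.group(1).lower(), "port": m.group(2)})
            else:
                r["online"].append({"mac": m.group(1).lower(), "state": m.group(2)})
    return r


def _hex12(mac: str) -> str:
    """Bare lowercase hex digits, so 00-00-00-00-00-01 and 0000-0000-0001 compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()


def audit(parsed: dict, allowed_macs, quiet: int = 150, offline_detect: int = 180) -> list:
    """Findings an operator would want from one interface: timers drifted from the
    intended values, MACs in the quiet state (they failed authentication), online
    MACs outside the allow-list, and a non-zero failure counter."""
    allowed = {_hex12(m) for m in allowed_macs}
    findings = []
    if parsed["quiet"] != quiet:
        findings.append(f"quiet timer is {parsed['quiet']}s, expected {quiet}s")
    if parsed["offline_detect"] != offline_detect:
        findings.append(f"offline detect timer is {parsed['offline_detect']}s, expected {offline_detect}s")
    for e in parsed["silent"]:
        findings.append(f"silent MAC {e['mac']} on {e['port']} (failed authentication, quiet timer running)")
    for e in parsed["online"]:
        if _hex12(e["mac"]) not in allowed:
            findings.append(f"online MAC {e['mac']} is not in the allow-list")
    if parsed["failed"]:
        findings.append(f"{parsed['failed']} failed authentication(s) counted on this interface")
    return findings


if __name__ == "__main__":
    p = parse_mac_auth_display(SAMPLE)
    for f in audit(p, ["00-00-00-00-00-01"]):
        print(f)
```

Run periodically (or fed from a collector), the audit gives a simple signal for an unexpected device on a MAC-authenticated port: a MAC that keeps appearing in the silent table or an online MAC that the allow-list does not know.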

Configuration files

#

 domain default enable system

#

 mac-authentication

 mac-authentication timer offline-detect 180

 mac-authentication timer quiet 150

 mac-authentication domain system

 mac-authentication user-name-format fixed account user1 password cipher $c$3$q37lwI6B/6UMNW/yVGqa6/ukn/hKqneWcw==

#

vlan 1

#

vlan 2 to 3

#

radius scheme radius

 primary authentication 192.168.1.2

 primary accounting 192.168.1.2

 key authentication cipher $c$3$3oFEnry630XO+RgRYPaZs+MB8ivPXXs=

 key accounting cipher $c$3$2NXaog9PUyIfteq5wrKAJay6nyv4VDE=

 user-name-format without-domain

#

domain system

 authentication default radius-scheme radius

 authorization default radius-scheme radius

 accounting default radius-scheme radius

 access-limit disable

 state active

 idle-cut disable

 self-service-url disable

domain system

 access-limit disable

 state active

 idle-cut disable

 self-service-url disable

#

user-group system

#

interface NULL0

#

interface Vlan-interface1

 ip address 192.168.0.1 255.255.255.0

#

interface Vlan-interface2

 ip address 192.168.1.1 255.255.255.0

#

interface Vlan-interface3

 ip address 192.168.2.1 255.255.255.0

#

interface GigabitEthernet2/0/1

 mac-authentication

#

interface GigabitEthernet2/0/25

 port access vlan 2

#

interface GigabitEthernet2/0/48

 port access vlan 3

#

Related documentation

·     H3C S12500 Routing Switch Series Security Configuration Guide

·     H3C S12500 Routing Switch Series Security Command Reference
