Contents

Configuring MAC authentication· 1

About MAC authentication· 1

User account policies· 1

Authentication methods· 2

VLAN assignment 2

VSI manipulation· 6

ACL assignment 8

Redirect URL assignment 9

Blackhole MAC attribute assignment 9

Periodic MAC reauthentication· 9

Restrictions and guidelines: MAC authentication configuration· 10

MAC authentication tasks at a glance· 11

Prerequisites for MAC authentication· 12

Enabling MAC authentication· 12

Specifying a MAC authentication method· 12

Specifying a MAC authentication domain· 13

Configuring the user account format 13

Configuring MAC authentication timers· 14

Configuring periodic MAC reauthentication· 14

Configuring a MAC authentication guest VLAN·· 15

Configuring a MAC authentication critical VLAN·· 16

Enabling the MAC authentication critical voice VLAN feature· 17

Configuring a MAC authentication guest VSI 18

Configuring a MAC authentication critical VSI 18

Configuring user aging for unauthenticated MAC authentication users· 19

Configuring MAC authentication offline detection· 20

Enabling online user synchronization for MAC authentication· 21

Setting the maximum number of concurrent MAC authentication users on a port 22

Enabling MAC authentication multi-VLAN mode on a port 22

Configuring MAC authentication delay· 23

Including user IP addresses in MAC authentication requests· 23

Enabling parallel processing of MAC authentication and 802.1X authentication· 24

Logging off MAC authentication users· 25

Enabling MAC authentication user logging· 26

Display and maintenance commands for MAC authentication· 26

MAC authentication configuration examples· 27

Example: Configuring local MAC authentication· 27

Example: Configuring RADIUS-based MAC authentication· 30

Example: Configuring ACL assignment for MAC authentication· 32

Example: Configuring MAC authentication authorization VSI assignment 35

 

Configuring MAC authentication

About MAC authentication

MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port. If the MAC address passes authentication, the user can access authorized network resources. If the authentication fails, the device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from the MAC address within the quiet time. The quiet mechanism avoids repeated authentication during a short time.

User account policies

MAC authentication supports the following user account policies:

·     One MAC-based user account for each user. As shown in Figure 1, the access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication. You can also configure a password for all MAC authentication users. This policy is suitable for an insecure environment.

·     One shared user account for all users. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication users on the access device. This policy is suitable for a secure environment. See Figure 2.

Figure 1 MAC-based user account policy

 

Figure 2 Shared user account policy

 

Authentication methods

You can perform MAC authentication on the access device (local authentication) or through a RADIUS server.

For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."

RADIUS authentication

If MAC-based accounts are used, the access device sends the source MAC address of a packet as the username and password to the RADIUS server for authentication. If a password is configured for MAC-based accounts, the access device sends the configured password as the password to the RADIUS server.

If a shared account is used, the access device sends the shared account username and password to the RADIUS server for authentication.

The access device and the RADIUS server use Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) for communication.

Local authentication

If MAC-based accounts are used, the access device uses the source MAC address of a packet as the username and password to search the local account database for a match. If a password is configured for MAC-based accounts, the device uses the configured password to search the local account database for a match.

If a shared account is used, the access device uses the shared account username and password to search the local account database for a match.

VLAN assignment

Authorization VLAN

The authorization VLAN controls the access of a MAC authentication user to authorized network resources. The device supports authorization VLANs assigned locally or by a remote server.

 

IMPORTANT: Only remote servers can assign tagged authorization VLANs.

‌

Remote VLAN authorization

In remote VLAN authorization, you must configure the authorization VLAN for a user on the remote server. After the user authenticates to the server, the server assigns authorization VLAN information to the device. Then, the device assigns the user access port to the authorization VLAN as a tagged or untagged member.

The device supports assignment of the following authorization VLAN information by the remote server:

·     VLAN ID.

·     VLAN name, which must be the same as the VLAN description on the access device.

·     A string of VLAN IDs and VLAN names.

In the string, some VLANs are represented by their IDs, and some VLANs are represented by their names.

·     VLAN group name.

For more information about VLAN groups, see Layer 2—LAN Switching Configuration Guide.

·     VLAN ID with a suffix of t or u.

The t and u suffixes require the device to assign the access port to the VLAN as a tagged or untagged member, respectively. For example, 2u indicates assigning the port to VLAN 2 as an untagged member.

If a VLAN name or VLAN group name is assigned, the device converts the information into a VLAN ID before VLAN assignment.

 

IMPORTANT: For a VLAN represented by its VLAN name to be assigned successfully, you must make sure the VLAN has been created on the device. To assign VLAN IDs with suffixes, make sure the access port is a hybrid or trunk port.

‌

IMPORTANT: To ensure a successful assignment, the authorization VLANs assigned by the remote server cannot be any of the following types: ·     Dynamically learned VLANs. ·     Reserved VLANs. ·     Super VLANs. ·     Private VLANs.

‌

If the server assigns a group of VLANs, the access device selects a VLAN as described in Table 1.

Table 1 Authorization VLAN selection from a group of VLANs

VLAN information	Authorization VLAN selection
VLANs by IDs VLANs by names VLAN group name	The device selects an authorization VLAN from the VLAN group for a user according to the following rules: ·     On a hybrid port with MAC-based VLAN enabled: ¡     If the port does not have online users, the device selects the VLAN with the lowest ID. ¡     If the port has online users, the device selects the VLAN that has the fewest online users. If two VLANs have the same number of online 802.1X users, the device selects the VLAN with the lower ID. ·     On an access, trunk, or MAC-based VLAN disabled hybrid port: ¡     If the port does not have online users, the device selects the VLAN with the lowest ID. ¡     If the port has online users, the device examines the VLAN group for the VLAN of the online users. If the VLAN is found, the VLAN is assigned to the user as the authorization VLAN. If the VLAN is not found, VLAN authorization fails.
VLAN IDs with suffixes	1.     The device selects the leftmost VLAN ID without a suffix, or the leftmost VLAN ID suffixed by u as an untagged VLAN, whichever is more leftmost. 2.     The device assigns the untagged VLAN to the port as the PVID, and it assigns the remaining as tagged VLANs. If no untagged VLAN is assigned, the PVID of the port does not change. The port permits traffic from these tagged and untagged VLANs to pass through. For example, the authentication server sends the string 1u 2t 3 to the access device for a user. The device assigns VLAN 1 as an untagged VLAN and all remaining VLANs (including VLAN 3) as tagged VLANs. VLAN 1 becomes the PVID.

‌

Local VLAN authorization

To perform local VLAN authorization for a user, specify the VLAN ID in the authorization attribute list of the local user account for that user. For each local user, you can specify only one authorization VLAN ID. The port through which the user accesses the device is assigned to the VLAN as an untagged member.

 

IMPORTANT: Local VLAN authorization does not support assignment of tagged VLANs.

‌

For more information about local user configuration, see "Configuring AAA."

Authorization VLAN manipulation for a MAC authentication-enabled port

Table 2 describes the way the network access device handles authorization VLANs (except for the VLANs specified with suffixes) for MAC authenticated users on a port.

Table 2 VLAN manipulation

Port type	VLAN manipulation
·     Access port ·     Trunk port ·     Hybrid port with MAC-based VLAN disabled	·     The device assigns the port to the first authenticated user's authorization VLAN and sets the VLAN as the PVID if that authorization VLAN has the untagged attribute. ·     If the authorization VLAN has the tagged attribute, the device assigns the port to the authorization VLAN without changing its PVID.
Hybrid port with MAC-based VLAN enabled	The device maps the MAC address of each user to its own authorization VLAN regardless of whether the port is a tagged member. The PVID of the port does not change.

 

IMPORTANT: ·     For users attached to an access port, make sure the authorization VLAN assigned by the server has the untagged attribute. VLAN assignment will fail if the server issues a VLAN that has the tagged attribute. ·     When you assign VLANs to users attached to a trunk port or a MAC-based VLAN disabled hybrid port, make sure there is only one untagged VLAN. If a different untagged VLAN is assigned to a subsequent user, the user cannot pass authentication. ·     As a best practice to enhance network security, do not use the port hybrid vlan command to assign a hybrid port to an authorization VLAN as a tagged member.

 

Whether the authorization VLAN of an authenticated user takes effect on the MAC authentication-enabled port depends on the port link type and VLAN tagging mode.

·     If the port is an access or trunk port, the authorization VLAN always takes effect.

·     If the port is a hybrid port, the device compares the VLAN tagging mode assigned by the server with the VLAN tagging mode configured on the port for the authorization VLAN.

¡     If the VLAN tagging modes are the same one (tagged or untagged), the authorization VLAN takes effect.

¡     If the VLAN tagging modes are different, the configuration on the port takes effect instead of the assigned information.

Authorization VLAN assignment does not affect the VLAN configuration on the MAC authentication-enabled port. After the user is logged off, the original VLAN configuration on the port is restored.

For a MAC authenticated user to access the network on a hybrid port when no authorization VLANs are assigned to the user, perform either of the following tasks:

·     If the port receives tagged authentication packets from the user in a VLAN, use the port hybrid vlan command to configure the port as a tagged member in the VLAN.

·     If the port receives untagged authentication packets from the user in a VLAN, use the port hybrid vlan command to configure the port as an untagged member in the VLAN.

Guest VLAN

The MAC authentication guest VLAN on a port accommodates users that have failed MAC authentication for any reason other than server unreachable. For example, the VLAN accommodates users with invalid passwords entered.

You can deploy a limited set of network resources in the MAC authentication guest VLAN. For example, a software server for downloading software and system patches.

A hybrid port is always assigned to a MAC authentication guest VLAN as an untagged member. After the assignment, do not reconfigure the port as a tagged member in the VLAN.

The device reauthenticates users in the MAC authentication guest VLAN at a specific interval. Table 3 shows the way that the network access device handles guest VLANs for MAC authentication users.

Table 3 VLAN manipulation

Authentication status	VLAN manipulation
A user in the MAC authentication guest VLAN fails MAC authentication.	The user is still in the MAC authentication guest VLAN.
A user in the MAC authentication guest VLAN passes MAC authentication.	The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication server, the device remaps the MAC address of the user to the PVID of the port.

 

Critical VLAN

The MAC authentication critical VLAN on a port accommodates users that have failed MAC authentication because no RADIUS authentication servers are reachable. Users in a MAC authentication critical VLAN can access only network resources in the critical VLAN.

The critical VLAN feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is not assigned to the critical VLAN. For more information about the authentication methods, see "Configuring AAA."

Table 4 shows the way that the network access device handles critical VLANs for MAC authentication users.

Table 4 VLAN manipulation

Authentication status	VLAN manipulation
A user fails MAC authentication because all the RADIUS servers are unreachable.	The device maps the MAC address of the user to the MAC authentication critical VLAN. The user is still in the MAC authentication critical VLAN if the user fails MAC reauthentication because all the RADIUS servers are unreachable. If no MAC authentication critical VLAN is configured, the device maps the MAC address of the user to the PVID of the port.
A user in the MAC authentication guest VLAN fails authentication because all the RADIUS servers are unreachable.	The user remains in the MAC authentication guest VLAN.
A user in the MAC authentication critical VLAN fails MAC authentication for any reason other than server unreachable.	If a guest VLAN has been configured, the device maps the MAC address of the user to the guest VLAN. If no guest VLAN is configured, the device maps the MAC address of the user to the PVID of the port.
A user in the MAC authentication critical VLAN passes MAC authentication.	The device remaps the MAC address of the user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the user on the authentication server, the device remaps the MAC address of the user to the PVID of the access port.

 

Critical voice VLAN

The MAC authentication critical voice VLAN on a port accommodates MAC authentication voice users that have failed authentication because none of the RADIUS servers in their ISP domain are reachable.

The critical voice VLAN feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication voice user fails local authentication after RADIUS authentication, the user is not assigned to the critical voice VLAN. For more information about the authentication methods, see "Configuring AAA."

Table 5 shows the way that the network access device handles critical voice VLANs for MAC authentication voice users.

Table 5 VLAN manipulation

Authentication status	VLAN manipulation
A voice user fails MAC authentication because all the RADIUS servers are unreachable.	The device maps the MAC address of the voice user to the MAC authentication critical voice VLAN. The voice user is still in the MAC authentication critical voice VLAN if the voice user fails MAC reauthentication because all the RADIUS servers are unreachable. If no MAC authentication critical voice VLAN is configured, the device maps the MAC address of the voice user to the PVID of the port.
A voice user in the MAC authentication critical voice VLAN fails MAC authentication for any reason other than server unreachable.	If a guest VLAN has been configured, the device maps the MAC address of the voice user to the guest VLAN. If no guest VLAN is configured, the device maps the MAC address of the voice user to the PVID of the port.
A voice user in the MAC authentication critical voice VLAN passes MAC authentication.	The device remaps the MAC address of the voice user to the authorization VLAN assigned by the authentication server. If no authorization VLAN is configured for the voice user on the authentication server, the device remaps the MAC address of the voice user to the PVID of the access port.

 

VSI manipulation

MAC authentication support for VXLANs

As shown in Figure 3, when the device acts as both a VXLAN VTEP and a NAS, users' service information cannot be identified by VLANs. To resolve this issue, you must configure the RADIUS server to assign VSIs to MAC authenticated users. The NAS will map a user's traffic to the VXLAN that is associated with the user's authorization VSI. The mapping criteria include the user's access VLAN, access port, and MAC address.

For information about VSIs and VXLANs, see VXLAN Configuration Guide.

Figure 3 VXLAN network diagram for MAC authentication

 

Authorization VSI

An authorization VSI is associated with a VXLAN that has network resources inaccessible to unauthenticated users.

MAC authentication supports remote VSI authorization. If the VTEP does not receive authorization VSI information for a MAC authentication user from the remote server, the user cannot access resources in any VXLAN after passing authentication. If the VTEP receives authorization VSI information for the user from the remote server, it performs the following operations:

·     Dynamically creates an Ethernet service instance according to the user's access port, VLAN, and MAC address.

·     Maps the Ethernet service instance to the authorization VSI.

The user then can access resources in the VXLAN associated with the authorization VSI.

For information about dynamic creation of Ethernet service instances, see VXLAN configuration Guide.

Guest VSI

The MAC authentication guest VSI on a port accommodates users that have failed MAC authentication for any reason other than server unreachable. For example, the VSI accommodates users with invalid passwords entered.

You can deploy a limited set of network resources in the VXLAN that is associated with the MAC authentication guest VSI. For example, a software server for downloading software and system patches.

Table 6 shows the way that the VTEP handles guest VSIs for MAC authentication users.

Table 6 VSI manipulation

Authentication status	VSI manipulation
A user fails MAC authentication for any reason other than server unreachable.	The VTEP maps the user's MAC address and access VLAN to the MAC authentication guest VSI.
A user in the MAC authentication guest VSI fails MAC authentication for any reason other than server unreachable.	The user is still in the MAC authentication guest VSI.
A user in the MAC authentication guest VSI passes MAC authentication.	The VTEP remaps the user's MAC address and access VLAN to the authorization VSI assigned by the authentication server.

 

Critical VSI

The MAC authentication critical VSI on a port accommodates users that have failed MAC authentication because no RADIUS authentication servers are reachable. Users in a MAC authentication critical VSI can access only network resources in the VXLAN associated with this VSI.

The critical VSI feature takes effect when MAC authentication is performed only through RADIUS servers. If a MAC authentication user fails local authentication after RADIUS authentication, the user is not assigned to the critical VSI. For more information about the authentication methods, see "Configuring AAA."

Table 7 shows the way that the VTEP handles critical VSIs for MAC authentication users.

Table 7 VSI manipulation

Authentication status	VSI manipulation
A user fails MAC authentication because all the RADIUS servers are unreachable.	The VTEP maps the user's MAC address and access VLAN to the MAC authentication critical VSI. The user is still in the MAC authentication critical VSI if the user fails MAC reauthentication because all the RADIUS servers are unreachable. If no MAC authentication critical VSI is configured, the device logs off the user.
A user in the MAC authentication critical VSI fails MAC authentication for any reason other than server unreachable.	If a guest VSI has been configured, the VTEP maps the user's MAC address and access VLAN to the guest VSI. If no guest VSI is configured, the VTEP logs off the user.
A user in the MAC authentication guest VSI fails authentication because all the RADIUS servers are unreachable.	The user remains in the MAC authentication guest VSI.
A user in the MAC authentication critical VSI passes MAC authentication.	The VTEP remaps the user's MAC address and access VLAN to the authorization VSI assigned by the authentication server.

 

ACL assignment

You can specify an authorization ACL in the user account for a MAC authentication user on the authentication server to control the user's access to network resources. After the user passes MAC authentication, the authentication server (local or remote) assigns the authorization ACL to the access port of the user. The ACL will filter traffic for this user by permitting or denying matching traffic. You must configure ACL rules for the authorization ACL on the access device for the ACL assignment feature.

To change the access control criteria for the user, you can use one of the following methods:

·     Modify ACL rules on the access device.

·     Specify another authorization ACL on the authentication server.

The supported authorization ACLs include the following types:

·     Basic ACLs, which are numbered in the range of 2000 to 2999.

·     Advanced ACLs, which are numbered in the range of 3000 to 3999.

·     Layer 2 ACLs, which are numbered in the range of 4000 to 4999.

For an authorization ACL to take effect, the following requirements must be met:

·     The ACL exists with rules.

·     The rules contain only match criteria that are specified by using the dscp, source, destination, type, source-port, and destination-port keywords.

·     If the source-port or destination-port criterion exists, make sure only one source port or one destination port is specified.

For more information about ACLs, see ACL and QoS Configuration Guide.

Redirect URL assignment

The device supports the URL attribute assigned by a RADIUS server. During MAC authentication, the HTTP requests of a user are redirected to the Web interface specified by the server-assigned URL attribute. After the user passes the Web authentication, the RADIUS server records the MAC address of the user and uses a DM (Disconnect Message) to log off the user. When the user initiates MAC authentication again, it will pass the authentication and come online successfully.

Blackhole MAC attribute assignment

The device supports the blackhole MAC attribute assigned by the RADIUS authentication server through CoA messages for users that have passed MAC authentication. Upon receiving a CoA message that contains the blackhole MAC attribute for a user that has passed MAC authentication, the device performs the following operations:

1.     Logs off the user.

2.     Marks the MAC address of the user as a silent MAC address and starts a quiet timer for the MAC address.

The quiet timer is 10 minutes and is not user configurable. The device drops all packets from the MAC address after the quiet timer starts, and it will not authenticate the MAC address until the quiet timer expires.

To display silent MAC addresses, use the display mac-authentication command.

Periodic MAC reauthentication

Periodic MAC reauthentication tracks the connection status of online users, and updates the authorization attributes assigned by the RADIUS server. The attributes include the ACL and VLAN.

The device reauthenticates online MAC authentication users at the periodic reauthentication interval when the periodic MAC reauthentication feature is enabled. The interval is controlled by a timer and the timer is user configurable. A change to the periodic reauthentication timer applies to online MAC authentication users only after the old timer expires and the MAC authentication users pass authentication.

The server-assigned RADIUS Session-Timeout (attribute 27) and Termination-Action (attribute 29) attributes together can affect the periodic MAC reauthentication feature. To display the server-assigned Session-Timeout and Termination-Action attributes, use the display mac-authentication connection command.

·     If the termination action is to log off users, periodic MAC reauthentication takes effect only when the periodic reauthentication timer is shorter than the session timeout timer. If the session timeout timer is shorter, the device logs off online authenticated users when the session timeout timer expires.

·     If the termination action is to reauthenticate users, the periodic MAC reauthentication configuration on the device cannot take effect. The device reauthenticates online MAC authentication users after the server-assigned session timeout timer expires.

If no session timeout timer is assigned by the server, whether the device performs periodic MAC reauthentication depends on the periodic MAC reauthentication configuration on the device. Support for the assignment of Session-Timeout and Termination-Action attributes depends on the server model.

With the RADIUS DAS feature enabled, the device immediately reauthenticates a user upon receiving a CoA message that carries the reauthentication attribute from a RADIUS authentication server. In this case, reauthentication will be performed regardless of whether periodic MAC reauthentication is enabled on the device. For more information about RADIUS DAS configuration, see "Configuring AAA."

By default, the device logs off online MAC authentication users if no server is reachable for MAC reauthentication. The keep-online feature keeps authenticated MAC authentication users online when no server is reachable for MAC reauthentication.

The VLANs assigned to an online user before and after reauthentication can be the same or different.

Restrictions and guidelines: MAC authentication configuration

When you configure MAC authentication VLANs or VSIs, follow these restrictions and guidelines:

·     If the authentication server assigns both an authorization VSI and authorization VLAN to a user, the device uses only the authorization VLAN.

·     On a port, the guest VLAN and critical VLAN settings are mutually exclusive with the guest VSI and critical VSI settings.

·     To ensure a successful authentication, you must configure the authentication server to assign authorization VLANs or VSIs to the MAC authentication users attached to a port in the following situations:

¡     If the MAC authentication-enabled port is configured with the guest VLAN or critical VLAN, configure the authentication server to assign authorization VLANs to MAC authentication users.

¡     If the MAC authentication-enabled port is configured with the guest VSI or critical VSI, configure the authentication server to assign authorization VSIs to MAC authentication users.

¡     If both 802.1X and MAC authentication are configured on the port, be careful with the VSI settings of the two authentication features.

-     You must configure VSI authorization for the MAC authentication users if the port has an Auth-Fail, guest, or critical VSI for 802.1X authentication.

-     Likewise, you must configure VSI authorization for the 802.1X users if the port has a guest or critical VSI for MAC authentication.

·     Do not change the link type of a port when the MAC authentication guest VLAN or critical VLAN on the port has users.

When you configure MAC authentication on an interface, follow these restrictions and guidelines:

·     MAC authentication is supported only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.

·     When you add a Layer 2 Ethernet interface to an aggregation group, its existing MAC authentication settings are automatically removed. After a Layer 2 Ethernet interface is added to an aggregation group, you cannot configure MAC authentication on it.

·     Do not delete a Layer 2 aggregate interface if the interface has online MAC authentication users.

MAC authentication is mutually exclusive with service loopback groups.

·     You cannot enable MAC authentication on a port already in a service loopback group.

·     You cannot add a MAC authentication-enabled port to a service loopback group.

If the MAC address that has failed authentication is a static MAC address or a MAC address that has passed any security authentication, the device does not mark the MAC address as a silent address.

MAC authentication tasks at a glance

To configure MAC authentication, perform the following tasks:

1.     Enabling MAC authentication

2.     Configure basic MAC authentication features

¡     Specifying a MAC authentication method

¡     Specifying a MAC authentication domain

¡     Configuring the user account format

¡     (Optional.) Configuring MAC authentication timers

¡     (Optional.) Configuring periodic MAC reauthentication

3.     (Optional.) Configuring MAC authentication VLAN assignment

¡     Configuring a MAC authentication guest VLAN

¡     Configuring a MAC authentication critical VLAN

¡     Enabling the MAC authentication critical voice VLAN feature

4.     (Optional.) Configuring MAC authentication VSI assignment

¡     Configuring a MAC authentication guest VSI

¡     Configuring a MAC authentication critical VSI

5.     (Optional.) Configuring other MAC authentication features

¡     Configuring user aging for unauthenticated MAC authentication users

¡     Configuring MAC authentication offline detection

¡     Enabling online user synchronization for MAC authentication

¡     Setting the maximum number of concurrent MAC authentication users on a port

¡     Enabling MAC authentication multi-VLAN mode on a port

Perform this task to not reauthenticate online users when VLAN changes occur on a port.

¡     Configuring MAC authentication delay

¡     Including user IP addresses in MAC authentication requests

¡     Enabling parallel processing of MAC authentication and 802.1X authentication

¡     Logging off MAC authentication users

¡     Enabling MAC authentication user logging

Prerequisites for MAC authentication

Before you configure MAC authentication, complete the following tasks:

1.     Make sure the port security feature is disabled. For more information about port security, see "Configuring port security."

2.     Configure an ISP domain and specify an AAA method. For more information, see "Configuring AAA."

¡     For local authentication, you must also create local user accounts (including usernames and passwords) and specify the lan-access service for local users.

¡     For RADIUS authentication, make sure the device and the RADIUS server can reach each other and create user accounts on the RADIUS server. If you are using MAC-based accounts, make sure the username and password for each account are the same as the MAC address of each MAC authentication user.

Enabling MAC authentication

Restrictions and guidelines

For MAC authentication to take effect on a port, you must enable this feature globally and on the port.

The following MAC authentication enabling operations cannnot take effect if you perform them when the device has run out of ACL resources:

·     Enable MAC authentication on a Layer 2 Ethernet interface or Layer 2 aggregate interface.

·     Enable MAC authentication globally.

Procedure

1.     Enter system view.

system-view

2.     Enable MAC authentication globally.

mac-authentication

By default, MAC authentication is disabled globally.

3.     Enter interface view.

interface interface-type interface-number

4.     Enable MAC authentication on the port.

mac-authentication

By default, MAC authentication is disabled on a port.

Specifying a MAC authentication method

About MAC authentication methods

RADIUS-based MAC authentication supports the following authentication methods:

·     PAP—Transports usernames and passwords in plain text. The authentication method applies to scenarios that do not require high security.

·     CHAP—Transports usernames in plain text and passwords in encrypted form over the network. CHAP is more secure than PAP.

Restrictions and guidelines

The device must use the same authentication method as the RADIUS server.

Procedure

1.     Enter system view.

system-view

2.     Specify an authentication method for MAC authentication.

mac-authentication authentication-method { chap | pap }

By default, the device uses PAP for MAC authentication.

Specifying a MAC authentication domain

About authentication domains for MAC authentication

By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can use one of the following methods to specify authentication domains for MAC authentication users:

·     Specify a global authentication domain in system view. This domain setting applies to all ports enabled with MAC authentication.

·     Specify an authentication domain for an individual port in interface view.

MAC authentication chooses an authentication domain for users on a port in this order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see "Configuring AAA."

Procedure

1.     Enter system view.

system-view

2.     Specify an authentication domain for MAC authentication users.

¡     In system view:

mac-authentication domain domain-name

¡     In interface view:

interface interface-type interface-number

mac-authentication domain domain-name

By default, the system default authentication domain is used for MAC authentication users.

Configuring the user account format

1.     Enter system view.

system-view

2.     Configure the MAC authentication user account format.

¡     Use one MAC-based user account for each user.

mac-authentication user-name-format mac-address [ { with-hyphen | without-hyphen } [ lowercase | uppercase ] ] [ password { cipher | simple } string ]

¡     Use one shared user account for all users.

mac-authentication user-name-format fixed [ account name ] [ password { cipher | simple } string ]

By default, the device uses the MAC address of a user as the username and password for MAC authentication. The MAC address is in the hexadecimal notation without hyphens, and letters are in lower case.

Configuring MAC authentication timers

About MAC authentication timers

MAC authentication uses the following timers:

·     Offline detect timer—Sets the interval that the device must wait for traffic from a user before the device determines that the user is idle. If the device has not received traffic from a user before the timer expires, the device logs off that user and requests the accounting server to stop accounting for the user. This timer takes effect only when the MAC authentication offline detection feature is enabled.

·     Quiet timer—Sets the interval that the device must wait before the device can perform MAC authentication for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.

·     Server timeout timer—Sets the interval that the device waits for a response from a RADIUS server before the device determines that the RADIUS server is unavailable. If the timer expires during MAC authentication, the user fails MAC authentication.

Restrictions and guidelines

To avoid forced logoff before the server timeout timer expires, set the server timeout timer to a value that is lower than or equal to the product of the following values:

·     The maximum number of RADIUS packet transmission attempts set by using the retry command in RADIUS scheme view.

·     The RADIUS server response timeout timer set by using the timer response-timeout command in RADIUS scheme view.

For information about setting the maximum number of RADIUS packet transmission attempts and the RADIUS server response timeout timer, see "Configuring AAA."

Procedure

1.     Enter system view.

system-view

2.     Configure MAC authentication timers.

mac-authentication timer { offline-detect offline-detect-value | quiet quiet-value | server-timeout server-timeout-value }

By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds.

Configuring periodic MAC reauthentication

Restrictions and guidelines

The device selects a periodic reauthentication timer for MAC reauthentication in the following order:

1.     Server-assigned reauthentication timer.

2.     Port-specific reauthentication timer.

3.     Global reauthentication timer.

4.     Default reauthentication timer.

Modification to the MAC authentication domain, MAC authentication method, or user account format setting does not affect the reauthentication of online MAC authentication users. The modified setting takes effect only on MAC authentication users that come online after the modification.

If periodic reauthentication is triggered for a user while that user is waiting for online synchronization, the system performs online synchronization and does not perform reauthentication for the user.

Procedure

1.     Enter system view.

system-view

2.     Set the periodic MAC reauthentication timer.

¡     Set a global periodic reauthentication timer.

mac-authentication timer reauth-period reauth-period-value

The default setting is 3600 seconds.

¡     Execute the following commands in sequence to set a port-specific periodic reauthentication timer:

interface interface-type interface-number

mac-authentication timer reauth-period reauth-period-value

quit

By default, no periodic MAC reauthentication timer is set on a port. The port uses the global periodic MAC reauthentication timer.

3.     Enter interface view.

interface interface-type interface-number

4.     Enable periodic MAC reauthentication.

mac-authentication re-authenticate

By default, periodic MAC reauthentication is disabled on a port.

5.     (Optional.) Enable the keep-online feature for MAC authenticated users on the port.

mac-authentication re-authenticate server-unreachable keep-online

By default, the keep-online feature is disabled. The device logs off online MAC authentication users if no server is reachable for MAC reauthentication.

In a fast-recovery network, you can use the keep-online feature to prevent MAC authentication users from coming online and going offline frequently.

Configuring a MAC authentication guest VLAN

Restrictions and guidelines

When you configure the MAC authentication guest VLAN on a port, follow the guidelines in Table 8.

Table 8 Relationships of the MAC authentication guest VLAN with other security features

Feature	Relationship description	Reference
Quiet feature of MAC authentication	The MAC authentication guest VLAN feature has higher priority. When a user fails MAC authentication, the user can access the resources in the guest VLAN. The user's MAC address is not marked as a silent MAC address.	See "Configuring MAC authentication timers."
Super VLAN	You cannot specify a VLAN as both a super VLAN and a MAC authentication guest VLAN.	See Layer 2—LAN Switching Configuration Guide.
Port intrusion protection	The guest VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of the port intrusion protection feature.	See "Configuring port security."

 

Prerequisites

Before you configure the MAC authentication guest VLAN on a port, complete the following tasks:

·     Create the VLAN to be specified as the MAC authentication guest VLAN.

·     Configure the port as a hybrid port, and configure the VLAN as an untagged member on the port.

·     Enable MAC-based VLAN on the port.

For information about VLAN configuration, see Layer 2—LAN Switching Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify the MAC authentication guest VLAN on the port.

mac-authentication guest-vlan guest-vlan-id

By default, no MAC authentication guest VLAN is specified on a port.

You can configure only one MAC authentication guest VLAN on a port. The MAC authentication guest VLANs on different ports can be different.

4.     Set the authentication interval for users in the MAC authentication guest VLAN.

mac-authentication guest-vlan auth-period period-value

The default setting is 30 seconds.

Configuring a MAC authentication critical VLAN

Restrictions and guidelines

When you configure the MAC authentication critical VLAN on a port, follow the guidelines in Table 9.

Table 9 Relationships of the MAC authentication critical VLAN with other security features

Feature	Relationship description	Reference
Quiet feature of MAC authentication	The MAC authentication critical VLAN feature has higher priority. When a user fails MAC authentication because no RADIUS authentication server is reachable, the user can access the resources in the critical VLAN. The user's MAC address is not marked as a silent MAC address.	See "Configuring MAC authentication timers."
Super VLAN	You cannot specify a VLAN as both a super VLAN and a MAC authentication critical VLAN.	See Layer 2—LAN Switching Configuration Guide.
Port intrusion protection	The critical VLAN feature has higher priority than the block MAC action but lower priority than the shutdown port action of the port intrusion protection feature.	See "Configuring port security."

 

Prerequisites

Before you configure the MAC authentication critical VLAN on a port, complete the following tasks:

·     Create the VLAN to be specified as the MAC authentication critical VLAN.

·     Configure the port as a hybrid port, and configure the VLAN as an untagged member on the port.

·     Enable MAC-based VLAN on the port.

For information about VLAN configuration, see Layer 2—LAN Switching Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify the MAC authentication critical VLAN on the port.

mac-authentication critical vlan critical-vlan-id

By default, no MAC authentication critical VLAN is specified on a port.

You can configure only one MAC authentication critical VLAN on a port. The MAC authentication critical VLANs on different ports can be different.

Enabling the MAC authentication critical voice VLAN feature

Prerequisites

Before you enable the MAC authentication critical voice VLAN feature on a port, complete the following tasks:

·     Enable LLDP both globally and on the port.

The device uses LLDP to identify voice users. For information about LLDP, see Layer 2—LAN Switching Configuration Guide.

·     Enable voice VLAN on the port.

For information about voice VLANs, see Layer 2—LAN Switching Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable the MAC authentication critical voice VLAN feature on a port.

mac-authentication critical-voice-vlan

By default, the MAC authentication critical voice VLAN feature is disabled on a port.

Configuring a MAC authentication guest VSI

Restrictions and guidelines

The MAC authentication guest VSI feature has higher priority than the quiet feature of MAC authentication. When a user fails MAC authentication, the user can access the resources in the guest VSI. The user's MAC address is not marked as a silent MAC address.

You can configure only one MAC authentication guest VSI on a port. The MAC authentication guest VSIs on different ports can be different.

Prerequisites

Before you configure the MAC authentication guest VSI on a port, complete the following tasks:

·     Enable L2VPN.

·     Create the VSI to be specified as the MAC authentication guest VSI, and create a VXLAN for the VSI.

·     Enable MAC-based traffic match mode for dynamic Ethernet service instances on the port.

For more information, see VXLAN Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify the MAC authentication guest VSI on the port.

mac-authentication guest-vsi guest-vsi-name

By default, no MAC authentication guest VSI exists on a port.

4.     (Optional.) Set the authentication interval for users in the MAC authentication guest VSI.

mac-authentication guest-vsi auth-period period-value

The default setting is 30 seconds.

Configuring a MAC authentication critical VSI

Restrictions and guidelines

The MAC authentication critical VSI feature has higher priority than the quiet feature of MAC authentication. When a user fails MAC authentication, the user can access the resources in the critical VSI. The user's MAC address is not marked as a silent MAC address.

You can configure only one MAC authentication critical VSI on a port. The MAC authentication critical VSIs on different ports can be different.

Prerequisites

Before you configure the MAC authentication critical VSI on a port, complete the following tasks:

·     Enable L2VPN.

·     Create the VSI to be specified as the MAC authentication critical VSI, and create a VXLAN for the VSI.

·     Enable MAC-based traffic match mode for dynamic Ethernet service instances on the port.

For more information, see VXLAN Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Specify the MAC authentication critical VSI on the port.

mac-authentication critical vsi critical-vsi-name [ url-user-logoff ]

By default, no MAC authentication critical VSI exists on a port.

The url-user-logoff keyword enables the device to log off MAC authentication users that have been assigned authorization URLs on the port when the first user is assigned to the critical VSI.

Configuring user aging for unauthenticated MAC authentication users

About user aging for unauthenticated MAC authentication users

User aging for unauthenticated MAC authentication users applies to users added to a MAC authentication guest or critical VLAN or VSI because they have not been authenticated or have failed authentication.

When a user in one of those VLANs or VSIs ages out, the device removes the user from the VLAN or VSI and deletes the MAC address entry for the user from the access port.

For users in one of those VLANs or VSIs on one port to be authenticated successfully and come online on another port, enable this feature. In any other scenarios, disable this feature as a best practice.

Restrictions and guidelines

As a best practice, use this feature on a port only if you want to have its unauthenticated users to be authenticated and come online on a different port.

Procedure

1.     Enter system view.

system-view

2.     Set the user aging timer for a type of MAC authentication VLAN or VSI.

mac-authentication timer user-aging { critical-vlan | critical-vsi | guest-vlan | guest-vsi } aging-time-value

By default, the user aging timer is 1000 seconds for all applicable types of MAC authentication VLANs and VSIs.

3.     Enter interface view.

interface interface-type interface-number

4.     Enable user aging for unauthenticated MAC authentication users.

mac-authentication unauthenticated-user aging enable

By default, user aging is enabled for unauthenticated MAC authentication users.

Configuring MAC authentication offline detection

About MAC authentication offline detection

Enable MAC authentication offline detection to detect idle users on a port. If the port has not received traffic from a user when the offline detect timer expires, the device logs off that user and requests the accounting server to stop accounting for the users. For information about setting the offline detect timer in system view, see "Configuring MAC authentication timers."

Disabling this feature disables the device from inspecting the online user status.

In addition to port-based MAC authentication offline detection, you can configure offline detection parameters on a per-user basis, as follows:

·     Set an offline detect timer specific to a user and control whether to use the ARP snooping or ND snooping table to determine the offline state of the user.

¡     If the ARP snooping or ND snooping table is used, the device searches the ARP snooping or ND snooping table before it checks for traffic from the user within the detection interval. If a matching ARP snooping or ND snooping entry is found, the device resets the offline detect timer and the user stays online. If the offline detect timer expires because the device has not found a matching snooping entry for the user or received traffic from the user, the device disconnects the user.

¡     If the ARP or ND snooping table is not used, the device disconnects the user if it has not received traffic from that user before the offline detect timer expires.

When disconnecting the user, the device also notifies the RADIUS server (if any) to stop user accounting.

·     Skip offline detection for the user. You can choose this option if the user is a dumb terminal. A dumb terminal might fail to come online again after it is logged off by the offline detection feature.

The device uses the offline detection settings for a user in the following sequence:

1.     User-specific offline detection settings.

2.     Offline detection settings assigned to the user by the RADIUS server. The settings include the offline detect timer, use of the ARP or ND snooping table in offline detection, and whether to ignore offline detection.

3.     Port-based offline detection settings.

Restrictions and guidelines

For the user-specific offline detection feature to take effect on a user, make sure the MAC authentication offline detection feature is enabled on the user's access port.

The user-specific offline detection settings take effect on the online users immediately after they are configured.

If you enable MAC authentication offline detection on a Layer 2 aggregate interface, delay exists for the device to log off an idle user.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Configure MAC authentication offline detection for a user.

mac-authentication offline-detect mac-address mac-address { ignore | timer offline-detect-value [ check-arp-or-nd-snooping ] }

By default, offline detection settings configured on access ports take effect and the offline detect timer set in system view is used.

3.     Enter interface view.

interface interface-type interface-number

4.     Enable MAC authentication offline detection.

mac-authentication offline-detect enable

By default, MAC authentication offline detection is enabled on a port.

Enabling online user synchronization for MAC authentication

About online user synchronization for MAC authentication

IMPORTANT: This feature takes effect only when the device uses an IMC RADIUS server to authenticate MAC authentication users.

‌

To ensure that the RADIUS server maintains the same online MAC authentication user information as the device after the server state changes from unreachable to reachable, use this feature.

This feature synchronizes online MAC authentication user information between the device and the RADIUS server when the RADIUS server state is detected having changed from unreachable to reachable.

When synchronizing online MAC authentication user information on a port with the RADIUS server, the device initiates MAC authentication in turn for each authenticated online MAC authentication user to the RADIUS server.

If synchronization fails for an online user, the device logs off that user unless the failure occurs because the server has become unreachable again.

Restrictions and guidelines

The amount of time required to complete online user synchronization increases as the number of online users grows. This might result in an increased delay for new MAC authentication users and users in the critical VLAN or VSI to authenticate or reauthenticate to the RADIUS server and come online.

To have this feature take effect, you must use it in conjunction with the RADIUS server status detection feature, which is configurable with the radius-server test-profile command. When you configure this feature, make sure the detection interval is shorter than the RADIUS server quiet timer configured by using the timer quiet command in RADIUS scheme view. The server state changes to active on expiration of the quiet timer regardless of its actual reachability. Setting a shorter detection interval than the quiet timer prevents the RADIUS server status detection feature from falsely reporting the server reachability.

For more information about the RADIUS server status detection feature, see "Configuring AAA."

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable online user synchronization for MAC authentication.

mac-authentication server-recovery online-user-sync

By default, online user synchronization for MAC authentication is disabled.

Setting the maximum number of concurrent MAC authentication users on a port

About limiting the number of concurrent MAC authentication users on a port

Perform this task to prevent the system resources from being overused.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Set the maximum number of concurrent MAC authentication users on the port.

mac-authentication max-user max-number

The default setting is 4294967295.

Enabling MAC authentication multi-VLAN mode on a port

About VLAN modes of MAC authentication

MAC authentication on a port can operate in the following VLAN modes:

·     Single-VLAN mode—MAC authentication does not allow online users to move between VLANs without reauthentication on the port.

·     Multi-VLAN mode—MAC authentication allows online users to move between VLANs on the port without being logged out for reauthentication.

Multi-VLAN mode is useful for applications that are sensitive to delay or interruption, which occurs when reauthentication is performed. For example, you can use this feature on a hybrid port if it performs MAC authentication for IP phones.

In multi-VLAN mode, the device creates a new MAC-VLAN mapping for an online user when that user moves from one VLAN to another. The original MAC-VLAN mapping of the user remains on the device until it dynamically ages out.

In single-VLAN mode, the device handles the movement depending on authorization VLAN assignment:

·     If no authorization VLAN has been assigned to the online user, the device first logs off and then reauthenticates the user in the new VLAN.

·     If the online user has been assigned an authorization VLAN, the device handles the user depending on the status of the port security MAC move feature.

¡     If port security MAC move is disabled, the user cannot pass authentication and come online from the new VLAN until after it goes offline from the original VLAN.

¡     If port security MAC move is enabled, the user can pass authentication on the new VLAN and come online without having to first go offline from the original VLAN. After the user passes authentication on the new VLAN, the authentication session of that user is deleted from the original VLAN.

To enable the port security MAC move feature, use the port-security mac-move permit command.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable MAC authentication multi-VLAN mode.

mac-authentication host-mode multi-vlan

By default, MAC authentication operates in single-VLAN mode on a port.

Configuring MAC authentication delay

About MAC authentication delay

When both 802.1X authentication and MAC authentication are enabled on a port, you can delay MAC authentication so that 802.1X authentication is preferentially triggered.

If no 802.1X authentication is triggered or 802.1X authentication fails within the delay period, the port continues to process MAC authentication.

Restrictions and guidelines

Do not set the port security mode to mac-else-userlogin-secure or mac-else-userlogin-secure-ext when you use MAC authentication delay. The delay does not take effect on a port in either of the two modes. For more information about port security modes, see "Configuring port security."

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable MAC authentication delay and set the delay timer.

mac-authentication timer auth-delay time

By default, MAC authentication delay is disabled.

Including user IP addresses in MAC authentication requests

About the feature of including user IP addresses in MAC authentication requests

IMPORTANT: This feature can only operate in conjunction with an IMC server.

‌

To avoid IP conflicts that result from changes to static IP addresses, use this feature on a port that has MAC authentication users that use static IP addresses.

This feature adds user IP addresses to the MAC authentication requests sent to the authentication server. When MAC authentication is triggered for a user, the device checks the user's IP address for invalidity.

·     If the IP address is valid, the device sends a MAC authentication request with the IP address included.

·     If the IP address is not a valid host IP address or the triggering packet does not contain an IP address, the device does not initiate MAC authentication.

·     If the packet is a DHCP packet with a source IP address of 0.0.0.0, the device sends a MAC authentication request without including the IP address. In this case, the IMC server does not examine the user IP address when it performs authentication.

Upon receipt of the authentication request that includes a user's IP address, the IMC server compares the user's IP and MAC addresses with its local IP-MAC mappings.

·     If an exact match is found or if no match is found, the user passes MAC authentication. In the latter case, the server creates an IP-MAC mapping for the user.

·     If a mapping is found for the MAC address but the IP addresses do not match, the user fails the MAC authentication.

 

IMPORTANT: If the user host is configured with IPv6, the device might receive packets that contain an IPv6 link-local address, which starts with fe80. MAC authentication failure will occur if this address is used in MAC authentication. To avoid MAC authentication failure, configure a basic ACL to exclude the IPv6 IP addresses that start with fe80.

‌

Restrictions and guidelines

Do not use this feature in conjunction with the MAC authentication guest VLAN or guest VSI on a port. The device cannot perform MAC authentication for a user once that user is added to the MAC authentication guest VLAN or guest VSI.

When you configure the ACL, follow these guidelines:

·     Use permit rules to identify source IP addresses that are valid for MAC authentication. Use deny rules to identify source IP addresses that cannot trigger MAC authentication.

·     In the rules, only the action keyword (permit or deny) and the source IP match criterion can take effect.

·     As a best practice, configure a deny rule to exclude the IPv6 IP addresses that start with fe80 from triggering MAC authentication.

·     If you configure permit rules, add a deny all rule at the bottom of the ACL.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Include user IP addresses in MAC authentication requests.

mac-authentication carry user-ip [ exclude-ip acl acl-number ]

By default, a MAC authentication request does not include the user IP address.

Enabling parallel processing of MAC authentication and 802.1X authentication

About parallel processing of MAC authentication and 802.1X authentication

This feature enables a port that processes MAC authentication after 802.1X authentication is finished to process MAC authentication in parallel with 802.1X authentication.

Make sure the port meets the following requirements:

·     The port is configured with both 802.1X authentication and MAC authentication and performs MAC-based access control for 802.1X authentication.

·     The port is enabled with the 802.1X unicast trigger.

When the port receives a packet from an unknown MAC address, it sends a unicast EAP-Request/Identity packet to the MAC address. After that, the port immediately processes MAC authentication without waiting for the 802.1X authentication result.

After MAC authentication succeeds, the port is assigned to the MAC authentication authorization VLAN or VSI.

·     If 802.1X authentication fails, the MAC authentication result takes effect.

·     If 802.1X authentication succeeds, the device handles the port and the MAC address based on the 802.1X authentication result.

The process sequence of 802.1X authentication and MAC authentication is configurable in other ways. For the port to perform MAC authentication before it is assigned to the 802.1X guest VLAN or guest VSI, enable new MAC-triggered 802.1X guest VLAN or VSI assignment delay. For information about new MAC-triggered 802.1X guest VLAN or VSI assignment delay, see "Configuring 802.1X."

Restrictions and guidelines

To configure both 802.1X authentication and MAC authentication on the port, use one of the following methods:

·     Enable the 802.1X and MAC authentication features separately on the port.

·     Enable port security on the port. The port security mode must be userlogin-secure-or-mac or userlogin-secure-or-mac-ext.

For information about port security mode configuration, see "Configuring port security."

For the parallel processing feature to work correctly, do not enable MAC authentication delay on the port. This operation will delay MAC authentication after 802.1X authentication is triggered.

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Enable parallel processing of MAC authentication and 802.1X authentication on the port.

mac-authentication parallel-with-dot1x

By default, this feature is disabled.

Logging off MAC authentication users

About logging off MAC authentication users

Perform this task to log off specific MAC authentication users and clear information about these users from the device. These users must perform MAC authentication to come online again.

Procedure

To log off MAC authentication users, execute the following command in user view:

reset mac-authentication access-user [ interface interface-type interface-number | mac mac-address | username username | vlan vlan-id | vsi vsi-name ]

Enabling MAC authentication user logging

About MAC authentication user logging

This feature enables the device to generate logs about MAC authentication users and send the logs to the information center. For the logs to be output correctly, you must also configure the information center on the device. For more information about information center configuration, see Network Management and Monitoring Configuration Guide.

Restrictions and guidelines

As a best practice, disable this feature to prevent excessive output of logs about MAC authentication users.

Procedure

1.     Enter system view.

system-view

2.     Enable MAC authentication user logging.

mac-authentication access-user log enable [ failed-login | logoff | successful-login ] *

By default, all types of logging about MAC authentication users are disabled.

If you do not specify any parameters, this command enables all types of logging about MAC authentication users.

Display and maintenance commands for MAC authentication

Execute display commands in any view and reset commands in user view.

 

Task	Command
Display MAC authentication information.	display mac-authentication [ interface interface-type interface-number ]
Display MAC authentication connections.	In standalone mode: display mac-authentication connection [ open ] [ interface interface-type interface-number | slot slot-number | user-mac mac-address | user-name user-name ] In IRF mode: display mac-authentication connection [ open ] [ chassis chassis-number slot slot-number | interface interface-type interface-number | user-mac mac-address | user-name user-name ]
Display the MAC addresses of MAC authentication users in a type of MAC authentication VLAN or VSI.	display mac-authentication mac-address { critical-vlan | critical-vsi | guest-vlan | guest-vsi } [ interface interface-type interface-number ]
Clear MAC authentication statistics.	reset mac-authentication statistics [ interface interface-type interface-number ]
Remove users from the MAC authentication critical VLAN on a port.	reset mac-authentication critical vlan interface interface-type interface-number [ mac-address mac-address ]
Remove users from the MAC authentication critical voice VLAN on a port.	reset mac-authentication critical-voice-vlan interface interface-type interface-number [ mac-address mac-address ]
Remove users from the MAC authentication guest VLAN on a port.	reset mac-authentication guest-vlan interface interface-type interface-number [ mac-address mac-address ]
Remove users from the MAC authentication critical VSI on a port.	reset mac-authentication critical vsi interface interface-type interface-number [ mac-address mac-address ]
Remove users from the MAC authentication guest VSI on a port.	reset mac-authentication guest-vsi interface interface-type interface-number [ mac-address mac-address ]

 

MAC authentication configuration examples

Example: Configuring local MAC authentication

Network configuration

As shown in Figure 4, the device performs local MAC authentication on HundredGigE 1/0/1 to control Internet access of users.

Configure the device to meet the following requirements:

·     Detect whether a user has gone offline every 180 seconds.

·     Deny a user for 180 seconds if the user fails MAC authentication.

·     Authenticate all users in ISP domain bbb.

·     Use the MAC address of each user as both the username and password for authentication. The MAC addresses are in the hexadecimal notation with hyphens, and letters are in lower case.

Figure 4 Network diagram

‌

Procedure

# Add a network access local user. In this example, configure both the username and password as Host A's MAC address 00-e0-fc-12-34-56.

<Device> system-view

[Device] local-user 00-e0-fc-12-34-56 class network

[Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56

# Specify the LAN access service for the user.

[Device-luser-network-00-e0-fc-12-34-56] service-type lan-access

[Device-luser-network-00-e0-fc-12-34-56] quit

# Configure ISP domain bbb to perform local authentication for LAN users.

[Device] domain bbb

[Device-isp-bbb] authentication lan-access local

[Device-isp-bbb] quit

# Enable MAC authentication on HundredGigE 1/0/1.

[Device] interface hundredgige 1/0/1

[Device-HundredGigE1/0/1] mac-authentication

[Device-HundredGigE1/0/1] quit

# Specify ISP domain bbb as the MAC authentication domain.

[Device] mac-authentication domain bbb

# Configure MAC authentication timers.

[Device] mac-authentication timer offline-detect 180

[Device] mac-authentication timer quiet 180

# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in the hexadecimal notation with hyphens, and letters are in lower case.

[Device] mac-authentication user-name-format mac-address with-hyphen lowercase

# Enable MAC authentication globally.

[Device] mac-authentication

Verifying the configuration

# Display MAC authentication settings and statistics to verify your configuration.

[Device] display mac-authentication

 Global MAC authentication parameters:

   MAC authentication                  : Enabled

   Authentication method               : PAP

   User name format                    : MAC address in lowercase(xx-xx-xx-xx-xx-xx)

           Username                    : mac

           Password                    : Not configured

   Offline detect period               : 180 s

   Quiet period                        : 180 s

   Server timeout                      : 100 s

   Reauth period                       : 3600 s

   User aging period for critical VLAN : 1000 s

   User aging period for critical VSI  : 1000 s

   User aging period for guest VLAN    : 1000 s

   User aging period for guest VSI     : 1000 s

   Authentication domain               : bbb

 Online MAC-auth wired users           : 1

 

 Silent MAC users:

          MAC address       VLAN ID  From port               Port index

          00e0-fc11-1111    8        HGE1/0/1                1

 

 HundredGigE1/0/1 is link-up

   MAC authentication               : Enabled

   Carry User-IP                    : Disabled

   Authentication domain            : Not configured

   Auth-delay timer                 : Disabled

   Periodic reauth                  : Disabled

   Re-auth server-unreachable       : Logoff

   Guest VLAN                       : Not configured

   Guest VLAN auth-period           : 30 s

   Critical VLAN                    : Not configured

   Critical voice VLAN              : Disabled

   Host mode                        : Single VLAN

   Offline detection                : Enabled

   Authentication order             : Default

   User aging                       : Enabled

   Server-recovery online-user-sync : Enabled

 

   Guest VSI                        : Not configured

   Guest VSI auth-period            : 30 s

   Critical VSI                     : Not configured

   Auto-tag feature                 : Disabled

   VLAN tag configuration ignoring  : Disabled

   Max online users                 : 4294967295

   Authentication attempts          : successful 1, failed 0

   Current online users             : 1

          MAC address       Auth state

          00e0-fc12-3456    Authenticated

The output shows that Host A has passed MAC authentication and has come online. Host B failed MAC authentication and its MAC address is marked as a silent MAC address.

Example: Configuring RADIUS-based MAC authentication

Network configuration

As shown in Figure 5, the device uses RADIUS servers to perform authentication, authorization, and accounting for users. The RADIUS servers use the CHAP authentication method.

To control user access to the Internet by MAC authentication, perform the following tasks:

·     Enable MAC authentication globally and on HundredGigE 1/0/1.

·     Configure the device to use CHAP for MAC authentication.

·     Configure the device to detect whether a user has gone offline every 180 seconds.

·     Configure the device to deny a user for 180 seconds if the user fails MAC authentication.

·     Configure all users to belong to ISP domain bbb.

·     Use a shared user account for all users, with username aaa and password 123456.

Figure 5 Network diagram

‌

Procedure

Make sure the RADIUS servers and the access device can reach each other.

1.     Configure the RADIUS servers to provide authentication, authorization, and accounting services. Create a shared account with username aaa and password 123456 for MAC authentication users. (Details not shown.)

2.     Configure RADIUS-based MAC authentication on the device:

# Configure a RADIUS scheme.

<Device> system-view

[Device] radius scheme 2000

[Device-radius-2000] primary authentication 10.1.1.1 1812

[Device-radius-2000] primary accounting 10.1.1.2 1813

[Device-radius-2000] key authentication simple abc

[Device-radius-2000] key accounting simple abc

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

# Specify CHAP as the authentication method for MAC authentication.

[Device] mac-authentication authentication-method chap

# Apply the RADIUS scheme to ISP domain bbb for authentication, authorization, and accounting.

[Device] domain bbb

[Device-isp-bbb] authentication default radius-scheme 2000

[Device-isp-bbb] authorization default radius-scheme 2000

[Device-isp-bbb] accounting default radius-scheme 2000

[Device-isp-bbb] quit

# Enable MAC authentication on HundredGigE 1/0/1.

[Device] interface hundredgige 1/0/1

[Device-HundredGigE1/0/1] mac-authentication

[Device-HundredGigE1/0/1] quit

# Specify the MAC authentication domain as ISP domain bbb.

[Device] mac-authentication domain bbb

# Set MAC authentication timers.

[Device] mac-authentication timer offline-detect 180

[Device] mac-authentication timer quiet 180

# Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users.

[Device] mac-authentication user-name-format fixed account aaa password simple 123456

# Enable MAC authentication globally.

[Device] mac-authentication

Verifying the configuration

# Verify the MAC authentication configuration.

[Device] display mac-authentication

 Global MAC authentication parameters:

   MAC authentication                  : Enabled

   Authentication method               : CHAP

   Username format                     : Fixed account

           Username                    : aaa

           Password                    : ******

   Offline detect period               : 180 s

   Quiet period                        : 180 s

   Server timeout                      : 100 s

   Reauth period                       : 3600 s

   User aging period for critical VLAN : 1000 s

   User aging period for critical VSI  : 1000 s

   User aging period for guest VLAN    : 1000 s

   User aging period for guest VSI     : 1000 s

   Authentication domain               : bbb

 Online MAC-auth wired users           : 1

 

 Silent MAC users:

          MAC address       VLAN ID  From port               Port index

 

 HundredGigE1/0/1  is link-up

   MAC authentication               : Enabled

   Carry User-IP                    : Disabled

   Authentication domain            : Not configured

   Auth-delay timer                 : Disabled

   Periodic reauth                  : Disabled

   Re-auth server-unreachable       : Logoff

   Guest VLAN                       : Not configured

   Guest VLAN auth-period           : 30 s

   Critical VLAN                    : Not configured

   Critical voice VLAN              : Disabled

   Host mode                        : Single VLAN

   Offline detection                : Enabled

   Authentication order             : Default

   User aging                       : Enabled

   Server-recovery online-user-sync : Enabled

 

   Guest VSI                        : Not configured

   Guest VSI auth-period            : 30 s

   Critical VSI                     : Not configured

   Auto-tag feature                 : Disabled

   VLAN tag configuration ignoring  : Disabled

   Max online users                 : 4294967295

   Authentication attempts          : successful 1, failed 0

   Current online users             : 1

          MAC address       Auth state

          00e0-fc12-3456    Authenticated

Example: Configuring ACL assignment for MAC authentication

Network configuration

As shown in Figure 6, configure the device to meet the following requirements:

·     Use RADIUS servers to perform authentication, authorization, and accounting for users.

·     Perform MAC authentication on HundredGigE 1/0/1 to control Internet access.

·     Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in the hexadecimal notation with hyphens, and letters are in lower case.

·     Use an ACL to deny authenticated users to access the FTP server at 10.0.0.1.

Figure 6 Network diagram

‌

Procedure

Make sure the RADIUS servers and the access device can reach each other.

1.     Configure the RADIUS servers:

# Configure the RADIUS servers to provide authentication, authorization, and accounting services. (Details not shown.)

# Add a user account with 00-e0-fc-12-34-56 as both the username and password on each RADIUS server. (Details not shown.)

# Specify ACL 3000 as the authorization ACL for the user account. (Details not shown.)

2.     Configure ACL 3000 to deny packets destined for 10.0.0.1 on the device.

<Device> system-view

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule 0 deny ip destination 10.0.0.1 0

[Device-acl-ipv4-adv-3000] quit

3.     Configure RADIUS-based MAC authentication on the device:

# Configure a RADIUS scheme.

[Device] radius scheme 2000

[Device-radius-2000] primary authentication 10.1.1.1 1812

[Device-radius-2000] primary accounting 10.1.1.2 1813

[Device-radius-2000] key authentication simple abc

[Device-radius-2000] key accounting simple abc

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

# Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.

[Device] domain bbb

[Device-isp-bbb] authentication default radius-scheme 2000

[Device-isp-bbb] authorization default radius-scheme 2000

[Device-isp-bbb] accounting default radius-scheme 2000

[Device-isp-bbb] quit

# Specify the ISP domain for MAC authentication.

[Device] mac-authentication domain bbb

# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in the hexadecimal notation with hyphens, and letters are in lower case.

[Device] mac-authentication user-name-format mac-address with-hyphen lowercase

# Enable MAC authentication on HundredGigE 1/0/1.

[Device] interface hundredgige 1/0/1

[Device-HundredGigE1/0/1] mac-authentication

[Device-HundredGigE1/0/1] quit

# Enable MAC authentication globally.

[Device] mac-authentication

Verifying the configuration

# Verify the MAC authentication configuration.

[Device] display mac-authentication

 Global MAC authentication parameters:

   MAC authentication                  : Enable

   Authentication method               : PAP

   Username format                     : MAC address in lowercase(xx-xx-xx-xx-xx-xx)

           Username                    : mac

           Password                    : Not configured

   Offline detect period               : 300 s

   Quiet period                        : 60 s

   Server timeout                      : 100 s

   Reauth period                       : 3600 s

   User aging period for critical VLAN : 1000 s

   User aging period for critical VSI  : 1000 s

   User aging period for guest VLAN    : 1000 s

   User aging period for guest VSI     : 1000 s

   Authentication domain               : bbb

 Online MAC-auth wired users           : 1

 

 Silent MAC users:

          MAC address       VLAN ID  From port               Port index

 

 HundredGigE1/0/1  is link-up

   MAC authentication               : Enabled

   Carry User-IP                    : Disabled

   Authentication domain            : Not configured

   Auth-delay timer                 : Disabled

   Periodic reauth                  : Disabled

   Re-auth server-unreachable       : Logoff

   Guest VLAN                       : Not configured

   Guest VLAN auth-period           : 30 s

   Critical VLAN                    : Not configured

   Critical voice VLAN              : Disabled

   Host mode                        : Single VLAN

   Offline detection                : Enabled

   Authentication order             : Default

   User aging                       : Enabled

   Server-recovery online-user-sync : Enabled

 

   Guest VSI                        : Not configured

   Guest VSI auth-period            : 30 s

   Critical VSI                     : Not configured

   Auto-tag feature                 : Disabled

   VLAN tag configuration ignoring  : Disabled

   Max online users                 : 4294967295

   Authentication attempts          : successful 1, failed 0

   Current online users             : 1

          MAC address       Auth state

          00e0-fc12-3456    Authenticated

# Verify that you cannot ping the FTP server from the host.

C:\>ping 10.0.0.1

 

Pinging 10.0.0.1 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

 

Ping statistics for 10.0.0.1:

   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The output shows that ACL 3000 has been assigned to HundredGigE 1/0/1 to deny access to the FTP server.

Example: Configuring MAC authentication authorization VSI assignment

Network configuration

As shown in Figure 7, configure the device to meet the following requirements:

·     Use RADIUS servers to perform authentication, authorization, and accounting for users.

·     Perform MAC authentication on HundredGigE 1/0/1 to control Internet access.

·     Configure the RADIUS server to assign VSI bbb to the host when the host passes MAC authentication.

·     Authenticate all users in ISP domain 2000.

·     Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in the hexadecimal notation with hyphens, and letters are in lower case.

Figure 7 Network diagram

‌

Procedure

Make sure the RADIUS servers and the access device can reach each other.

1.     Configure the RADIUS servers:

# Configure the RADIUS servers to provide authentication, authorization, and accounting services. (Details not shown.)

# Add a user account with d4-85-64-be-c6-3e as both the username and password on each RADIUS server. (Details not shown.)

# Specify VSI bbb as the authorization VSI for the user account. (Details not shown.)

 

NOTE: If an H3C ADCAM server is used for authentication and authorization, configure VSIs on the server. The server will assign these VSIs to the device. You do not need to configure VSIs on the device.

 

2.     Configure RADIUS-based MAC authentication on the device:

# Configure a RADIUS scheme.

<Device> system-view

[Device] radius scheme bbb

[Device-radius-bbb] primary authentication 10.1.1.1

[Device-radius-bbb] primary accounting 10.1.1.2

[Device-radius-bbb] key authentication simple bbb

[Device-radius-bbb] key accounting simple bbb

[Device-radius-bbb] user-name-format without-domain

[Device-radius-bbb] quit

# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.

[Device] domain 2000

[Device-isp-2000] authentication lan-access radius-scheme bbb

[Device-isp-2000] authorization lan-access radius-scheme bbb

[Device-isp-2000] accounting lan-access radius-scheme bbb

[Device-isp-2000] quit

# Enable MAC authentication on HundredGigE 1/0/1.

[Device] interface hundredgige 1/0/1

[Device-HundredGigE1/0/1] mac-authentication

# Enable the MAC match mode for dynamic Ethernet service instances on HundredGigE 1/0/1.

[Device-HundredGigE1/0/1] mac-based ac

[Device-HundredGigE1/0/1] quit

# Enable L2VPN.

[Device] l2vpn enable

# Create a VSI named bbb and the associated VXLAN.

[Device] vsi bbb

[Device-vsi-bbb] vxlan 5

[Device-vsi-bbb-vxlan-5] quit

# Specify the ISP domain for MAC authentication.

[Device] mac-authentication domain 2000

# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in the hexadecimal notation with hyphens, and letters are in lower case.

[Device] mac-authentication user-name-format mac-address with-hyphen lowercase

# Enable MAC authentication globally.

[Device] mac-authentication

Verifying the configuration

# Verify that VSI bbb is assigned to the MAC authentication user after the user passes authentication.

[Device] display mac-authentication connection

Total connections: 1

Slot ID: 1

User MAC address: d485-64be-c63e

Access interface: HundredGigE1/0/1

Username: d4-85-64-be-c6-3e

User access state: Successful

Authentication domain: 2000

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

Initial VLAN: 1

Authorization untagged VLAN: N/A

Authorization tagged VLAN: N/A

Authorization VSI: bbb

Authorization ACL ID: N/A

Authorization CAR: N/A

Authorization URL: N/A

Termination action: N/A

Session timeout period: N/A

Offline detection: 300 sec (server-assigned)

Online from: 2016/06/13 09:06:37

Online duration: 0h 0m 35s

# Verify that a dynamic AC is created for MAC address d485-64be-c63e.

[Device] display l2vpn forwarding ac verbose

VSI Name: bbb

  Interface: HGE1/0/1  Service Instance: 1

    Link ID      : 0

    Access Mode  : VLAN

    Encapsulation: untagged

    Type         : Dynamic (MAC-based)

    MAC address  : d485-64be-c63e