07-Security Configuration Guide
04-MAC Authentication Configuration
Configuring MAC authentication
Using MAC authentication with other features
Basic configuration for MAC authentication
Configuring MAC authentication globally
Configuring MAC authentication on a port
Specifying a MAC authentication domain
Displaying and maintaining MAC authentication
MAC authentication configuration example
Overview
MAC authentication controls network access by authenticating source MAC addresses on a port. It does not require client software, and users do not need to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication enabled port. If the MAC address passes authentication, the user can access authorized network resources. If the authentication fails, the device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from the MAC address within the quiet time. The quiet mechanism avoids repeated authentication during a short time.
NOTE: If the MAC address that has failed authentication is a static MAC address or a MAC address that has passed any security authentication, the device does not mark it as a silent address.
User account policies
MAC authentication supports the following user account policies:
· One MAC-based user account for each user. The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication. This policy is suitable for an insecure environment.
· One shared user account for all users. You specify one username and password, which are not necessarily a MAC address, for all MAC authentication users on the access device. This policy is suitable for a secure environment.
Authentication approaches
You can perform MAC authentication on the access device (local authentication) or through a RADIUS server.
Suppose a packet with an unknown source MAC address arrives at a MAC authentication enabled port.
Local authentication:
· If MAC-based accounts are used, the access device uses the source MAC address of the packet as the username and password to search its local account database for a match.
· If a shared account is used, the access device uses the shared account username and password to search its local account database for a match.
RADIUS authentication:
· If MAC-based accounts are used, the access device sends the source MAC address as the username and password to the RADIUS server for authentication.
· If a shared account is used, the access device sends the shared account username and password to the RADIUS server for authentication.
For more information about configuring local authentication and RADIUS authentication, see "Configuring AAA."
MAC authentication timers
MAC authentication uses the following timers:
· Offline detect timer—Sets the interval that the device waits for traffic from a user before it regards the user as idle. If a user connection has been idle for two consecutive intervals, the device logs the user out and stops accounting for the user.
· Quiet timer—Sets the interval that the device must wait before it can perform MAC authentication again for a user that has failed MAC authentication. All packets from the MAC address are dropped during the quiet time. This quiet mechanism prevents repeated authentication from affecting system performance.
· Server timeout timer—Sets the interval that the access device waits for a response from a RADIUS server before it regards the RADIUS server as unavailable. If the timer expires during MAC authentication, the user cannot access the network.
Using MAC authentication with other features
VLAN assignment
You can specify a VLAN in the user account for a MAC authentication user to control its access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the VLAN to the port as the default VLAN. After the user logs off, the initial default VLAN (the default VLAN configured before any VLAN was assigned by the authentication server) is restored. If the authentication server assigns no VLAN, the initial default VLAN applies.
A hybrid port is always assigned to a server-assigned VLAN as an untagged member. After the assignment, do not re-configure the port as a tagged member in the VLAN.
If MAC-based VLAN is enabled on a hybrid port, the device maps the server-assigned VLAN to the MAC address of the user. The default VLAN of the hybrid port does not change.
ACL assignment
You can specify an ACL in the user account for a MAC authentication user to control its access to network resources. After the user passes MAC authentication, the authentication server, either the local access device or a RADIUS server, assigns the ACL to the access port to filter the traffic from this user. You must configure the ACL on the access device for the ACL assignment function. You can change ACL rules while the user is online.
Configuration task list
Task | Remarks |
---|---|
Configuring MAC authentication globally | Required. |
Configuring MAC authentication on a port | Required. |
Specifying a MAC authentication domain | Optional. |
Basic configuration for MAC authentication
Before you perform basic configuration for MAC authentication, complete the following tasks:
· Create and configure an authentication domain, also called "an ISP domain."
· For local authentication, create local user accounts, and specify the lan-access service for the accounts.
· For RADIUS authentication, check that the device and the RADIUS server can reach each other, and create user accounts on the RADIUS server.
If you are using MAC-based accounts, make sure the username and password for each account is the same as the MAC address of the MAC authentication users.
Configuring MAC authentication globally
MAC authentication can take effect on a port only when it is enabled globally and on the port.
To configure MAC authentication globally:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable MAC authentication globally. | mac-authentication | Disabled by default. |
3. Configure MAC authentication timers. | mac-authentication timer { offline-detect offline-detect-value \| quiet quiet-value \| server-timeout server-timeout-value } | Optional. By default, the offline detect timer is 300 seconds, the quiet timer is 60 seconds, and the server timeout timer is 100 seconds. |
4. Configure the properties of MAC authentication user accounts. | mac-authentication user-name-format { fixed [ account-name ] [ password { cipher \| simple } password ] \| mac-address [ { with-hyphen \| without-hyphen } [ lowercase \| uppercase ] ] } | Optional. By default, the username and password for a MAC authentication user account must be a MAC address in lower case. The MAC address is not hyphen separated. |
Configuring MAC authentication on a port
You cannot add a MAC authentication enabled port to a link aggregation group, or enable MAC authentication on a port already in a link aggregation group.
To configure MAC authentication on a port:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable MAC authentication. | (Approach 1) In system view: mac-authentication interface interface-list. (Approach 2) In Ethernet interface view: a. interface interface-type interface-number; b. mac-authentication | Use either approach. Disabled by default. Enable MAC authentication for ports in bulk in system view or for an individual port in Ethernet interface view. |
3. Set the maximum number of concurrent MAC authentication users allowed on a port. | mac-authentication max-user user-number | Optional. The default setting is 128. |
NOTE: When both (and only both) 802.1X authentication and MAC authentication are enabled on a port, the device waits for 30 seconds before performing MAC authentication for a non-802.1X user that first accesses the network from the port.
Specifying a MAC authentication domain
By default, MAC authentication users are in the system default authentication domain. To implement different access policies for users, you can specify authentication domains for MAC authentication users in the following ways:
· Specify a global authentication domain in system view. This domain setting applies to all ports.
· Specify an authentication domain for an individual port in interface view.
MAC authentication chooses an authentication domain for users on a port in the following order: the port-specific domain, the global domain, and the default domain. For more information about authentication domains, see "Configuring AAA."
To specify an authentication domain for MAC authentication users:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Specify an authentication domain for MAC authentication users. | (Approach 1) In system view: mac-authentication domain domain-name. (Approach 2) In Ethernet interface or WLAN-BSS interface view: a. interface interface-type interface-number; b. mac-authentication domain domain-name | Use either approach. By default, the system default authentication domain is used for MAC authentication users. |
Displaying and maintaining MAC authentication
Task | Command | Remarks |
---|---|---|
Display MAC authentication information. | display mac-authentication [ interface interface-list ] [ \| { begin \| exclude \| include } regular-expression ] | Available in any view. |
Clear MAC authentication statistics. | reset mac-authentication statistics [ interface interface-list ] | Available in user view. |
MAC authentication configuration example
For information about MAC authentication configuration examples, see "Configuring port security."
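The following configuration sequence is an added illustration, not an example from this guide or from the port security chapter. It ties the tasks above together for MAC-based accounts authenticated by RADIUS; the interface GigabitEthernet 1/0/1 and the ISP domain name mac-auth are assumed values, and the domain and its RADIUS scheme are expected to exist already (see "Configuring AAA").

```text
# Added example (not from the guide). Assumed: interface GigabitEthernet 1/0/1,
# ISP domain "mac-auth" already bound to a RADIUS scheme.
<Device> system-view
# Step 1: enable MAC authentication globally (disabled by default).
[Device] mac-authentication
# Step 2: tune timers. Idle users are logged out after two 180 s intervals;
# a failed MAC stays silent for 120 s (defaults: 300 s, 60 s, server timeout 100 s).
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 120
# Step 3: send the source MAC as username and password, hyphenated, lower case.
# The accounts on the RADIUS server must use exactly this format.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Step 4: global authentication domain; a port-specific domain would take
# precedence over it, and the system default domain applies if neither is set.
[Device] mac-authentication domain mac-auth
# Step 5: enable MAC authentication on the access port and limit it to 32
# concurrent users (default 128). The port must not be in a link aggregation group.
[Device] interface GigabitEthernet 1/0/1
[Device-GigabitEthernet1/0/1] mac-authentication
[Device-GigabitEthernet1/0/1] mac-authentication max-user 32
[Device-GigabitEthernet1/0/1] quit
# Step 6: verify that MAC authentication is enabled globally and on the port.
[Device] display mac-authentication interface GigabitEthernet 1/0/1
```

Before relying on the quiet timer for the port, confirm in the display output that failed addresses are listed as silent MAC addresses; a static MAC address or one that has already passed another security authentication is never silenced.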