11-User Access and Authentication Configuration Guide

07-Port security configuration

Configuring port security

About port security

Port security combines and extends 802.1X and MAC authentication to provide MAC-based network access control. The feature applies to ports that use different authentication methods for users.

Major functions

Port security provides the following functions:

·     Prevents unauthorized access to a network by checking the source MAC address of inbound traffic.

·     Prevents access to unauthorized devices or hosts by checking the destination MAC address of outbound traffic.

·     Controls MAC address learning and authentication on a port to make sure the port learns only source trusted MAC addresses.

Port security features

NTK

The need to know (NTK) feature prevents traffic interception by checking the destination MAC address in the outbound frames. The feature ensures that frames are sent only to the following hosts:

·     Hosts that have passed authentication.

·     Hosts whose MAC addresses have been learned or configured on the access device.

Intrusion protection

The intrusion protection feature checks the source MAC address in inbound frames for illegal frames, and takes a predefined action on each detected illegal frame. The action can be disabling the port temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for 3 minutes (not user configurable).

A frame is illegal if its source MAC address cannot be learned in a port security mode or it is from a client that has failed 802.1X or MAC authentication.

Port security modes

Port security supports the following categories of security modes:

·     MAC learning control—Includes two modes: autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.

·     Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods.

Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action, or sends SNMP notifications. Outgoing frames are not restricted by port security's NTK action unless they trigger the NTK feature.

Table 1 describes the port security modes and the security features.

Table 1 Port security modes

| Purpose | Security mode | Features that can be triggered |
|---|---|---|
| Turning off the port security feature | noRestrictions (the default mode). In this mode, port security is disabled on the port and access to the port is not restricted. | N/A |
| Controlling MAC address learning | autoLearn | NTK/intrusion protection |
| | secure | NTK/intrusion protection |
| Performing 802.1X authentication | userLogin | N/A |
| | userLoginSecure | NTK/intrusion protection |
| | userLoginSecureExt | NTK/intrusion protection |
| | userLoginWithOUI | NTK/intrusion protection |
| Performing MAC authentication | macAddressWithRadius | NTK/intrusion protection |
| Performing a combination of MAC authentication and 802.1X authentication (Or) | macAddressOrUserLoginSecure | NTK/intrusion protection |
| | macAddressOrUserLoginSecureExt | NTK/intrusion protection |
| Performing a combination of MAC authentication and 802.1X authentication (Else) | macAddressElseUserLoginSecure | NTK/intrusion protection |
| | macAddressElseUserLoginSecureExt | NTK/intrusion protection |

The mode names are interpreted as follows:

·     userLogin specifies 802.1X authentication and port-based access control. userLogin combined with Secure (userLoginSecure) specifies 802.1X authentication and MAC-based access control. Ext indicates that multiple 802.1X users can be authenticated and serviced at the same time. A security mode without Ext allows only one user to pass 802.1X authentication.

·     macAddress specifies MAC authentication.

·     Else specifies that the authentication method before Else is applied first. If that authentication fails, whether the port falls back to the authentication method following Else depends on the protocol type of the authentication request.

·     Or specifies that the authentication method following Or is applied first. If the authentication fails, the authentication method before Or is applied.

Controlling MAC address learning

·     autoLearn.

A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, they are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.

A port in autoLearn mode allows frames sourced from the following MAC addresses to pass:

¡     Secure MAC addresses.

¡     MAC addresses configured by using the mac-address static command.

When the number of secure MAC addresses reaches the upper limit, the port transitions to secure mode.

·     secure.

MAC address learning is disabled on a port in secure mode. You can configure MAC addresses by using the mac-address static command. For more information about configuring MAC address table entries, see Network Connectivity Configuration Guide.

A port in secure mode allows only frames sourced from the following MAC addresses to pass:

¡     Secure MAC addresses.

¡     MAC addresses configured by using the mac-address dynamic and mac-address static commands.

Performing 802.1X authentication

·     userLogin.

A port in this mode performs 802.1X authentication and implements port-based access control. The port can service multiple 802.1X users. Once an 802.1X user passes authentication on the port, any subsequent 802.1X users can access the network through the port without authentication.

·     userLoginSecure.

A port in this mode performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.

·     userLoginSecureExt.

This mode is similar to the userLoginSecure mode except that this mode supports multiple online 802.1X users.

·     userLoginWithOUI.

This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specific OUI.

In this mode, the port performs the OUI check first. If the OUI check fails, the port performs 802.1X authentication. The port permits frames that pass either the OUI check or 802.1X authentication.

NOTE:

An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC addresses, the first three octets are the OUI.

Performing MAC authentication

macAddressWithRadius: A port in this mode performs MAC authentication, and services multiple users.

Performing a combination of MAC authentication and 802.1X authentication

·     macAddressOrUserLoginSecure.

This mode is the combination of the macAddressWithRadius and userLoginSecure modes. The mode allows one 802.1X authentication user and multiple MAC authentication users to log in.

In this mode, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed.

·     macAddressOrUserLoginSecureExt.

This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode supports multiple 802.1X and MAC authentication users.

·     macAddressElseUserLoginSecure.

This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies. The mode allows one 802.1X authentication user and multiple MAC authentication users to log in.

In this mode, the port performs MAC authentication upon receiving non-802.1X frames. Upon receiving 802.1X frames, the port performs MAC authentication and then, if the authentication fails, 802.1X authentication.

·     macAddressElseUserLoginSecureExt.

This mode is similar to the macAddressElseUserLoginSecure mode except that this mode supports multiple 802.1X and MAC authentication users as the Ext keyword implies.

Restrictions and guidelines: Port security configuration

This feature applies to networks, such as a WLAN, that require different authentication methods for different users on a port.

As a best practice, use the 802.1X authentication or MAC authentication feature rather than port security for scenarios that require only 802.1X authentication or MAC authentication. For more information about 802.1X and MAC authentication, see "Configuring 802.1X" and "Configuring MAC authentication."

Port security tasks at a glance

To configure port security, perform the following tasks:

1.     Configuring basic features of port security

¡     Enabling port security

¡     Setting the port security mode

¡     Setting port security's limit on the number of secure MAC addresses on a port

¡     Configuring secure MAC addresses

¡     (Optional.) Configuring NTK

¡     (Optional.) Configuring intrusion protection

2.     (Optional.) Configuring extended features of port security

¡     Ignoring authorization information from the server

¡     Enabling MAC move

¡     Enabling the authorization-fail-offline feature

¡     Applying a NAS-ID profile to port security

The extended port security features can also take effect when port security is disabled but 802.1X or MAC authentication is enabled.

3.     (Optional.) Enabling SNMP notifications for port security

Enabling port security

Restrictions and guidelines

When you configure port security, follow these restrictions and guidelines:

·     When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings in different security modes.

·     You can use the undo port-security enable command to disable port security. Because the command logs off online users, make sure no online users are present.

·     Enabling or disabling port security resets the following security settings to the default:

¡     802.1X access control mode, which is MAC-based.

¡     Port authorization state, which is auto.

For more information about 802.1X authentication and MAC authentication configuration, see "Configuring 802.1X" and "Configuring MAC authentication."

Prerequisites

Before you enable port security, disable 802.1X and MAC authentication globally.

Procedure

1.     Enter system view.

system-view

2.     Enable port security.

port-security enable

By default, port security is disabled.

Setting the port security mode

Restrictions and guidelines

You can specify a port security mode when port security is disabled, but your configuration cannot take effect.

Changing the port security mode of a port logs off the online users of the port.

Do not enable 802.1X authentication or MAC authentication on a port where port security is enabled.

After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, first use the undo port-security port-mode command to restore the default port security mode.

Prerequisites

Before you set a port security mode for a port, complete the following tasks:

·     Disable 802.1X and MAC authentication.

·     Verify that the port does not belong to any link aggregation group.

·     If you are configuring the autoLearn mode, set port security's limit on the number of secure MAC addresses. You cannot change the setting when the port is operating in autoLearn mode.

Procedure

1.     Enter system view.

system-view

2.     Set an OUI value for user authentication.

port-security oui index index-value mac-address oui-value

By default, no OUI values are configured for user authentication.

This command is required only for the userlogin-withoui mode.

You can set multiple OUIs, but when the port security mode is userlogin-withoui, the port allows one 802.1X user and only one user that matches one of the specified OUIs.

3.     Enter Layer 2 Ethernet interface view.

interface interface-type interface-number

4.     Set the port security mode.

port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

By default, a port operates in noRestrictions mode.

Setting port security's limit on the number of secure MAC addresses on a port

About this task

You can set the maximum number of secure MAC addresses that port security allows on a port for the following purposes:

·     Controlling the number of concurrent users on the port.

For a port operating in a security mode (except for autoLearn and secure), the upper limit equals the smaller of the following values:

¡     The limit of the secure MAC addresses that port security allows.

¡     The limit of concurrent users allowed by the authentication mode in use.

·     Controlling the number of secure MAC addresses on the port in autoLearn mode.

Port security's limit on the number of secure MAC addresses on a port is independent of the MAC learning limit described in MAC address table configuration. For more information about MAC address table configuration, see Network Connectivity Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enter Layer 2 Ethernet interface view.

interface interface-type interface-number

3.     Set the maximum number of secure MAC addresses allowed on a port.

port-security max-mac-count max-count

By default, port security does not limit the number of secure MAC addresses on a port.

Configuring secure MAC addresses

About secure MAC addresses

Secure MAC addresses are configured or learned in autoLearn mode. If the secure MAC addresses are saved, they can survive a device reboot. You can bind a secure MAC address only to one port in a VLAN.

The device supports static secure MAC addresses.

Table 2 Static secure MAC addresses

| Type | Address sources | Aging mechanism | Can be saved and survive a device reboot? |
|---|---|---|---|
| Static | Manually added | Not available. Static secure MAC addresses never age out unless you manually remove them, change the port security mode, or disable the port security feature. | Yes. |

When the maximum number of secure MAC address entries is reached, the port changes to secure mode. In secure mode, the port cannot add or learn any more secure MAC addresses. The port allows only frames sourced from secure MAC addresses or MAC addresses configured by using the mac-address static command to pass through.

Prerequisites

Before you configure secure MAC addresses, complete the following tasks:

·     Set port security's limit on the number of MAC addresses on the port. Perform this task before you enable autoLearn mode.

·     Set the port security mode to autoLearn.

·     Configure the port to permit packets of the specified VLAN to pass or add the port to the VLAN. Make sure the VLAN already exists.

Adding secure MAC addresses

1.     Enter system view.

system-view

2.     Configure a secure MAC address.

¡     Configure a secure MAC address in system view.

port-security mac-address security mac-address interface interface-type interface-number vlan vlan-id

¡     Execute the following commands in sequence to configure a secure MAC address in Layer 2 Ethernet interface view:

interface interface-type interface-number

port-security mac-address security mac-address vlan vlan-id

By default, no manually configured secure MAC addresses exist.

Configuring NTK

About this task

The NTK feature checks the destination MAC address in outbound frames to make sure frames are forwarded only to trustworthy devices.

The NTK feature supports the following modes:

·     ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.

·     ntk-withbroadcasts—Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.

·     ntk-withmulticasts—Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.

Restrictions and guidelines

The NTK feature drops any unicast frame with an unknown destination MAC address.

Not all port security modes support triggering the NTK feature. For more information, see Table 1.

Procedure

1.     Enter system view.

system-view

2.     Enter Layer 2 Ethernet interface view.

interface interface-type interface-number

3.     Configure the NTK feature.

port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }

By default, NTK is disabled on a port and all frames are allowed to be sent.

Configuring intrusion protection

About this task

Intrusion protection takes one of the following actions on a port in response to illegal frames:

·     blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards the frames. All subsequent frames sourced from a blocked MAC address are dropped. A blocked MAC address is restored to normal state after being blocked for 3 minutes. The interval is fixed and cannot be changed.

·     disableport—Disables the port until you bring it up manually.

·     disableport-temporarily—Disables the port for a period of time. The period can be configured with the port-security timer disableport command.

Restrictions and guidelines

On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication fail for the same frame.

Procedure

1.     Enter system view.

system-view

2.     Enter Layer 2 Ethernet interface view.

interface interface-type interface-number

3.     Configure the intrusion protection feature.

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

By default, intrusion protection is disabled.

4.     (Optional.) Set the silence timeout period during which a port remains disabled.

a.     quit

b.     port-security timer disableport time-value

By default, the port silence timeout period is 20 seconds.
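The following walk-through is an added example, not part of the original guide, that strings the basic-feature tasks above together in the order their prerequisites require: authentication disabled globally, port security enabled, the secure MAC limit set before the port enters autoLearn mode, then a secure MAC address, NTK, and intrusion protection. The interface name, the limit of 8, the MAC address 0001-0001-0002, VLAN 1 and the 60-second timer are assumed sample values; the two undo commands that disable 802.1X and MAC authentication globally come from the referenced 802.1X and MAC authentication guides, not from this page.

```text
# Prerequisite: 802.1X and MAC authentication must be disabled globally before
# port security is enabled (commands from the 802.1X and MAC authentication guides).
<Device> system-view
[Device] undo dot1x
[Device] undo mac-authentication

# Enable port security globally (disabled by default).
[Device] port-security enable

# The secure MAC limit must be set BEFORE the port enters autoLearn mode;
# it cannot be changed while the port operates in autoLearn mode.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port-security max-mac-count 8
[Device-GigabitEthernet1/0/1] port-security port-mode autolearn

# Add one static secure MAC address (the port is in VLAN 1 by default).
[Device-GigabitEthernet1/0/1] port-security mac-address security 0001-0001-0002 vlan 1

# NTK: forward only unicast frames to authenticated/known destination MACs.
[Device-GigabitEthernet1/0/1] port-security ntk-mode ntkonly

# Intrusion protection: shut the port temporarily on an illegal source MAC.
[Device-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Device-GigabitEthernet1/0/1] quit

# The silence timer is a system-view setting (default 20 seconds).
[Device] port-security timer disableport 60

# Verify: mode, max-mac-count, NTK/intrusion settings and secure MAC count.
[Device] display port-security interface gigabitethernet 1/0/1
[Device] display port-security mac-address security interface gigabitethernet 1/0/1 count
```

Once 8 secure MAC addresses have been learned or configured, the port transitions to secure mode on its own; to return it to autoLearn you must first restore noRestrictions with undo port-security port-mode, which logs off online users.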

Ignoring authorization information from the server

About this task

You can configure a port to ignore the authorization information received from the server (local or remote) after an 802.1X or MAC authentication user passes authentication.

Procedure

1.     Enter system view.

system-view

2.     Enter Layer 2 Ethernet interface view.

interface interface-type interface-number

3.     Ignore the authorization information received from the authentication server.

port-security authorization ignore

By default, a port uses the authorization information received from the authentication server.

Enabling MAC move

About this task

MAC move allows 802.1X or MAC authenticated users to move between ports on a device. For example, if an authenticated 802.1X user moves to another 802.1X-enabled port on the device, the authentication session is deleted from the first port. The user is reauthenticated on the new port.

If MAC move is disabled, 802.1X or MAC users authenticated on one port cannot pass authentication after they move to another port.

802.1X or MAC authenticated users cannot move between ports on a device if the number of online users on the authentication server (local or remote) has reached the upper limit.

Restrictions and guidelines

As a best practice to minimize security risks, enable MAC move only if user roaming between ports is required.

Procedure

1.     Enter system view.

system-view

2.     Enable MAC move.

port-security mac-move permit

By default, MAC move is disabled.

Enabling the authorization-fail-offline feature

About this task

The authorization-fail-offline feature logs off port security users that have failed ACL or user profile authorization.

A user fails ACL or user profile authorization in the following situations:

·     The device fails to authorize the specified ACL or user profile to the user.

·     The server assigns a nonexistent ACL or user profile to the user.

This feature does not apply to users that fail VLAN authorization. The device logs off these users directly.

Procedure

1.     Enter system view.

system-view

2.     Enable the authorization-fail-offline feature.

port-security authorization-fail offline

By default, this feature is disabled, and the device does not log off users that fail ACL or user profile authorization.

Applying a NAS-ID profile to port security

About this task

By default, the device sends its device name in the NAS-Identifier attribute of all RADIUS requests.

A NAS-ID profile enables you to send different NAS-Identifier attribute strings in RADIUS requests from different VLANs. The strings can be organization names, service names, or any user categorization criteria, depending on the administrative requirements.

For example, map the NAS-ID companyA to all VLANs of company A. The device will send companyA in the NAS-Identifier attribute for the RADIUS server to identify requests from any Company A users.

Restrictions and guidelines

You can apply a NAS-ID profile to port security globally or on a port. On a port, the device selects a NAS-ID profile in the following order:

1.     The port-specific NAS-ID profile.

2.     The NAS-ID profile applied globally.

If no NAS-ID profile is applied or no matching binding is found in the selected profile, the device uses the device name as the NAS-ID.

For more information about the NAS-ID profile configuration, see "Configuring AAA."

Procedure

1.     Enter system view.

system-view

2.     Apply a NAS-ID profile.

¡     Apply a NAS-ID profile globally.

port-security nas-id-profile profile-name

¡     Execute the following commands in sequence to apply a NAS-ID profile to an interface:

interface interface-type interface-number

port-security nas-id-profile profile-name

By default, no NAS-ID profile is applied in system view or in Layer 2 Ethernet interface view.

Enabling SNMP notifications for port security

About this task

Use this feature to report critical port security events to an NMS. For port security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

Procedure

1.     Enter system view.

system-view

2.     Enable SNMP notifications for port security.

snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] *

By default, SNMP notifications are disabled for port security.

Display and maintenance commands for port security

Execute display commands in any view:

| Task | Command |
|---|---|
| Display the port security configuration, operation information, and statistics. | display port-security [ interface interface-type interface-number ] |
| Display information about blocked MAC addresses. | display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] |
| Display information about secure MAC addresses. | display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] |

Troubleshooting port security

Cannot set the port security mode

Symptom

Cannot set the port security mode for a port.

Analysis

For a port operating in a port security mode other than noRestrictions, you cannot change the port security mode by using the port-security port-mode command.

Solution

To resolve the issue:

1.     Set the port security mode to noRestrictions.

[Device-GigabitEthernet1/0/1] undo port-security port-mode

2.     Set a new port security mode for the port, for example, autoLearn.

[Device-GigabitEthernet1/0/1] port-security port-mode autolearn

3.     If the issue persists, contact H3C Support.

Cannot configure secure MAC addresses

Symptom

Cannot configure secure MAC addresses.

Analysis

No secure MAC address can be configured on a port operating in a port security mode other than autoLearn.

Solution

To resolve the issue:

1.     Set the port security mode to autoLearn.

[Device-GigabitEthernet1/0/1] undo port-security port-mode

[Device-GigabitEthernet1/0/1] port-security max-mac-count 64

[Device-GigabitEthernet1/0/1] port-security port-mode autolearn

[Device-GigabitEthernet1/0/1] port-security mac-address security 1-1-2 vlan 1

2.     If the issue persists, contact H3C Support.