- H3C Campus Fixed-Port Switches Web-Based Quick Start Configuration Guide-6W100
Port Security Quick Start Configuration Guide
Network configuration
As shown in Figure 1, configure port GigabitEthernet 1/0/1 on the switch to permit one 802.1X user and one endpoint with an OUI in the list of permitted OUIs to access the network.
To meet this requirement, enable port security and use the following settings for authentication:
· Use a RADIUS server to authenticate the 802.1X user in the portsec ISP domain. In this example, the RADIUS server is at IP address 10.1.1.1/24; it provides authentication and authorization on UDP port 1812 and accounting on UDP port 1813.
· Configure the switch and the RADIUS server with the same shared key, which in this example is the string name. The shared key protects the RADIUS exchange between the switch and the server, so replace this example value with a long random secret in a real deployment.
· Add OUIs 1234-0100-1111, 1234-0200-1111, 1234-0300-1111, 1234-0400-1111, and 1234-0500-1111 to the OUI list.
NOTE: An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In a MAC address, the first three octets are the OUI. If you enter a complete MAC address when you add an OUI, the system keeps only the first 24 bits.
Restrictions and guidelines
The OUIs specified for port security apply only to ports operating in userLoginWithOUI mode. In userLoginWithOUI mode, a port allows one 802.1X user and one endpoint whose MAC address matches one of the specified OUIs to access the network. The 802.1X user is authenticated by the RADIUS server, but the OUI endpoint is admitted on its source MAC address alone, so add only the OUIs that the attached device actually requires.
Procedures
Assigning IP addresses to the network interfaces
Details not shown.
Configuring the switch
1. Configure a RADIUS scheme:
a. From the left navigation pane, select Security > Authentication > RADIUS.
b. Click the Add icon at the upper right of the page to add a RADIUS scheme.
c. Set the scheme name to portsec.
d. Configure the primary authentication server. Set its IP address to 10.1.1.1, port number to 1812, and shared key to name. Set its state to Active, and then click the Add icon next to it to add the primary authentication server.
e. Configure the primary accounting server. Set its IP address to 10.1.1.1, port number to 1813, and shared key to name. Set its state to Active, and then click the Add icon next to it to add the primary accounting server.
Figure 2 Adding a RADIUS scheme
f. Click Show advanced settings.
g. From the Format for the usernames sent to the RADIUS server list, select Excludes the domain name. The switch then strips the @portsec suffix before it sends the username to the RADIUS server, so the user accounts on the server do not need a domain name.
h. Click Apply.
The system displays a success message after it adds the RADIUS scheme.
Figure 3 Adding a RADIUS scheme
2. Configure the ISP domain for the users:
a. From the left navigation pane, select Security > Authentication > ISP Domains.
b. Click the Add icon at the upper right of the page to add an ISP domain.
c. Set the domain name to portsec and set its state to Active.
d. Set the service type to LAN access.
e. Select RADIUS for authentication, authorization, and accounting and select the portsec RADIUS scheme as the scheme for each of them.
f. Click Apply.
The system displays a success message after it adds the ISP domain.
Figure 4 Adding an ISP domain
3. Configure port security:
a. From the left navigation pane, select Security > Access Control > Port Security.
b. Click Enable Port Security to enable the port security feature on the switch.
c. Click Advanced Settings next to port GigabitEthernet1/0/1.
d. On the page that opens, set the port security mode to userLoginWithOUI.
e. On the 802.1X tab, select portsec as the mandatory ISP domain for the 802.1X users attached to the port.
f. Click Apply.
The system displays a success message after it configures the port with the advanced settings.
Figure 5 Configuring a port with advanced settings
g. Click the Settings icon at the upper right of the port security configuration page.
h. On the page that opens, add OUIs to the OUI list as planned. In this example, add OUIs 1234-0100-1111, 1234-0200-1111, 1234-0300-1111, 1234-0400-1111, and 1234-0500-1111 to the OUI list.
Figure 6 Configuring advanced settings for port security
4. Save the configuration:
Click the Save icon at the upper left of the page.
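For operators who manage the switch from the command line rather than the web interface, the following is an added example, not part of this guide, that expresses the same settings as Comware CLI commands. It assumes a Comware 7 based switch; keywords and display output can differ between software releases and models, so check each command against the command reference for your device. The values are the ones used in the web procedure above: RADIUS scheme and ISP domain portsec, server 10.1.1.1 on ports 1812 and 1813, shared key name, the five OUIs, and port GigabitEthernet 1/0/1. Lines beginning with # are annotations, not commands.

```text
# Enter system view and create the RADIUS scheme used by the portsec domain
system-view
radius scheme portsec
 primary authentication 10.1.1.1 1812
 primary accounting 10.1.1.1 1813
 key authentication simple name
 key accounting simple name
 user-name-format without-domain
 quit
# ISP domain for the 802.1X user: LAN access, all three AAA functions via the scheme
domain portsec
 authentication lan-access radius-scheme portsec
 authorization lan-access radius-scheme portsec
 accounting lan-access radius-scheme portsec
 quit
# Enable port security globally and add the permitted OUI list
port-security enable
port-security oui index 1 mac-address 1234-0100-1111
port-security oui index 2 mac-address 1234-0200-1111
port-security oui index 3 mac-address 1234-0300-1111
port-security oui index 4 mac-address 1234-0400-1111
port-security oui index 5 mac-address 1234-0500-1111
# Set the port mode and the mandatory 802.1X domain on GigabitEthernet 1/0/1
interface GigabitEthernet 1/0/1
 port-security port-mode userlogin-withoui
 dot1x mandatory-domain portsec
 quit
# Save the running configuration
save force
# Verification (assumed display commands; compare with the web checks below)
display radius scheme portsec
display domain portsec
display port-security interface gigabitethernet 1/0/1
```

The display commands at the end correspond to the three web-based checks in "Verifying the configuration": the first two confirm the scheme and domain, and the port-security display shows the port mode and the number of online users on the port.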
Configuring the RADIUS server
Add user accounts on the RADIUS server and make sure it can provide authentication, authorization, and accounting services.
For more information about configuring user accounts on the RADIUS server, see the user guide for the RADIUS server.
Verifying the configuration
1. On the Security > Authentication > RADIUS page, verify that the portsec RADIUS scheme has been added correctly.
2. On the Security > Authentication > ISP Domains page, verify that the portsec ISP domain has been added correctly.
3. After the 802.1X user comes online, access the Security > Access Control > Port Security page to verify that the number of users on GigabitEthernet 1/0/1 is 1.