Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 02-MAC Authentication Configuration Examples | 1.13 MB |
Example: Configuring local MAC authentication
Applicable hardware and software versions
Example: Configuring MAC authentication with authorization VSI assignment
Applicable hardware and software versions
Example: Configuring MAC authentication with ACL assignment
Applicable hardware and software versions
Example: Configuring MAC authentication with voice VLAN assignment
Introduction
The following information provides examples for configuring MAC authentication to ensure network access security.
Prerequisites
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The following information is provided based on the assumption that you have basic knowledge of MAC authentication.
Example: Configuring local MAC authentication
Network configuration
As shown in Figure 1, the device performs local MAC authentication on Twenty-FiveGigE 1/0/1 to control Internet access of users.
Configure the device to meet the following requirements:
· Detect whether a user has gone offline every 180 seconds.
· Deny a user for 180 seconds if the user fails MAC authentication.
· Authenticate all users in ISP domain bbb.
· Use the MAC address of each user as both the username and password for authentication. The MAC addresses are in hexadecimal notation with hyphens, and letters are in lower case. In this example, both the username and password are 08-00-27-00-98-d2.
Applicable hardware and software versions
The following matrix shows the hardware and software versions to which this configuration example is applicable:
|
Hardware |
Software version |
|
S6550X-HI switch series |
Release 1213P51 and later |
|
S6880 switch series |
Release 1213P51 and later |
|
S9820-8M switch |
Release 1213P51 and later |
|
S5580X-HI switch series |
Release 1213P50 and later |
|
S5580X-EI switch series |
Release 1213P50 and later |
|
S5580S-EI switch series |
Release 1213P50 and later |
Restrictions and guidelines
· To avoid valid users from being blocked, do not enable MAC authentication globally before you finish all settings.
· When you create a local user, the username and password must match the user account policy for MAC authentication. If MAC-based accounts are used, make sure the username and password of each user account are the same as the MAC address of the corresponding MAC authentication user.
Procedures
# Add a network access user, set both the username and password to the MAC address of the host, and allow the user to use the LAN access service.
<Device> system-view
[Device] local-user 08-00-27-00-98-d2 class network
[Device-luser-network-08-00-27-00-98-d2] password simple 08-00-27-00-98-d2
[Device-luser-network-08-00-27-00-98-d2] service-type lan-access
[Device-luser-network-08-00-27-00-98-d2] quit
# Configure ISP domain bbb to use local authentication for LAN users.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access local
[Device-isp-bbb] quit
# Specify ISP domain bbb as the global MAC authentication domain.
[Device] mac-authentication domain bbb
# Configure MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180
# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication on interface Twenty-FiveGigE 1/0/1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] mac-authentication
[Device-Twenty-FiveGigE1/0/1] quit
# Enable MAC authentication globally.
[Device] mac-authentication
Verifying the configuration
# Display MAC authentication settings and statistics.
<Device> display mac-authentication
Global MAC authentication parameters:
MAC authentication : Enabled
Authentication method : PAP
Username format : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
Username : mac
Password : Not configured
MAC range accounts : 0
MAC address Mask Username
Offline detect period : 180 s
Quiet period : 180 s
Server timeout : 100 s
Reauth period : 3600 s
User aging period for critical VLAN : 1000 s
User aging period for critical VSI : 1000 s
User aging period for guest VLAN : 1000 s
User aging period for guest VSI : 1000 s
User aging period for critical microsegment: 1000 s
Authentication domain : bbb
HTTP proxy port list : Not configured
HTTPS proxy port list : Not configured
Online MAC-auth wired users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
Twenty-FiveGigE1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Periodic reauth : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN reauthentication : Enabled
Guest VLAN auth-period : 30 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
User aging : Enabled
Server-recovery online-user-sync : Disabled
Guest VSI : Not configured
Guest VSI reauthentication : Enabled
Guest VSI auth-period : 30 s
Critical VSI : Not configured
Critical microsegment ID : Not configured
URL user logoff : No
Auto-tag feature : Disabled
VLAN tag configuration ignoring : Disabled
Max online users : 4294967295
Authentication attempts : successful 1, failed 0
Current online users : 1
MAC address Auth state
0800-2700-98d2 Authenticated
Configuration files
#
mac-authentication
mac-authentication timer offline-detect 180
mac-authentication timer quiet 180
mac-authentication domain bbb
mac-authentication user-name-format mac-address with-hyphen lowercase
domain bbb
authentication lan-access local
#
local-user 08-00-27-00-98-d2 class network
password cipher $c$3$rTXB/eL1h+bXc/t2nyQOrhDMC0PWfyiPb93BqMCK+JFYwvn5
service-type lan-access
authorization-attribute user-role network-operator
#
interface Twenty-FiveGigE1/0/1
mac-authentication
#
Example: Configuring MAC authentication with authorization VSI assignment
Network configuration
As shown in Figure 2:
· Configure the device to use the RADIUS servers to perform authentication, authorization, and accounting for the user on the host that is connected to Twenty-FiveGigE 1/0/1.
· Enable MAC authentication on Twenty-FiveGigE 1/0/1 to control Internet access.
· Configure the RADIUS servers to assign VSI bbb to the user when the user passes MAC authentication. After that, the user can access resources in the VXLAN created on the VSI. In this example, the VXLAN is VXLAN 5.
· Authenticate the user in ISP domain 2000.
· Use the MAC address of the host as both the username and password for MAC authentication. The MAC address is in hexadecimal notation with hyphens, and letters are in lower case. In this example, both the username and password are d4-85-64-be-c6-3e.
IMC acts as the RADIUS servers.
Analysis
· For the device to use IMC as the RADIUS servers for user authentication, authorization, and accounting, perform the following tasks on IMC:
a. Add the device to IMC as an access device.
b. Add an access policy.
c. Add an access service and specify the access policy in the access service.
d. Add an access user and specify the access service for the access user.
· For the device to perform RADIUS-based authentication, authorization, and accounting for the MAC authentication access user, configure AAA settings on the device, including ISP domain settings and RADIUS scheme settings.
· To assign a VSI to the user after the user passes authentication and allow the user to access resources in the VXLAN created on the VSI, perform the following tasks:
¡ On IMC, specify the VSI for the user when you add an access policy for the user.
¡ On the device, create the VSI and its VXLAN.
Applicable hardware and software versions
The following matrix shows the hardware and software versions to which this configuration example is applicable:
|
Hardware |
Software version |
|
S6550X-HI switch series |
Release 1213P51 and later |
|
S6880 switch series |
Release 1213P51 and later |
|
S9820-8M switch |
Release 1213P51 and later |
|
S5580X-HI switch series |
Release 1213P50 and later |
|
S5580X-EI switch series |
Release 1213P50 and later |
|
S5580S-EI switch series |
Release 1213P50 and later |
Restrictions and guidelines
· To avoid valid users from being blocked, do not enable MAC authentication globally before you finish all settings.
· When you add an access user on IMC, make sure the user account on IMC matches the MAC authentication user account policy on the device. If MAC-based accounts are used, make sure the username and password of each user account are the same as the MAC address of the corresponding MAC authentication user.
· In standard RADIUS protocol, the authentication port on RADIUS servers is UDP port 1812. If an H3C device is used as a RADIUS server, the authentication port on the RADIUS server is UDP port 1645.
Procedures
If an ADCAM server is used for authentication and authorization, configure VSIs on the server. The server will assign these VSIs to the device. You do not need to configure VSIs on the device.
Configuring the RADIUS server
This example uses IMC PLAT 7.3 (E0506), IMC EIA 7.3 (E0503), and IMC EIP 7.3 (E0503) to describe the procedure.
Adding the device to the IMC Platform as an access device
1. Log in to IMC.
2. Click the User tab.
3. From the navigation pane, select User Access Policy > Access Device Management > Access Device.
4. Click Add.
5. On the page that opens, configure access device parameters.
a. Set the ports for authentication and accounting to 1812 and 1813, respectively.
b. Select H3C (General) from the Access Device Type list.
c. Set the shared key to expert for secure authentication and accounting communication.
d. Select an access device from the device list or manually add an access device. In this example, the IP address of the access device is 10.1.1.2.
e. Use the default values for other parameters.
f. Click OK.
The IP address of the access device specified on IMC must be the same as the source IP address of the RADIUS packets sent from the device. On the device, the source IP address is chosen in the following order:
a. IP address specified by using the nas-ip command.
b. IP address specified by using the radius nas-ip command.
c. IP address of the outbound interface (the default).
In this example, the device uses the IP address of the outbound interface as the source IP address of RADIUS packets.
Figure 3 Adding an access device
Adding an access policy
1. Click the User tab.
2. From the navigation pane, select User Access Policy > Access Policy.
3. Click Add.
4. On the page that opens, configure access policy parameters.
a. Enter access policy name MACauth.
b. Set the name of the VSI to be deployed to bbb.
c. Configure other parameters as needed.
d. Click OK.
Figure 4 Adding an access policy
Adding an access service
1. Click the User tab.
2. From the navigation pane, select User Access Policy > Access Service.
3. Click Add.
4. On the page that opens, configure access service parameters.
a. Enter service name MACauth Service and set the service suffix to 2000. The service suffix is the authentication domain for the MAC authentication user.
|
|
IMPORTANT: With the service suffix configured, you must configure the device to send usernames that include the domain name to the RADIUS servers. |
b. Select MACauth from the Default Access Policy list.
c. Configure other parameters as needed.
d. Click OK.
Figure 5 Adding an access service
Adding an access user
1. Click the User tab.
2. From the navigation pane, select Access User > Access User.
3. Click Add.
4. On the page that opens, configure access user parameters.
a. Select the user or add a user named test.
b. Enter account name d4-85-64-be-c6-3e and password d4-85-64-be-c6-3e.
c. Select MACauth Service in the Access Service area.
d. Configure other parameters as needed.
e. Click OK.
Figure 6 Adding an access user
Configuring the device
# Configure a RADIUS scheme.
|
|
IMPORTANT: With the service suffix configured on IMC, you must configure the device to send usernames that include the domain name to the RADIUS servers. By default, the device includes the domain name in the usernames sent to a RADIUS server. |
<Device> system-view
[Device] radius scheme bbb
[Device-radius-bbb] primary authentication 10.1.1.1
[Device-radius-bbb] primary accounting 10.1.1.2
[Device-radius-bbb] key authentication simple expert
[Device-radius-bbb] key accounting simple expert
[Device-radius-bbb] user-name-format with-domain
[Device-radius-bbb] quit
# Configure ISP domain 2000.
[Device] domain 2000
[Device-isp-2000] authentication lan-access radius-scheme bbb
[Device-isp-2000] authorization lan-access radius-scheme bbb
[Device-isp-2000] accounting lan-access radius-scheme bbb
[Device-isp-2000] quit
# Enable MAC authentication on interface Twenty-FiveGigE 1/0/1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] mac-authentication
# Enable MAC-based traffic match mode for dynamic Ethernet service instances on interface Twenty-FiveGigE 1/0/1.
[Device-Twenty-FiveGigE1/0/1] mac-based ac
[Device-Twenty-FiveGigE1/0/1] quit
# Enable L2VPN.
[Device] l2vpn enable
# Create a VSI named bbb and the associated VXLAN.
[Device] vsi bbb
[Device-vsi-bbb] vxlan 5
[Device-vsi-bbb-vxlan-5] quit
[Device-vsi-bbb] quit
# Specify ISP domain 2000 as the global MAC authentication domain.
[Device] mac-authentication domain 2000
# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication globally.
[Device] mac-authentication
Verifying the configuration
# Verify that VSI bbb is assigned to the MAC authentication user after the user passes authentication.
[Device] display mac-authentication connection
Total connections: 1
Slot ID: 1
User MAC address: d485-64be-c63e
Access interface: Twenty-FiveGigE1/0/1
Username: d4-85-64-be-c6-3e
User access state: Successful
Authentication domain: 2000
IPv4 address: 192.168.1.1
IPv6 address: 2000:0:0:0:1:2345:6789:abcd
Initial VLAN: 1
Authorization untagged VLAN: N/A
Authorization tagged VLAN: N/A
Authorization VSI: bbb
Authorization microsegment ID: N/A
Authorization ACL ID: N/A
Authorization user profile: N/A
Authorization CAR:
Average input rate: 102400 bps
Peak input rate: 204800 bps
Average output rate: 102400 bps
Peak output rate: 204800 bps
Authorization URL: N/A
Termination action: N/A
Session timeout period: N/A
Offline detection: 100 sec (server-assigned)
Online from: 2016/06/13 09:06:37
Online duration: 0h 0m 35s
# Verify that a dynamic AC is created for MAC address d485-64be-c63e.
[Device] display l2vpn forwarding ac verbose
VSI Name: bbb
Interface: WGE1/0/1 Service Instance: 1
Link ID : 0
Access Mode : VLAN
Encapsulation: untagged
Type : Dynamic (MAC-based)
MAC address : d485-64be-c63e
Configuration files
#
radius scheme bbb
primary authentication 10.1.1.1
primary accounting 10.1.1.2
key authentication cipher $c$3$+zuETC3Y0LHiW3bxzBb+UNEuWlxHkQ==
key accounting cipher $c$3$2b8hx6mbWlnMMQY82TeUzgh0VnWXbg==
user-name-format with-domain
#
domain 2000
authentication lan-access radius-scheme bbb
accounting lan-access radius-scheme bbb
#
interface Twenty-FiveGigE1/0/1
mac-authentication
mac-based ac
#
vsi bbb
vxlan 5
#
l2vpn enable
#
mac-authentication domain 2000
#
mac-authentication user-name-format mac-address with-hyphen lowercase
#
mac-authentication
#
Example: Configuring MAC authentication with ACL assignment
Network configuration
As shown in Figure 7:
· Configure the device to use the RADIUS servers to perform authentication, authorization, and accounting for the user on the host that is connected to Twenty-FiveGigE 1/0/1.
· Enable MAC authentication on Twenty-FiveGigE 1/0/1 to control Internet access.
· Use the MAC address of the host as both the username and password for MAC authentication. The MAC address is in hexadecimal notation with hyphens, and letters are in lower case.
· Use an ACL to deny the user to access the FTP server at 10.0.0.1 after the user passes authentication.
IMC acts as the RADIUS servers.
Analysis
· For the device to use IMC as the RADIUS servers for user authentication, authorization, and accounting, perform the following tasks on IMC:
a. Add the device to IMC as an access device.
b. Add an access policy.
c. Add an access service and specify the access policy in the access service.
d. Add an access user and specify the access service for the access user.
· For the device to perform RADIUS-based authentication, authorization, and accounting for the MAC authentication access user, configure AAA settings on the device, including ISP domain settings and RADIUS scheme settings.
· To use an ACL to restrict the user's network access behaviors after the user passes authentication, perform the following tasks:
¡ On IMC, specify the ACL number for the user when you add an access policy for the user.
¡ On the device, create the ACL and configure its rules.
Applicable hardware and software versions
The following matrix shows the hardware and software versions to which this configuration example is applicable:
|
Hardware |
Software version |
|
S6550X-HI switch series |
Release 1213P51 and later |
|
S6880 switch series |
Release 1213P51 and later |
|
S9820-8M switch |
Release 1213P51 and later |
|
S5580X-HI switch series |
Release 1213P50 and later |
|
S5580X-EI switch series |
Release 1213P50 and later |
|
S5580S-EI switch series |
Release 1213P50 and later |
Restrictions and guidelines
· To avoid valid users from being blocked, do not enable MAC authentication globally before you finish all settings.
· When you add an access user on IMC, make sure the user account on IMC matches the MAC authentication user account policy on the device. If MAC-based accounts are used, make sure the username and password of each user account are the same as the MAC address of the corresponding MAC authentication user.
· In standard RADIUS protocol, the authentication port on RADIUS servers is UDP port 1812. If an H3C device is used as a RADIUS server, the authentication port on the RADIUS server is UDP port 1645.
Procedures
Configuring the RADIUS server
This example uses IMC PLAT 7.3 (E0506), IMC EIA 7.3 (E0503), and IMC EIP 7.3 (E0503) to describe the procedure.
Adding the device to the IMC Platform as an access device
1. Log in to IMC.
2. Click the User tab.
3. From the navigation pane, select User Access Policy > Access Device Management > Access Device.
4. Click Add.
5. On the page that opens, configure access device parameters.
a. Set the ports for authentication and accounting to 1812 and 1813, respectively.
b. Select H3C (General) from the Access Device Type list.
c. Set the shared key to expert for secure authentication and accounting communication.
d. Select an access device from the device list or manually add an access device. In this example, the IP address of the access device is 10.1.1.2.
e. Use the default values for other parameters.
f. Click OK.
The IP address of the access device specified on IMC must be the same as the source IP address of the RADIUS packets sent from the device. On the device, the source IP address is chosen in the following order:
a. IP address specified by using the nas-ip command.
b. IP address specified by using the radius nas-ip command.
c. IP address of the outbound interface (the default).
In this example, the device uses the IP address of the outbound interface as the source IP address of RADIUS packets.
Figure 8 Adding an access device
Adding an access policy
1. Click the User tab.
2. From the navigation pane, select User Access Policy > Access Policy.
3. Click Add.
4. On the page that opens, configure access policy parameters.
a. Enter access policy name MACauth.
b. Select Deploy ACL and manually enter ACL number 3000.
c. Configure other parameters as needed.
d. Click OK.
Figure 9 Adding an access policy
Adding an access service
1. Click the User tab.
2. From the navigation pane, select User Access Policy > Access Service.
3. Click Add.
4. On the page that opens, configure access service parameters.
a. Enter service name MACauth Services and set the service suffix to 2000. The service suffix is the authentication domain for the MAC authentication user.
|
|
IMPORTANT: With the service suffix configured, you must configure the device to send usernames that include the domain name to the RADIUS servers. |
b. Select MACauth from the Default Access Policy list.
c. Configure other parameters as needed.
d. Click OK.
Figure 10 Adding an access service
Adding an access user
1. Click the User tab.
2. From the navigation pane, select Access User > Access User.
3. Click Add.
4. On the page that opens, configure access user parameters.
a. Select the user or add a user named test.
b. Enter account name d4-85-64-be-c6-3e and password d4-85-64-be-c6-3e.
c. Select MACauth Services in the Access Service area.
d. Configure other parameters as needed.
e. Click OK.
Figure 11 Adding an access user
Configuring the device
1. Configure advanced ACL 3000 to deny packets destined for 10.0.0.1.
<Device> system-view
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Device-acl-ipv4-adv-3000] quit
2. Configure RADIUS-based MAC authentication:
# Configure a RADIUS scheme.
|
|
IMPORTANT: With the service suffix configured on IMC, you must configure the device to send usernames that include the domain name to the RADIUS servers. By default, the device includes the domain name in the usernames sent to a RADIUS server. |
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication simple expert
[Device-radius-2000] key accounting simple expert
[Device-radius-2000] user-name-format with-domain
[Device-radius-2000] quit
# Create ISP domain bbb and configure the ISP domain to use RADIUS scheme 2000 for user authentication, authorization, and accounting.
[Device] domain bbb
[Device-isp-bbb] authentication default radius-scheme 2000
[Device-isp-bbb] authorization default radius-scheme 2000
[Device-isp-bbb] accounting default radius-scheme 2000
[Device-isp-bbb] quit
# Specify ISP domain bbb as the global MAC authentication domain.
[Device] mac-authentication domain bbb
# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication on interface Twenty-FiveGigE 1/0/1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] mac-authentication
[Device-Twenty-FiveGigE1/0/1] quit
# Enable MAC authentication globally.
[Device] mac-authentication
Verifying the configuration
# Display MAC authentication settings and statistics.
<Device> display mac-authentication
Global MAC authentication parameters:
MAC authentication : Enable
Authentication method : PAP
Username format : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
Username : mac
Password : Not configured
Offline detect period : 300 s
Quiet period : 60 s
Server timeout : 100 s
Reauth period : 3600 s
User aging period for critical VLAN : 1000 s
User aging period for critical VSI : 1000 s
User aging period for guest VLAN : 1000 s
User aging period for guest VSI : 1000 s
User aging period for critical microsegment: 1000 s
Authentication domain : bbb
HTTP proxy port list : Not configured
HTTPS proxy port list : Not configured
Online MAC-auth wired users : 1
Silent MAC users:
MAC address VLAN ID From port Port index
Twenty-FiveGigE1/0/1 is link-up
MAC authentication : Enabled
Carry User-IP : Disabled
Authentication domain : Not configured
Auth-delay timer : Disabled
Periodic reauth : Disabled
Re-auth server-unreachable : Logoff
Guest VLAN : Not configured
Guest VLAN reauthentication : Enabled
Guest VLAN auth-period : 30 s
Critical VLAN : Not configured
Critical voice VLAN : Disabled
Host mode : Single VLAN
Offline detection : Enabled
Authentication order : Default
User aging : Enabled
Server-recovery online-user-sync : Enabled
Guest VSI : Not configured
Guest VSI reauthentication : Enabled
Guest VSI auth-period : 30 s
Critical VSI : Not configured
Critical microsegment ID : Not configured
URL user logoff : No
Auto-tag feature : Disabled
VLAN tag configuration ignoring : Disabled
Max online users : 4294967295
Authentication attempts : successful 1, failed 0
Current online users : 1
MAC address Auth state
0800-2712-3456 Authenticated
# Verify that you cannot ping the FTP server from the host.
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that ACL 3000 has been assigned to Twenty-FiveGigE 1/0/1 to deny access to the FTP server.
Configuration files
#
acl advanced 3000
rule 0 deny ip destination 10.0.0.1 0
#
radius scheme 2000
primary authentication 10.1.1.1
primary accounting 10.1.1.2
key authentication cipher $c$3$PJM7Px3rbC96Kvh8RyFWHMLatExagQ==
key accounting cipher $c$3$rr7AO7ZuSNZ+b+deWrfb/Qg1JPc97g==
user-name-format with-domain
#
domain bbb
authentication default radius-scheme 2000
authorization default radius-scheme 2000
accounting default radius-scheme 2000
#
mac-authentication domain bbb
#
mac-authentication user-name-format mac-address with-hyphen lowercase
#
interface Twenty-FiveGigE1/0/1
mac-authentication
#
mac-authentication
#
Example: Configuring MAC authentication with voice VLAN assignment
Network configuration
As shown in Figure 12, a company plans to deploy IP phones in the office area and meeting rooms. In order to ensure call quality, voice traffic and data traffic are separated in different VLANs. To prevent unauthorized IP phones from accessing the network, IP phones must pass MAC authentication before they are assigned to voice VLANs.
Configure the device and RADIUS server to meet the following requirements:
· The IP phones in the office area can be automatically assigned to voice VLAN 200.
· The IP phones in the meeting rooms are manually assigned to voice VLAN 400.
· The hosts in the office area use VLAN 100 to transmit data packets.
· The IP phones both in the office area and the meeting rooms must pass MAC authentication before they can be assigned to voice VLANs.
· The hosts connected to the IP phones in the office area must pass 802.1X authentication before they can come online.
Analysis
· To ensure that the voice VLAN feature cannot take effect before the IP phones pass authentication after you specify voice VLANs on the ports connected to the IP phones, you must remove the OUIs matching the IP phones.
· To assign authenticated IP phones to voice VLANs, authorize the voice VLAN proprietary attribute to the IP phones after the IP phones pass authentication.
· To perform 802.1X authentication and MAC authentication for the hosts and IP phones, configure MAC authentication and 802.1X authentication on the ports connected to the IP phones.
Applicable hardware and software versions
The following matrix shows the hardware and software versions to which this configuration example is applicable:
|
Hardware |
Software version |
|
S6550X-HI switch series |
Release 1213P51 and later |
|
S6880 switch series |
Release 1213P51 and later |
|
S9820-8M switch |
Release 1213P51 and later |
|
S5580X-HI switch series |
Release 1213P50 and later |
|
S5580X-EI switch series |
Release 1213P50 and later |
|
S5580S-EI switch series |
Release 1213P50 and later |
Restrictions and guidelines
· You can use the voice-vlan vlan-id enable command to specify a voice VLAN and enable the voice VLAN feature on a port. If an IP phone connected to a port with the voice VLAN feature enabled matches an OUI used for voice packet identification, the device automatically adds the port to the voice VLAN. To not add a port to a voice VLAN before the connected IP phones pass MAC authentication, you must ensure that no OUIs for voice packet identification can match the IP phones before the IP phones pass MAC authentication.
· When LLDP is enabled on a port, you must configure that port to operate in manual voice VLAN assignment mode.
· If the VLAN tag in the packets of IP phones on a port is the same as the voice VLAN configured on that port, you must use the undo voice-vlan security enable command to disable the voice VLAN security mode.
· The device and the RADIUS server must have consistent settings for whether to include the domain name in usernames sent to the RADIUS server.
Procedures
Configuring the device
Configuring voice VLAN settings
# Create VLAN 100, VLAN 200, and VLAN 400.
<Device> system-view
[Device] vlan 100
[Device-vlan100] quit
[Device] vlan 200
[Device-vlan200] quit
[Device] vlan 400
[Device-vlan400] quit
# Configure IP addresses for VLAN interfaces. (Details not shown.)
# Assign Twenty-FiveGigE 1/0/1 to VLAN 100, a data VLAN.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] port link-type hybrid
[Device-Twenty-FiveGigE1/0/1] port hybrid pvid vlan 100
[Device-Twenty-FiveGigE1/0/1] port hybrid vlan 100 untagged
# Configure Twenty-FiveGigE 1/0/1 to operate in automatic voice VLAN assignment mode. By default, a port operates in automatic voice VLAN assignment mode.
[Device-Twenty-FiveGigE1/0/1] voice-vlan mode auto
# Specify voice VLAN 200 and enable the voice VLAN feature on Twenty-FiveGigE 1/0/1.
[Device-Twenty-FiveGigE1/0/1] voice-vlan 200 enable
[Device-Twenty-FiveGigE1/0/1] quit
# Set the link type of Twenty-FiveGigE 1/0/2 to hybrid and assign the port to VLAN 400 as a tagged member.
[Device] interface twenty-fivegige 1/0/2
[Device-Twenty-FiveGigE1/0/2] port link-type hybrid
[Device-Twenty-FiveGigE1/0/2] port hybrid vlan 400 tagged
# Configure Twenty-FiveGigE 1/0/2 to operate in manual voice VLAN assignment mode, and specify voice VLAN 400 and enable the voice VLAN feature on the port.
[Device-Twenty-FiveGigE1/0/2] undo voice-vlan mode auto
[Device-Twenty-FiveGigE1/0/2] voice-vlan 400 enable
# Remove the default OUIs. If an IP phone matches a default OUI, you must remove that default OUI. This step uses the default OUI 000f-e200-0000 as an example to describe the configuration.
[Device] undo voice-vlan mac-address 000f-e200-0000
# Enable the voice VLAN security mode. In this mode, a voice VLAN transmits only voice packets. By default, the voice VLAN security mode is enabled.
[Device] voice-vlan security enable
# Set the voice VLAN aging timer to 30 minutes.
[Device] voice-vlan aging 30
Configuring AAA
1. Configure a RADIUS scheme:
# Create a RADIUS scheme. In the RADIUS scheme, specify the primary authentication and accounting servers and their shared keys, and configure the access device to exclude the domain name from usernames sent to the servers.
[Device] radius scheme radius1
[Device-radius-radius1] primary authentication 192.168.56.10
[Device-radius-radius1] primary accounting 192.168.56.10
[Device-radius-radius1] key authentication simple 123456
[Device-radius-radius1] key accounting simple 123456
[Device-radius-radius1] user-name-format without-domain
[Device-radius-radius1] quit
# Create ISP domain bbb, and configure the ISP domain to use RADIUS scheme radius1 for LAN user authentication, authorization, and accounting.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access radius-scheme radius1
[Device-isp-bbb] authorization lan-access radius-scheme radius1
[Device-isp-bbb] accounting lan-access radius-scheme radius1
[Device-isp-bbb] quit
2. Configure MAC authentication:
# Enable MAC authentication on Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] mac-authentication
[Device-Twenty-FiveGigE1/0/1] quit
[Device] interface twenty-fivegige 1/0/2
[Device-Twenty-FiveGigE1/0/2] mac-authentication
[Device-Twenty-FiveGigE1/0/2] quit
# Specify ISP domain bbb as the global MAC authentication domain.
[Device] mac-authentication domain bbb
# Use the MAC address of each user as both the username and password for MAC authentication. The MAC addresses are in hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication globally.
[Device] mac-authentication
3. Configure 802.1X authentication:
# Enable 802.1X on Twenty-FiveGigE 1/0/2.
[Device] interface twenty-fivegige 1/0/2
[Device-Twenty-FiveGigE1/0/2] dot1x
# Specify ISP domain bbb as the mandatory domain for 802.1X authentication on Twenty-FiveGigE 1/0/2.
[Device-Twenty-FiveGigE1/0/2] dot1x mandatory-domain bbb
[Device-Twenty-FiveGigE1/0/2] quit
# Enable 802.1X globally.
[Device] dot1x
Configuring the RADIUS server
In this example, the RADIUS server runs IMC PLAT 7.3 (E0703), IMC EIA 7.3 (E0611), and IMC EIP 7.3 (E0611).
This example only covers the configuration for adding an IP phone user and assigning the voice VLAN proprietary attribute to the IP phone user. You can add other access users and configure settings for assigning the voice VLAN proprietary attribute to the users in the same way the IP phone user is added and the voice VLAN proprietary attribute is assigned to the IP phone user.
Adding the device to the IMC Platform as an access device
1. Log in to IMC.
2. Click the User tab.
3. From the navigation pane, select User Access Policy > Access Device Management > Access Device.
4. Click Add.
5. On the page that opens, configure access device parameters.
a. Set the ports for authentication and accounting to 1812 and 1813, respectively.
b. Select H3C (General) from the Access Device Type list.
c. Set the shared key to 123456 for secure authentication and accounting communication.
d. Select an access device from the device list or manually add an access device. In this example, the IP address of the access device is 192.168.56.20.
e. Use the default values for other parameters.
f. Click OK.
The IP address of the access device specified on IMC must be the same as the source IP address of the RADIUS packets sent from the device. On the device, the source IP address is chosen in the following order:
a. IP address specified by using the nas-ip command.
b. IP address specified by using the radius nas-ip command.
c. IP address of the outbound interface (the default).
In this example, the device uses the IP address of the outbound interface as the source IP address of RADIUS packets.
Figure 13 Adding an access device
Adding a proprietary attribute assignment policy
1. Click the User tab.
2. From the navigation pane, select User Access Policy > Access Device Management > Proprietary Attribute.
3. Click Add.
4. On the page that opens, configure assignment policy parameters.
a. Set the policy name to Voice.
b. In the Attribute List area, click Add.
c. In the dialog box that opens, search for the H3C_AVPair attribute, and then click OK.
d. In the Attribute Value column, select Access-Accept and add the voice VLAN proprietary attribute device-traffic-class=voice.
e. Click OK.
Figure 14 Adding a proprietary attribute assignment policy
Adding an access policy
1. Click the User tab.
2. From the navigation pane, select User Access Policy > Access Policy.
3. Click Add.
4. On the page that opens, configure access policy parameters.
a. Set the access policy name to MACauth.
b. Configure other parameters as needed.
c. Click OK.
Figure 15 Adding an access policy
Adding an access service
1. Click the User tab.
2. From the navigation pane, select User Access Policy > Access Service.
3. Click Add.
4. On the page that opens, configure access service parameters.
a. Enter service name MACauth Service. Do not specify a service suffix, because the access device does not include the domain name in usernames sent to the RADIUS server.
b. Select MACauth from the Default Access Policy list.
c. Select Voice from the Default Proprietary Attribute Assignment Policy list.
d. Configure other parameters as needed.
e. Click OK.
Figure 16 Adding an access service
Adding an access user
1. Click the User tab.
2. From the navigation pane, select Access User > All Access Users.
3. Click Add.
4. On the page that opens, configure access user parameters. For example, configure an access user account for IP Phone B:
a. Select the user or add a user named Phone.
b. Enter account name 72-22-1e-f7-02-02 and password 72-22-1e-f7-02-02.
c. Select MACauth Service in the Access Service area.
d. Configure other parameters as needed.
e. Click OK.
Figure 17 Adding an access user
Verifying the configuration
# Launch the 802.1X client on the host with MAC address 0200-0000-0003, and enter a username and password. Verify that the user can pass 802.1X authentication. (Details not shown.)
# On the device, display online 802.1X user information.
<Device> display dot1x connection
Total connections: 1
Slot ID: 0
User MAC address: 0200-0000-0003
Access interface: Twenty-FiveGigE1/0/1
Username: dot1x
User access state: Successful
Authentication domain: bbb
EAP packet identifier: 2
Authentication method: CHAP
AAA authentication method: RADIUS
Initial VLAN: 100
Authorization untagged VLAN: N/A
Authorization tagged VLAN list: N/A
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Online from: 2022/10/21 14:06:26
Online duration: 0h 0m 1s
# On the device, display information about online MAC authentication users. Verify that the IP phones can come online.
<Device> display mac-authentication connection
Total connections: 2
Slot ID: 0
User MAC address: 7409-0db9-0302
Access interface: Twenty-FiveGigE1/0/1
Username: 74-09-0d-b9-03-02
User access state: Successful
Authentication domain: bbb
Initial VLAN: 100
Authorization untagged VLAN: N/A
Authorization tagged VLAN: 200
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2022/10/21 14:08:24
Online duration: 0h 0m 6s
Port-down keep online: Disabled (offline)
Slot ID: 0
User MAC address: 7222-1ef7-0202
Access interface: Twenty-FiveGigE1/0/2
Username: 72-22-1e-f7-02-02
User access state: Successful
Authentication domain: bbb
Initial VLAN: 1
Authorization untagged VLAN: N/A
Authorization tagged VLAN: 400
Authorization VSI: N/A
Authorization microsegment ID: N/A
Authorization ACL number/name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Authorization IPv6 URL: N/A
Authorization temporary redirect: Disabled
Start accounting: Successful
Real-time accounting-update failures: 0
Termination action: Default
Session timeout period: N/A
Offline detection: 300 sec (command-configured)
Online from: 2022/10/21 14:08:13
Online duration: 0h 0m 17s
Port-down keep online: Disabled (offline)
Configuration files
#
voice-vlan aging 30
undo voice-vlan mac-address 000f-e200-0000
#
dot1x
#
mac-authentication
mac-authentication domain bbb
mac-authentication user-name-format mac-address with-hyphen lowercase
#
vlan 1
#
vlan 100
#
vlan 200
#
vlan 400
#
interface Vlan-interface1
ip address 192.168.56.20 255.255.0.0
#
interface Twenty-FiveGigE1/0/1
port link-mode bridge
port link-type hybrid
port hybrid vlan 1 100 untagged
port hybrid pvid vlan 100
voice-vlan 200 enable
dot1x
dot1x mandatory-domain bbb
mac-authentication
#
interface Twenty-FiveGigE1/0/2
port link-mode bridge
port link-type hybrid
port hybrid vlan 400 tagged
port hybrid vlan 1 untagged
undo voice-vlan mode auto
voice-vlan 400 enable
mac-authentication
#
interface Twenty-FiveGigE1/0/4
port link-mode bridge
#
radius scheme radius1
primary authentication 192.168.56.10
primary accounting 192.168.56.10
key authentication cipher $c$3$WTVJgwaRYO+vetgJGOiOD7gJjVkPZYjPIw==
key accounting cipher $c$3$tb1uodOzhHSFWneLUEJeyj/O1eiOWdcJqg==
user-name-format without-domain
#
domain bbb
authentication lan-access radius-scheme radius1
authorization lan-access radius-scheme radius1
accounting lan-access radius-scheme radius1
#
