RADIUS-based MAC authentication configuration example
Network requirements
As shown in Figure 39, configure the AP to use the RADIUS server to perform MAC authentication for the client.
Figure 40: Network diagram
Configuration procedure
Make sure the RADIUS server, switch, AP, and client can reach each other. (Details not shown.)
Configure the AP:
Configure the RADIUS scheme:
# Create a RADIUS scheme.
<AP> system-view [AP] radius scheme imcc
# Specify the primary authentication server and the primary accounting server.
[AP-radius-imcc] primary authentication 10.18.1.88 1812 [AP-radius-imcc] primary accounting 10.18.1.88 1813
# Set the authentication and accounting shared keys to 12345678 in plain text for secure RADIUS communication with the server.
[AP-radius-imcc] key authentication simple 12345678 [AP-radius-imcc] key accounting simple 12345678
# Exclude domain names from the usernames sent to the RADIUS server.
[AP-radius-imcc] user-name-format without-domain [AP-radius-imcc] quit
Configure AAA methods for the ISP domain:
# Create an ISP domain named imc.
[AP] domain imc
# Configure the ISP domain to use the RADIUS scheme imcc for authentication, authorization, and accounting of LAN clients.
[AP-isp-imc] authentication lan-access radius-scheme imcc [AP-isp-imc] authorization lan-access radius-scheme imcc [AP-isp-imc] accounting lan-access radius-scheme imcc [AP-isp-imc] quit
Specify username 123 and password aaa_maca in plain text for the account shared by MAC authentication clients.
[AP] mac-authentication user-name-format fixed account 123 password simple aaa_maca
Configure a service template:
# Create a service template named maca_imc.
[AP] wlan service-template maca_imc
# Set the SSID to maca_imc.
[AP-wlan-st-maca_imc] ssid maca_imc
# Set the authentication mode to MAC authentication.
[AP-wlan-st-maca_imc] client-security authentication-mode mac
# Specify ISP domain imc for the service template.
[AP-wlan-st-maca_imc] mac-authentication domain imc
# Enable the service template.
[AP-wlan-st-maca_imc] service-template enable [AP-wlan-st-maca_imc] quit
Bind the service template to an AP radio.
[AP] interface wlan-radio 0/1 [AP-WLAN-Radio0/1] undo shutdown [AP-WLAN-Radio0/1] service template wlas_local_chap [AP-WLAN-Radio0/1] quit
Configure the RADIUS server:
In this example, the RADIUS server runs IMC PLAT 7.1 and IMC UAM 7.1.
# Add an access device:
Click the User tab.
From the navigation tree, select User Access Policy > Access Device Management > Access Device.
Click Add.
In the Access Configuration area, configure the following parameters, as shown in Figure 40:
Enter 12345678 in the Shared Key and Confirm Shared Key fields.
Use the default values for other parameters.
In the Device List area, click Select or Add Manually to add the device at 10.18.1.1 as an access device.
Click OK.
Figure 41: Adding an access device
# Add an access policy:
Click the User tab.
From the navigation tree, select User Access Policy > Access Policy.
Click Add.
On the Add Access Policy page, configure the following parameters, as shown in Figure 41:
Enter aaa_maca in the Access Policy Name field.
Use the default values for other parameters.
Click OK.
Figure 42: Adding an access policy
# Add an access service:
Click the User tab.
From the navigation tree, select User Access Policy > Access Service.
Click Add.
On the Add Access Service page, configure the following parameters, as shown in Figure 42:
Enter aaa_maca in the Service Name field.
Select aaa_maca from the Default Access Policy list.
Click OK.
Figure 43: Adding an access service
# Add an access user:
Click the User tab.
From the navigation tree, select Access User > All Access Users.
Click Add.
In the Access Information area, configure the following parameters, as shown in Figure 43:
Click Select or Add User to associate the user with IMC Platform user 123.
Enter 123 in the Account Name field.
Enter aaa_maca in the Password and Confirm Password fields.
In the Access Service area, select aaa_maca from the list.
Click OK.
Figure 44: Adding an access user account
Verifying the configuration
On the client, verify that you can use username 123 and password aaa_maca to access the network. (Details not shown.)
On the AP, perform the following tasks to verify that the user has passed authentication and come online:
# Display online MAC authentication client information.
[AP] display mac-authentication connection User MAC address : 0023-8933-2098 AP name : ap1 Radio ID : 1 SSID : maca_imc BSSID : 000f-e201-0001 User name : 123 Authentication domain : imc Initial VLAN : 1 Authorization VLAN : N/A Authorization ACL number : N/A Authorization user profile : N/A Termination action : Default Session timeout period : 6001 s Online from : 2014/04/17 17:21:12 Online duration : 0h 0m 30s Total connections: 1.
# Display WLAN client information.
[AP] display wlan client Total number of clients : 1 MAC address Username APID/RID IP address IPv6 address VLAN 0023-8933-2098 123 1/1 10.18.1.100 1