RADIUS-based MAC authentication configuration example
Network requirements
As shown in Figure 33, a host connects to port Ethernet 1/0/1 on the access device. The device uses RADIUS servers for authentication, authorization, and accounting.
Perform MAC authentication on port Ethernet 1/0/1 to control Internet access. Make sure that:
The device checks every 180 seconds whether a user has gone offline (offline detect timer). If a user fails authentication, the device does not re-authenticate that user for 180 seconds (quiet timer).
All MAC authentication users belong to ISP domain 2000 and share the user account aaa with password 123456.
Figure 33: Network diagram
Configuration procedure
Make sure the RADIUS server and the access device can reach each other.
Create a shared account for MAC authentication users on the RADIUS server, and set the username aaa and password 123456 for the account.
Configure the device:
# Configure a RADIUS scheme.
<Device> system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication abc
[Device-radius-2000] key accounting abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.
[Device] domain 2000
[Device-isp-2000] authentication default radius-scheme 2000
[Device-isp-2000] authorization default radius-scheme 2000
[Device-isp-2000] accounting default radius-scheme 2000
[Device-isp-2000] quit
# Enable MAC authentication globally.
[Device] mac-authentication
# Enable MAC authentication on port Ethernet 1/0/1.
[Device] mac-authentication interface ethernet 1/0/1
# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain 2000
# Set the MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180
# Specify username aaa and plaintext password 123456 for the account shared by MAC authentication users.
[Device] mac-authentication user-name-format fixed account aaa password simple 123456
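The procedure above configures only the access device. To show what the RADIUS server actually receives and why the shared key matters, the following added example (written for this page; it is not device code, not an H3C tool, and not captured traffic) builds the Access-Request the device would send for the host using the values from the page (fixed account aaa, password 123456, key abc, host MAC 00e0-fc12-3456), handles it on a minimal server, and checks the reply on the device side according to RFC 2865. The username arrives as aaa, not aaa@2000, because of user-name-format without-domain; the MAC is carried in Calling-Station-Id, and its exact formatting in that attribute is an assumption. The last function shows that one captured request/reply pair lets an attacker test guesses of a weak shared key offline, which is the reason "abc" should only ever appear in a lab.

```python
import hashlib
import hmac
import struct

# Constructed values mirroring the page's configuration; this is not captured traffic.
SHARED_SECRET = b"abc"          # 'key authentication abc' on the device
USERNAME = b"aaa"               # fixed account; sent as 'aaa' because of user-name-format without-domain
PASSWORD = b"123456"
CLIENT_MAC = b"00e0-fc12-3456"  # host MAC from the display output; Calling-Station-Id format is an assumption

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_CALLING_STATION_ID = 1, 2, 31


def encode_user_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_user_password(encoded, secret, request_auth):
    """Inverse of encode_user_password, as the RADIUS server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, request_auth, secret=SHARED_SECRET):
    """What the access device sends for the host: fixed username, obfuscated fixed password, host MAC."""
    attrs = (attr(ATTR_USER_NAME, USERNAME)
             + attr(ATTR_USER_PASSWORD, encode_user_password(PASSWORD, secret, request_auth))
             + attr(ATTR_CALLING_STATION_ID, CLIENT_MAC))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(body):
    attrs, i = {}, 0
    while i + 2 <= len(body):
        attr_type, length = body[i], body[i + 1]
        if length < 2:
            break
        attrs[attr_type] = body[i + 2:i + length]
        i += length
    return attrs


def server_handle(packet, secret, users):
    """RADIUS server side: decode the password, check the shared account, and answer with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username = attrs.get(ATTR_USER_NAME, b"")
    password = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, identifier, 20)   # no attributes in this reply
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_verify(response, request_auth, secret):
    """Access device side: accept the reply only if its authenticator matches our secret.
    Returns (authentic, code)."""
    code, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]), code


def guess_secret(response, request_auth, candidates):
    """Why 'abc' is a poor key: one captured request/reply pair lets an attacker
    test shared-secret guesses offline with the same check the device performs."""
    for candidate in candidates:
        if client_verify(response, request_auth, candidate)[0]:
            return candidate
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed; a real device uses a random Request Authenticator
    request = build_access_request(29, req_auth)
    reply = server_handle(request, SHARED_SECRET, {USERNAME: PASSWORD})
    print(client_verify(reply, req_auth, SHARED_SECRET))        # (True, 2): Access-Accept
    print(guess_secret(reply, req_auth, [b"secret", b"abc"]))   # b'abc'
```

Because every host authenticates with the same fixed account, the server can only tell hosts apart by the MAC it receives, so per-host policy on the server has to key on that attribute rather than on User-Name.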
Verifying the configuration
# Display MAC authentication settings and statistics.
<Device> display mac-authentication
MAC address authentication is enabled.
 User name format is fixed account
 Fixed username:aaa
 Fixed password: ******
 Offline detect period is 180s
 Quiet period is 180s.
 Server response timeout value is 100s
 The max allowed user number is 2048 per slot
 Current user number amounts to 1
 Current domain is 2000

Silent Mac User info:
 MAC ADDR          From Port          Port Index

Ethernet1/0/1 is link-up
 MAC address authentication is enabled
 Authenticate success: 1, failed: 0
 Max number of on-line users is 2048
 Current online user number is 1
 MAC ADDR          Authenticate state          Auth Index
 00e0-fc12-3456    MAC_AUTHENTICATOR_SUCCESS   29
# After a user passes MAC authentication, use the display connection command to display online user information. The username is displayed locally as aaa@2000; because the RADIUS scheme uses user-name-format without-domain, the RADIUS server itself receives only aaa.
<Device> display connection
Slot: 1
 Index=29 ,Username=aaa@2000
 IP=N/A
 IPv6=N/A
 MAC=00e0-fc12-3456

 Total 1 connection(s) matched on slot 1.
 Total 1 connection(s) matched.