[x]

MAC authentication configuration examples > ACL assignment configuration example

 

 Next

ACL assignment configuration example

Network requirements

As shown in Figure 34, a host connects to the device's port Ethernet 1/0/1, and the device uses RADIUS servers to perform authentication, authorization, and accounting.

Perform MAC authentication on port Ethernet 1/0/1 to control Internet access. Make sure that an authenticated user can access the Internet but the FTP server at 10.0.0.1.

Use MAC-based user accounts for MAC authentication users. The MAC addresses are hyphen separated and in lower case.

Figure 34: Network diagram

Configuration procedure

  • Make sure the RADIUS server and the access device can reach each other.

  • Configure the ACL assignment:

    • # Configure ACL 3000 to deny packets destined for 10.0.0.1.

    <Sysname> system-view
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Sysname-acl-adv-3000] quit

  • Configure RADIUS-based MAC authentication on the device:

    • # Configure a RADIUS scheme.

    [Sysname] radius scheme 2000
[Sysname-radius-2000] primary authentication 10.1.1.1 1812
[Sysname-radius-2000] primary accounting 10.1.1.2 1813
[Sysname-radius-2000] key authentication simple abc
[Sysname-radius-2000] key accounting simple abc
[Sysname-radius-2000] user-name-format without-domain
[Sysname-radius-2000] quit

    # Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.

    [Sysname] domain 2000
[Sysname-isp-2000] authentication default radius-scheme 2000
[Sysname-isp-2000] authorization default radius-scheme 2000
[Sysname-isp-2000] accounting default radius-scheme 2000
[Sysname-isp-2000] quit

    # Enable MAC authentication globally. 

    [Sysname] mac-authentication

    # Specify the ISP domain for MAC authentication.

    [Sysname] mac-authentication domain 2000

    # Configure the device to use MAC-based user accounts, and the MAC addresses are hyphen separated and in lowercase.

    [Sysname] mac-authentication user-name-format mac-address with-hyphen lowercase

    # Enable MAC authentication for port Ethernet 1/0/1.

    [Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] mac-authentication

  • Configure the RADIUS servers:

    • # Add a user account with 00-e0-fc-12-34-56 as both the username and password on the RADIUS server, and specify ACL 3000 as the authorization ACL for the user account. (Details not shown.)

    Verifying the configuration

    After the host passes authentication, perform the display connection command on the device to view online user information.

    [Sysname-Ethernet1/0/1] display connection
Slot:  1
Index=9   , Username=00-e0-fc-12-34-56@2000
 IP=N/A
 IPv6=N/A
 MAC=00e0-fc12-3456
 
 Total 1 connection(s) matched on slot 1.
 Total 1 connection(s) matched.

    Ping the FTP server from the host to verify that the ACL 3000 has been assigned to port Ethernet 1/0/1 to deny access to the FTP server.

    C:\>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    prev

     

    up

     next

    RADIUS-based MAC authentication configuration example 

    home

     Configuring portal authentication

    © Copyright 2016 Hewlett Packard Enterprise Development LP