Configuring the userLoginWithOUI mode

Network requirements

As shown in Figure 64, a client is connected to the Device through port Ethernet 1/0/1. The Device authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.

Configure port Ethernet 1/0/1 of the Device to:

Figure 64: Network diagram

Configuration procedure

Configurations on the host and RADIUS servers are not shown. The following configuration steps include some AAA/RADIUS configuration commands. For more information about these commands, see Security Command Reference.

  • Configure the RADIUS protocol:

    # Configure a RADIUS scheme named radsun.

    <Device> system-view
    [Device] radius scheme radsun
    [Device-radius-radsun] primary authentication 192.168.1.2
    [Device-radius-radsun] primary accounting 192.168.1.3
    [Device-radius-radsun] secondary authentication 192.168.1.3
    [Device-radius-radsun] secondary accounting 192.168.1.2
    [Device-radius-radsun] key authentication name
    [Device-radius-radsun] key accounting money
    [Device-radius-radsun] timer response-timeout 5
    [Device-radius-radsun] retry 5
    [Device-radius-radsun] timer realtime-accounting 15
    [Device-radius-radsun] user-name-format without-domain
    [Device-radius-radsun] quit
    

    # Configure ISP domain sun to use RADIUS scheme radsun for authentication, authorization, and accounting of all types of users. Specify that the ISP domain can contain up to 30 users.

    [Device] domain sun
    [Device-isp-sun] authentication default radius-scheme radsun
    [Device-isp-sun] authorization default radius-scheme radsun
    [Device-isp-sun] accounting default radius-scheme radsun
    [Device-isp-sun] access-limit enable 30
    [Device-isp-sun] quit 
    
  • Configure 802.1X:

    # Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.)

    [Device] dot1x authentication-method chap
    
  • Configure port security:

    # Enable port security.

    [Device] port-security enable
    

    # Add five OUI values.

    [Device] port-security oui 1234-0100-1111 index 1
    [Device] port-security oui 1234-0200-1111 index 2
    [Device] port-security oui 1234-0300-1111 index 3
    [Device] port-security oui 1234-0400-1111 index 4
    [Device] port-security oui 1234-0500-1111 index 5
    [Device] interface ethernet 1/0/1
    

    # Set the port security mode to userLoginWithOUI.

    [Device-Ethernet1/0/1] port-security port-mode userlogin-withoui
    

Verifying the configuration

    # Display the RADIUS scheme radsun.

    <Device> display radius scheme radsun
    SchemeName  : radsun
      Index : 1                            Type : standard
      Primary Auth Server:
        IP: 192.168.1.2                              Port: 1812   State: active
        Encryption Key : N/A
        VPN instance   : N/A
        Probe username : N/A
        Probe interval : N/A
      Primary Acct Server:
        IP: 192.168.1.3                              Port: 1813   State: active
        Encryption Key : N/A
        VPN instance   : N/A 
      Second Auth Server:
        IP: 192.168.1.3                              Port: 1812   State: active
        Encryption Key : N/A
        VPN instance   : N/A 
        Probe username : N/A
        Probe interval : N/A
      Second Acct Server:
        IP: 192.168.1.2                              Port: 1813   State: active
        Encryption Key : N/A
        VPN instance   : N/A 
      Auth Server Encryption Key : ******
      Acct Server Encryption Key : ******
      Accounting-On packet disable, send times : 5 , interval : 3s
      Interval for timeout(second)                            : 5
      Retransmission times for timeout                        : 5
      Interval for realtime accounting(minute)                : 15
      Retransmission times of realtime-accounting packet      : 5
      Retransmission times of stop-accounting packet          : 500
      Quiet-interval(min)                                     : 5
      Username format                                         : without-domain
      Data flow unit                                          : Byte
      Packet unit                                             : one
    

    # Display the configuration of the ISP domain sun.

    <Device> display domain sun
       Domain : sun
       State : Active
       Access-limit : 30
       Accounting method : Required
       Default authentication scheme      : radius:radsun
       Default authorization scheme       : radius:radsun
       Default accounting scheme          : radius:radsun
       Domain User Template:
       Idle-cut : Disabled
       Self-service : Disabled
       Authorization attributes:
    

    # Display the port security configuration.

    <Device> display port-security interface ethernet 1/0/1
     Equipment port-security is enabled
     Trap is disabled
     Disableport Timeout: 20s
     OUI value:
       Index is 1,  OUI value is 123401
       Index is 2,  OUI value is 123402
       Index is 3,  OUI value is 123403
       Index is 4,  OUI value is 123404
       Index is 5,  OUI value is 123405
    
     Ethernet1/0/1 is link-up
       Port mode is userLoginWithOUI
       NeedToKnow mode is disabled
       Intrusion Protection mode is NoAction
       Max MAC address number is not configured
       Stored MAC address number is 0
       Authorization is permitted
       Security MAC address learning mode is sticky
       Security MAC address aging type is absolute  
    

After an 802.1X user gets online, you can see that the number of secure MAC addresses stored is 1.

    # Display 802.1X information.

    <Device> display dot1x interface ethernet 1/0/1
     Equipment 802.1X protocol is enabled
     CHAP authentication is enabled
     EAD quick deploy is disabled
    
      Configuration: Transmit Period   30 s,  Handshake Period       15 s
                      Quiet Period      60 s,  Quiet Period Timer is disabled
                      Supp Timeout      30 s,  Server Timeout        100 s
                      Reauth Period   3600 s
                      The maximal retransmitting times    2
      EAD quick deploy configuration:
                    EAD timeout:    30m
    
     The maximum 802.1X user resource number is 2048 per slot
     Total current used 802.1X resource number is 1
    
     Ethernet1/0/1  is link-up
       802.1X protocol is enabled
       Handshake is enabled
       Handshake secure is disabled
       802.1X unicast-trigger is enabled
       Periodic reauthentication is disabled
       The port is an authenticator
       Authentication Mode is Auto
       Port Control Type is Mac-based
       802.1X Multicast-trigger is enabled
       Mandatory authentication domain: NOT configured
       Guest VLAN: NOT configured
       Auth-Fail VLAN: NOT configured
       Critical VLAN: NOT configured
       Critical recovery-action: NOT configured  
       Max number of on-line users is 2048
    
       EAPOL Packet: Tx 16331, Rx 102
       Sent EAP Request/Identity Packets : 16316
            EAP Request/Challenge Packets: 6
            EAP Success Packets: 4, Fail Packets: 5
       Received EAPOL Start Packets : 6
                EAPOL LogOff Packets: 2
                EAP Response/Identity Packets : 80
                EAP Response/Challenge Packets: 6
                Error Packets: 0
     1. Authenticated user : MAC address: 0002-0000-0011
    
       Controlled User(s) amount to 1
    

In addition to the 802.1X user, the port allows one more user to access the port if the OUI of that user's MAC address matches one of the configured OUI values.

    # Display MAC address information for interface Ethernet 1/0/1.

    <Device> display mac-address interface ethernet 1/0/1
    MAC ADDR        VLAN ID   STATE          PORT INDEX          AGING TIME(s)
    1234-0300-0011  1         Learned        Ethernet1/0/1       AGING
    
      ---  1 mac address(es) found  ---
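The following script is an added example (not part of the original configuration guide) that checks the verification output above programmatically: it parses the OUI table and port mode from the `display port-security interface` output, then determines whether a learned MAC address would be admitted by its OUI. The sample output is a constructed excerpt of the display shown above; the Comware command output format is assumed to match it. Note that an OUI match is only a 24-bit prefix check on the MAC address, not an authentication of the host, so the OUI user should be treated as a lower-assurance admission than the 802.1X user.

```python
import re
from typing import Dict, Optional

# Constructed excerpt of the "display port-security interface ethernet 1/0/1"
# output shown above, embedded so the script runs offline.
PORT_SECURITY_OUTPUT = """\
 Equipment port-security is enabled
 OUI value:
   Index is 1,  OUI value is 123401
   Index is 2,  OUI value is 123402
   Index is 3,  OUI value is 123403
   Index is 4,  OUI value is 123404
   Index is 5,  OUI value is 123405

 Ethernet1/0/1 is link-up
   Port mode is userLoginWithOUI
"""


def parse_oui_table(output: str) -> Dict[int, str]:
    """Return {index: oui} from the 'OUI value:' block.

    The device prints each OUI as six hex digits, i.e. the first 24 bits of
    the MAC configured with 'port-security oui' (1234-0100-1111 -> 123401).
    """
    pattern = r"Index is (\d+),\s+OUI value is ([0-9A-Fa-f]{6})"
    return {int(idx): oui.lower() for idx, oui in re.findall(pattern, output)}


def parse_port_mode(output: str) -> Optional[str]:
    """Return the configured port security mode, or None if not present."""
    match = re.search(r"Port mode is (\S+)", output)
    return match.group(1) if match else None


def mac_oui(mac: str) -> str:
    """Normalise a MAC in Comware (xxxx-xxxx-xxxx) or colon form; return its OUI."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits[:6]


def admitted_by_oui(mac: str, ouis: Dict[int, str]) -> Optional[int]:
    """Return the index of the matching OUI, or None if the MAC is not OUI-admitted.

    This mirrors the userLoginWithOUI check: a pure prefix comparison, so it
    confirms the vendor prefix only, not the identity of the host.
    """
    prefix = mac_oui(mac)
    for index, oui in ouis.items():
        if oui == prefix:
            return index
    return None
```

For the MAC learned in the output above, `admitted_by_oui("1234-0300-0011", ...)` returns 3, while the 802.1X user 0002-0000-0011 returns None because it is admitted by authentication rather than by OUI.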