Configuring the userLoginWithOUI mode
Network requirements
As shown in Figure 64, a client is connected to the Device through port Ethernet 1/0/1. The Device authenticates the client with a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
The RADIUS server at 192.168.1.2 functions as the primary authentication server and the secondary accounting server, and the RADIUS server at 192.168.1.3 functions as the secondary authentication server and the primary accounting server. The shared key for authentication is name, and that for accounting is money.
All users use the default authentication, authorization, and accounting methods of ISP domain sun, which can accommodate up to 30 users.
The RADIUS server response timeout time is five seconds and the maximum number of RADIUS packet retransmission attempts is five. The Device sends real-time accounting packets to the RADIUS server at an interval of 15 minutes, and sends usernames without domain names to the RADIUS server.
Configure port Ethernet 1/0/1 of the Device to:
Allow only one 802.1X user to be authenticated.
Allow up to 16 OUI values to be configured and allow one terminal that uses any of the OUI values to access the port in addition to an 802.1X user.
Figure 64: Network diagram
Configuration procedure
Configurations on the host and RADIUS servers are not shown. The following configuration steps cover some AAA/RADIUS configuration commands. For more information about the commands, see Security Command Reference.
Configure the RADIUS protocol:
# Configure a RADIUS scheme named radsun.
<Device> system-view
[Device] radius scheme radsun
[Device-radius-radsun] primary authentication 192.168.1.2
[Device-radius-radsun] primary accounting 192.168.1.3
[Device-radius-radsun] secondary authentication 192.168.1.3
[Device-radius-radsun] secondary accounting 192.168.1.2
[Device-radius-radsun] key authentication name
[Device-radius-radsun] key accounting money
[Device-radius-radsun] timer response-timeout 5
[Device-radius-radsun] retry 5
[Device-radius-radsun] timer realtime-accounting 15
[Device-radius-radsun] user-name-format without-domain
[Device-radius-radsun] quit
# Configure ISP domain sun to use RADIUS scheme radsun for authentication, authorization, and accounting of all types of users. Specify that the ISP domain can contain up to 30 users.
[Device] domain sun
[Device-isp-sun] authentication default radius-scheme radsun
[Device-isp-sun] authorization default radius-scheme radsun
[Device-isp-sun] accounting default radius-scheme radsun
[Device-isp-sun] access-limit enable 30
[Device-isp-sun] quit
Configure 802.1X:
# Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.)
[Device] dot1x authentication-method chap
Configure port security:
# Enable port security.
[Device] port-security enable
# Add five OUI values.
[Device] port-security oui 1234-0100-1111 index 1
[Device] port-security oui 1234-0200-1111 index 2
[Device] port-security oui 1234-0300-1111 index 3
[Device] port-security oui 1234-0400-1111 index 4
[Device] port-security oui 1234-0500-1111 index 5
# Set the port security mode of Ethernet 1/0/1 to userLoginWithOUI.
[Device] interface ethernet 1/0/1
[Device-Ethernet1/0/1] port-security port-mode userlogin-withoui
Verifying the configuration
# Display the RADIUS scheme radsun.
<Device> display radius scheme radsun
SchemeName : radsun
Index : 1
Type : standard
Primary Auth Server:
  IP: 192.168.1.2   Port: 1812   State: active
  Encryption Key : N/A
  VPN instance : N/A
  Probe username : N/A
  Probe interval : N/A
Primary Acct Server:
  IP: 192.168.1.3   Port: 1813   State: active
  Encryption Key : N/A
  VPN instance : N/A
Second Auth Server:
  IP: 192.168.1.3   Port: 1812   State: active
  Encryption Key : N/A
  VPN instance : N/A
  Probe username : N/A
  Probe interval : N/A
Second Acct Server:
  IP: 192.168.1.2   Port: 1813   State: active
  Encryption Key : N/A
  VPN instance : N/A
Auth Server Encryption Key : ******
Acct Server Encryption Key : ******
Accounting-On packet disable, send times : 5 , interval : 3s
Interval for timeout(second) : 5
Retransmission times for timeout : 5
Interval for realtime accounting(minute) : 15
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet : 500
Quiet-interval(min) : 5
Username format : without-domain
Data flow unit : Byte
Packet unit : one
# Display the configuration of the ISP domain sun.
<Device> display domain sun
Domain : sun
State : Active
Access-limit : 30
Accounting method : Required
Default authentication scheme : radius:radsun
Default authorization scheme : radius:radsun
Default accounting scheme : radius:radsun
Domain User Template:
  Idle-cut : Disabled
  Self-service : Disabled
  Authorization attributes:
# Display the port security configuration.
<Device> display port-security interface ethernet 1/0/1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
  Index is 1, OUI value is 123401
  Index is 2, OUI value is 123402
  Index is 3, OUI value is 123403
  Index is 4, OUI value is 123404
  Index is 5, OUI value is 123405
Ethernet1/0/1 is link-up
  Port mode is userLoginWithOUI
  NeedToKnow mode is disabled
  Intrusion Protection mode is NoAction
  Max MAC address number is not configured
  Stored MAC address number is 0
  Authorization is permitted
  Security MAC address learning mode is sticky
  Security MAC address aging type is absolute
After an 802.1X user comes online, the displayed number of stored secure MAC addresses becomes 1.
# Display 802.1X information.
<Device> display dot1x interface ethernet 1/0/1
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
EAD quick deploy is disabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
               Quiet Period 60 s, Quiet Period Timer is disabled
               Supp Timeout 30 s, Server Timeout 100 s
               Reauth Period 3600 s
               The maximal retransmitting times 2
EAD quick deploy configuration:
               EAD timeout: 30m
The maximum 802.1X user resource number is 2048 per slot
Total current used 802.1X resource number is 1
Ethernet1/0/1 is link-up
  802.1X protocol is enabled
  Handshake is enabled
  Handshake secure is disabled
  802.1X unicast-trigger is enabled
  Periodic reauthentication is disabled
  The port is an authenticator
  Authentication Mode is Auto
  Port Control Type is Mac-based
  802.1X Multicast-trigger is enabled
  Mandatory authentication domain: NOT configured
  Guest VLAN: NOT configured
  Auth-Fail VLAN: NOT configured
  Critical VLAN: NOT configured
  Critical recovery-action: NOT configured
  Max number of on-line users is 2048
  EAPOL Packet: Tx 16331, Rx 102
  Sent EAP Request/Identity Packets : 16316
       EAP Request/Challenge Packets: 6
       EAP Success Packets: 4, Fail Packets: 5
  Received EAPOL Start Packets : 6
           EAPOL LogOff Packets: 2
           EAP Response/Identity Packets : 80
           EAP Response/Challenge Packets: 6
           Error Packets: 0
  1. Authenticated user : MAC address: 0002-0000-0011
  Controlled User(s) amount to 1
In addition to the 802.1X user, the port allows one terminal whose MAC address OUI matches one of the configured OUI values to access the port.
# Display MAC address information for interface Ethernet 1/0/1.
<Device> display mac-address interface ethernet 1/0/1
MAC ADDR         VLAN ID   STATE      PORT INDEX       AGING TIME(s)
1234-0300-0011   1         Learned    Ethernet1/0/1    AGING
--- 1 mac address(es) found ---
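To check that a userLoginWithOUI port holds only what the mode permits (one 802.1X-authenticated MAC plus at most one MAC whose OUI matches a configured value), the following added script parses the two display outputs above and classifies every learned MAC. It is not part of the original guide or any vendor tool; the display text and the MAC addresses it works on are constructed samples in the device's output format, and the 802.1X user's MAC is passed in as an assumption taken from the dot1x display.

```python
import re

# Constructed sample of 'display port-security' output (not captured from a device).
PORT_SEC_OUTPUT = """\
OUI value:
  Index is 1, OUI value is 123401
  Index is 2, OUI value is 123402
  Index is 3, OUI value is 123403
  Index is 4, OUI value is 123404
  Index is 5, OUI value is 123405
Ethernet1/0/1 is link-up
  Port mode is userLoginWithOUI
"""

# Constructed sample of 'display mac-address' output with one extra, unexpected MAC.
MAC_TABLE_OUTPUT = """\
MAC ADDR         VLAN ID   STATE      PORT INDEX       AGING TIME(s)
1234-0300-0011   1         Learned    Ethernet1/0/1    AGING
0002-0000-0011   1         Learned    Ethernet1/0/1    AGING
00aa-bbcc-dd01   1         Learned    Ethernet1/0/1    AGING
--- 3 mac address(es) found ---
"""

OUI_RE = re.compile(r"Index is \d+, OUI value is ([0-9a-fA-F]{6})")
MAC_RE = re.compile(r"^([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s", re.M)

def oui_of(mac):
    """Return the 24-bit OUI of a hhhh-hhhh-hhhh MAC as six lowercase hex digits."""
    return mac.replace("-", "").lower()[:6]

def configured_ouis(port_sec_text):
    """Set of OUI values listed in the port-security display."""
    return {m.lower() for m in OUI_RE.findall(port_sec_text)}

def learned_macs(mac_table_text):
    """MAC addresses in the MAC table display, in order."""
    return [m.lower() for m in MAC_RE.findall(mac_table_text)]

def audit_port(port_sec_text, mac_table_text, dot1x_macs):
    """Classify learned MACs: the 802.1X user, the single OUI-matching terminal
    the mode permits, and anything beyond that (a second OUI match included)."""
    ouis = configured_ouis(port_sec_text)
    allowed = {m.lower() for m in dot1x_macs}  # assumed from the dot1x display
    result = {"dot1x": [], "oui": [], "unexpected": []}
    for mac in learned_macs(mac_table_text):
        if mac in allowed:
            result["dot1x"].append(mac)
        elif oui_of(mac) in ouis and not result["oui"]:
            result["oui"].append(mac)
        else:
            result["unexpected"].append(mac)
    return result
```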