Configuring the macAddressElseUserLoginSecure mode

Network requirements

As shown in Figure 64, a client is connected to the Device through Ethernet 1/0/1. The Device uses a RADIUS server to authenticate the client. If the authentication succeeds, the client is authorized to access the Internet.

Restrict port Ethernet 1/0/1 of the Device as follows:

  • Allow more than one user to be authenticated on the port, with at most 64 MAC addresses.

  • Authenticate each user by MAC authentication first. If MAC authentication fails, fall back to 802.1X authentication for that user.

  • Set the NTK mode to ntkonly, so that the port forwards only unicast frames destined for authenticated MAC addresses.

Configuration procedure

Configurations on the host and RADIUS servers are not shown.

  • Configure the RADIUS protocol:

    Configure the RADIUS authentication/accounting and ISP domain settings the same as in "Configuring the userLoginWithOUI mode."

  • Configure port security:

    # Enable port security.

    <Device> system-view
    [Device] port-security enable
    

    # Configure the device to use hyphenated, lowercase MAC addresses of users as the usernames and passwords for MAC authentication.

    [Device] mac-authentication user-name-format mac-address with-hyphen lowercase
    

    # Specify ISP domain sun for MAC authentication.

    [Device] mac-authentication domain sun
    

    # Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.)

    [Device] dot1x authentication-method chap
    

    # Enter interface view and set the maximum number of MAC addresses that port security allows on the port to 64.

    [Device] interface ethernet 1/0/1
    [Device-Ethernet1/0/1] port-security max-mac-count 64
    

    # Set the port security mode to macAddressElseUserLoginSecure.

    [Device-Ethernet1/0/1] port-security port-mode mac-else-userlogin-secure
    

    # Set the NTK mode of the port to ntkonly.

    [Device-Ethernet1/0/1] port-security ntk-mode ntkonly
    

Verifying the configuration

    # Display the port security configuration.

    <Device> display port-security interface ethernet 1/0/1
     Equipment port-security is enabled
     Trap is disabled
     Disableport Timeout: 20s
     OUI value:
    
     Ethernet1/0/1 is link-up
       Port mode is macAddressElseUserLoginSecure
       NeedToKnow mode is NeedToKnowOnly
       Intrusion Protection mode is NoAction
       Max MAC address number is 64
       Stored MAC address number is 0
       Authorization is permitted
       Security MAC address learning mode is sticky
       Security MAC address aging type is absolute  
    
    

    # Display MAC authentication information.

    <Device> display mac-authentication interface ethernet 1/0/1
    MAC address authentication is enabled.
    User name format is MAC address in lowercase, like xx-xx-xx-xx-xx-xx
     Fixed username: mac
     Fixed password: not configured
              Offline detect period is 60s
              Quiet period is 5s
              Server response timeout value is 100s
              The max allowed user number is 2048 per slot
              Current user number amounts to 3
              Current domain is sun
    
    Silent MAC User info:
              MAC Addr         From Port                    Port Index
    
    Ethernet1/0/1 is link-up
      MAC address authentication is enabled
      Authenticate success: 3, failed: 7
     Max number of on-line users is 2048
      Current online user number is 3
        MAC ADDR         Authenticate state           Auth Index
        1234-0300-0011   MAC_AUTHENTICATOR_SUCCESS     13
        1234-0300-0012   MAC_AUTHENTICATOR_SUCCESS     14
        1234-0300-0013   MAC_AUTHENTICATOR_SUCCESS     15
    
    

    # Display 802.1X authentication information.

    <Device> display dot1x interface ethernet 1/0/1
     Equipment 802.1X protocol is enabled
     CHAP authentication is enabled
     EAD quick deploy is disabled
    
     Configuration: Transmit Period   30 s,  Handshake Period       15 s
                    Quiet Period      60 s,  Quiet Period Timer is disabled
                    Supp Timeout      30 s,  Server Timeout        100 s
                    The maximal retransmitting times    2
     EAD quick deploy configuration:
                    EAD timeout:    30m
    
     Total maximum 802.1X user resource number is 2048 per slot
     Total current used 802.1X resource number is 1
    
    Ethernet1/0/1  is link-up
       802.1X protocol is enabled
       Handshake is enabled
       Handshake secure is disabled
       802.1X unicast-trigger is enabled
       Periodic reauthentication is disabled
       The port is an authenticator
       Authentication Mode is Auto
       Port Control Type is Mac-based
       802.1X Multicast-trigger is enabled
       Mandatory authentication domain: NOT configured
       Guest VLAN: NOT configured
       Auth-Fail VLAN: NOT configured
       Critical VLAN: NOT configured
       Critical recovery-action: NOT configured 
       Max number of on-line users is 2048
    
       EAPOL Packet: Tx 16331, Rx 102
       Sent EAP Request/Identity Packets : 16316
            EAP Request/Challenge Packets: 6
            EAP Success Packets: 4, Fail Packets: 5
       Received EAPOL Start Packets : 6
                EAPOL LogOff Packets: 2
                EAP Response/Identity Packets : 80
                EAP Response/Challenge Packets: 6
                Error Packets: 0
     1. Authenticated user : MAC address: 0002-0000-0011
    
       Controlled User(s) amount to 1
    

    Because the NTK mode of the port is ntkonly, the port forwards only unicast frames whose destination MAC address has been authenticated. Frames with unknown destination MAC addresses, multicast addresses, and broadcast addresses are discarded.
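Checking the display output by eye does not scale past a few ports. The following Python script is an added example and is not part of the H3C documentation or of Comware: it parses the `display port-security` output shown above (embedded as a constructed sample), fails the audit on any deviation from the settings the procedure configured (port mode, NTK mode, MAC limit, global enable), and derives from the `display mac-authentication` online-user table the `with-hyphen lowercase` usernames that the RADIUS server must hold for those clients. The field names and layout are assumed to be exactly those printed on this page; other Comware versions may format them differently.

```python
import re

# Constructed sample: the 'display port-security interface ethernet 1/0/1'
# output from the verification step above, embedded so the audit runs offline.
PORT_SECURITY_OUTPUT = """\
 Equipment port-security is enabled
 Trap is disabled
 Disableport Timeout: 20s
 OUI value:

 Ethernet1/0/1 is link-up
   Port mode is macAddressElseUserLoginSecure
   NeedToKnow mode is NeedToKnowOnly
   Intrusion Protection mode is NoAction
   Max MAC address number is 64
   Stored MAC address number is 0
   Authorization is permitted
   Security MAC address learning mode is sticky
   Security MAC address aging type is absolute
"""

# Constructed sample: the online-user table from 'display mac-authentication'.
MAC_AUTH_OUTPUT = """\
    MAC ADDR         Authenticate state           Auth Index
    1234-0300-0011   MAC_AUTHENTICATOR_SUCCESS     13
    1234-0300-0012   MAC_AUTHENTICATOR_SUCCESS     14
    1234-0300-0013   MAC_AUTHENTICATOR_SUCCESS     15
"""

# What the procedure above configured on the port; any deviation is a finding.
EXPECTED_PORT_SETTINGS = {
    "Port mode": "macAddressElseUserLoginSecure",
    "NeedToKnow mode": "NeedToKnowOnly",
    "Max MAC address number": "64",
}

_LINK_RE = re.compile(r"^\s*(\S+) is link-(up|down)\s*$")
_FIELD_RE = re.compile(r"^\s*(.+?) is (.+?)\s*$")
_USER_RE = re.compile(
    r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+\d+\s*$", re.I)


def parse_port_security(text):
    """Parse display port-security output into {"global": {...}, "<iface>": {...}}.

    Each "<name> is <value>" line is stored under the interface block it belongs
    to; lines before the first "<iface> is link-up/down" line go under "global".
    """
    result = {"global": {}}
    section = "global"
    for line in text.splitlines():
        link = _LINK_RE.match(line)
        if link:
            section = link.group(1)
            result[section] = {"Link": link.group(2)}
            continue
        field = _FIELD_RE.match(line)
        if field:
            result[section][field.group(1)] = field.group(2)
    return result


def audit_port(parsed, interface, expected):
    """Return a list of findings; an empty list means the port matches the intent."""
    findings = []
    if parsed["global"].get("Equipment port-security") != "enabled":
        findings.append("port security is not enabled globally")
    fields = parsed.get(interface)
    if fields is None:
        findings.append(f"{interface}: not present in output")
        return findings
    for name, want in expected.items():
        got = fields.get(name)
        if got != want:
            findings.append(f"{interface}: {name} is {got!r}, expected {want!r}")
    return findings


def mac_auth_username(mac):
    """Normalize a MAC address to the 'with-hyphen lowercase' user-name format.

    This is the username (and password) the RADIUS server must hold for a client
    once 'mac-authentication user-name-format mac-address with-hyphen lowercase'
    is configured. Accepts Comware (1234-0300-0011), colon, hyphen or bare forms.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def online_mac_users(text):
    """Return the MAC addresses listed as MAC_AUTHENTICATOR_SUCCESS in the table."""
    return [m.group(1) for m in map(_USER_RE.match, text.splitlines())
            if m and m.group(2) == "MAC_AUTHENTICATOR_SUCCESS"]


if __name__ == "__main__":
    parsed = parse_port_security(PORT_SECURITY_OUTPUT)
    findings = audit_port(parsed, "Ethernet1/0/1", EXPECTED_PORT_SETTINGS)
    for line in findings or ["Ethernet1/0/1 matches the intended configuration"]:
        print(line)
    for mac in online_mac_users(MAC_AUTH_OUTPUT):
        print(f"{mac} -> RADIUS username/password {mac_auth_username(mac)}")
```

Run it against output saved from a device session in place of the embedded samples. The verification output above shows `Intrusion Protection mode is NoAction`, that is, no intrusion protection action is configured in this example; if your policy requires one, add `"Intrusion Protection mode"` with the required value to `EXPECTED_PORT_SETTINGS` so the audit flags the default.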