RADIUS-based MAC authentication configuration example

Network requirements

As shown in Figure 34, a host connects to port GigabitEthernet 1/0/1 on the access device. The device uses RADIUS servers for authentication, authorization, and accounting.

Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure:

Figure 34: Network diagram

Configuration procedure

  • Make sure the RADIUS server and the access device can reach each other. (Details not shown.)

  • Configure the RADIUS server:

    # Create a shared account for MAC authentication users. (Details not shown.)

    # Set the username aaa and password 123456 for the account. (Details not shown.)

  • Configure the device:

    # Configure a RADIUS scheme.

    <Device> system-view
    [Device] radius scheme 2000
    [Device-radius-2000] primary authentication 10.1.1.1 1812
    [Device-radius-2000] primary accounting 10.1.1.2 1813
    [Device-radius-2000] key authentication abc
    [Device-radius-2000] key accounting abc
    [Device-radius-2000] user-name-format without-domain
    [Device-radius-2000] quit
    

    # Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.

    [Device] domain 2000
    [Device-isp-2000] authentication default radius-scheme 2000
    [Device-isp-2000] authorization default radius-scheme 2000
    [Device-isp-2000] accounting default radius-scheme 2000
    [Device-isp-2000] quit
    

    # Enable MAC authentication globally.

    [Device] mac-authentication
    

    # Enable MAC authentication on port GigabitEthernet 1/0/1.

    [Device] mac-authentication interface gigabitethernet 1/0/1
    

    # Specify the ISP domain for MAC authentication.

    [Device] mac-authentication domain 2000
    

    # Set the MAC authentication timers.

    [Device] mac-authentication timer offline-detect 180
    [Device] mac-authentication timer quiet 180
    

    # Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users.

    [Device] mac-authentication user-name-format fixed account aaa password simple 123456
    

Verifying the configuration

    # Display MAC authentication settings and statistics.

    <Device> display mac-authentication
    MAC address authentication is enabled.
    User name format is fixed account
     Fixed username:aaa
     Fixed password:******
              Offline detect period is 180s
              Quiet period is 180s.
              Server response timeout value is 100s
              The max allowed user number is 2048 per slot
              Current user number amounts to 1
              Current domain is 2000
    Silent Mac User info:
             MAC ADDR               From Port           Port Index
    Gigabitethernet1/0/1 is link-up
      MAC address authentication is enabled
      Authenticate success: 1, failed: 0
     Max number of on-line users is 2048
      Current online user number is 1
        MAC ADDR         Authenticate state           Auth Index
        00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS     29
    

    # After a user passes MAC authentication, use the display connection command to display online user information.

    <Device> display connection
    Slot:  1
    Index=29  ,Username=aaa@2000
     IP=N/A
     IPv6=N/A
     MAC=00e0-fc12-3456
    
     Total 1 connection(s) matched on slot 1.
     Total 1 connection(s) matched..
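The verification step above is one an operator repeats after every change. The Python script below is an added example, not part of this configuration guide or the device vendor's tooling: it parses the `display mac-authentication` output (embedded as a constructed sample copied from the listing shown above) and reports any deviation from the intended domain and timers, and any online user whose state is not MAC_AUTHENTICATOR_SUCCESS. The line layout, the MAC-row pattern and the function names are assumptions based on this page's output only.

```python
import re

# Constructed sample input: the "display mac-authentication" output quoted on this
# page, reduced to the lines the parser consumes.
SAMPLE_OUTPUT = """\
MAC address authentication is enabled.
          Offline detect period is 180s
          Quiet period is 180s.
          Current domain is 2000
Gigabitethernet1/0/1 is link-up
  MAC address authentication is enabled
    MAC ADDR         Authenticate state           Auth Index
    00e0-fc12-3456   MAC_AUTHENTICATOR_SUCCESS     29
"""
# One online-user row: dotted MAC notation, authentication state, auth index (assumed layout).
USER_ROW = re.compile(r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\d+)\s*$", re.I)

def parse_mac_auth(text):
    """Pull global settings and per-port online users out of the display output."""
    info = {"enabled": False, "domain": None, "offline_detect": None, "quiet": None, "ports": {}}
    port = None  # None while still in the global section
    for line in text.splitlines():
        s, m = line.strip(), USER_ROW.match(line)
        if port is None and s.startswith("MAC address authentication is enabled"):
            info["enabled"] = True
        elif s.startswith("Current domain is"):
            info["domain"] = s.split()[-1]
        elif s.startswith(("Offline detect period is", "Quiet period is")):
            key = "offline_detect" if s.startswith("Offline") else "quiet"
            info[key] = int(s.split()[-1].rstrip("s."))  # "180s" / "180s." -> 180
        elif " is link-" in s:  # "<port> is link-up/link-down" opens a port section
            port = s.split()[0]
            info["ports"][port] = []
        elif port is not None and m:
            info["ports"][port].append({"mac": m[1].lower(), "state": m[2], "index": int(m[3])})
    return info

def audit(info, domain, offline_detect, quiet):
    """List deviations from the intended settings and any online user not in a success state."""
    findings = []
    wanted = (("enabled", True), ("domain", domain), ("offline_detect", offline_detect), ("quiet", quiet))
    for key, want in wanted:
        if info[key] != want:
            findings.append(f"{key} is {info[key]}, expected {want}")
    for port, users in info["ports"].items():
        for u in users:
            if u["state"] != "MAC_AUTHENTICATOR_SUCCESS":
                findings.append(f"{port}: {u['mac']} in state {u['state']}")
    return findings
```

Feed it the saved output of the command on a real device; an empty list from `audit` means the settings match the procedure above and every listed MAC is authenticated.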