ACL assignment configuration example

Network requirements

As shown in Figure 35, a host connects to the device's port GigabitEthernet 1/0/1, and the device uses RADIUS servers to perform authentication, authorization, and accounting.

Perform MAC authentication on port GigabitEthernet 1/0/1 to control Internet access. Make sure an authenticated user can access the Internet but not the FTP server at 10.0.0.1.

Use MAC-based user accounts for MAC authentication users. The MAC addresses are separated by hyphens and in lower case.

Figure 35: Network diagram

Configuration procedure

  • Make sure the RADIUS server and the access device can reach each other. (Details not shown.)

  • Configure ACL 3000 to deny packets destined for 10.0.0.1. The wildcard mask 0 matches that single host; traffic that matches no rule in the ACL is not denied, which is what keeps the authenticated user's Internet access working.

    <Sysname> system-view
    [Sysname] acl number 3000
    [Sysname-acl-adv-3000] rule 0 deny ip destination 10.0.0.1 0
    [Sysname-acl-adv-3000] quit
    
  • Configure RADIUS-based MAC authentication on the device:

    # Configure a RADIUS scheme. The shared key abc is a placeholder for this example; on a production device use a long random secret and configure the same secret on the RADIUS servers. The without-domain keyword makes the device strip the @2000 suffix before sending the username, so the account name on the RADIUS server is just the MAC address.

    [Sysname] radius scheme 2000
    [Sysname-radius-2000] primary authentication 10.1.1.1 1812
    [Sysname-radius-2000] primary accounting 10.1.1.2 1813
    [Sysname-radius-2000] key authentication simple abc
    [Sysname-radius-2000] key accounting simple abc
    [Sysname-radius-2000] user-name-format without-domain
    [Sysname-radius-2000] quit
    

    # Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.

    [Sysname] domain 2000
    [Sysname-isp-2000] authentication default radius-scheme 2000
    [Sysname-isp-2000] authorization default radius-scheme 2000
    [Sysname-isp-2000] accounting default radius-scheme 2000
    [Sysname-isp-2000] quit
    

    # Enable MAC authentication globally.

    [Sysname] mac-authentication
    

    # Specify the ISP domain for MAC authentication.

    [Sysname] mac-authentication domain 2000
    

    # Configure the device to use MAC-based user accounts. The MAC addresses are separated by hyphens and in lower case.

    [Sysname] mac-authentication user-name-format mac-address with-hyphen lowercase
    

    # Enable MAC authentication for port GigabitEthernet 1/0/1.

    [Sysname] interface gigabitethernet 1/0/1
    [Sysname-GigabitEthernet1/0/1] mac-authentication
    
  • Configure the RADIUS servers:

    # Add a user account with 00-e0-fc-12-34-56 as both the username and password. (Details not shown.)

    # Specify ACL 3000 as the authorization ACL for the user account. (Details not shown.)
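The RADIUS server side is left as "Details not shown" above, and it is where MAC-based authentication most often fails silently: the account name must match, byte for byte, the string the device builds from the MAC address (hyphens and case as selected by mac-authentication user-name-format, domain stripped by user-name-format without-domain). The following script is an added example, not code from this guide or from H3C/HPE. It generates server accounts from an inventory of MAC addresses in whatever notation the asset database used, attaches the authorization ACL, and checks a MAC as printed by display connection against an account name. It assumes the ACL number is returned in the standard RADIUS Filter-Id attribute and uses FreeRADIUS users-file syntax as one concrete server format; both are assumptions, so adapt radius_users_entry() to your server. Keep in mind that such an account proves only possession of a MAC address: any host that spoofs 00-e0-fc-12-34-56 receives the same ACL.

```python
"""Generate RADIUS accounts for Comware MAC-based authentication users.

Added example, not from the configuration guide or from H3C/HPE. Assumptions:
  * the device sends the MAC address as both username and password in the
    form selected by 'mac-authentication user-name-format mac-address';
  * the authorization ACL number is carried in the RADIUS Filter-Id attribute;
  * the server is FreeRADIUS, so output uses its 'users' file syntax.
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_mac(raw: str) -> bool:
    """True if raw is a MAC address in any of the common notations."""
    digits = "".join(ch for ch in raw if ch not in ":-.")
    return len(digits) == 12 and all(ch in HEX_DIGITS for ch in digits)


def normalize_mac(raw: str) -> str:
    """Return the 12 hex digits of a MAC address, lowercase, no separators.

    Accepts 00:e0:fc:12:34:56, 00-e0-fc-12-34-56, 00e0.fc12.3456 and the
    Comware display form 00e0-fc12-3456. Rejects anything else so that a
    typo in the inventory cannot silently create an account nobody can use.
    """
    if not is_mac(raw):
        raise ValueError(f"not a MAC address: {raw!r}")
    return "".join(ch for ch in raw if ch not in ":-.").lower()


def mac_username(raw: str, with_hyphen: bool = True, lowercase: bool = True) -> str:
    """Username (and password) the device sends for this station.

    The flags mirror the command keywords 'with-hyphen | without-hyphen'
    and 'lowercase | uppercase'; the guide's example is with-hyphen lowercase.
    """
    digits = normalize_mac(raw)
    if not lowercase:
        digits = digits.upper()
    if with_hyphen:
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits


def radius_users_entry(raw_mac: str, acl_number: int,
                       with_hyphen: bool = True, lowercase: bool = True) -> str:
    """One FreeRADIUS 'users' entry: MAC as name and password, ACL in Filter-Id."""
    name = mac_username(raw_mac, with_hyphen, lowercase)
    return (f'{name}\tCleartext-Password := "{name}"\n'
            f'\tFilter-Id = "{acl_number}"\n')


def same_station(display_mac: str, account_name: str) -> bool:
    """Match a MAC from 'display connection' output against an account name.

    The device prints 00e0-fc12-3456 while the account is 00-e0-fc-12-34-56,
    so compare the normalized forms rather than the raw strings.
    """
    return normalize_mac(display_mac) == normalize_mac(account_name)


if __name__ == "__main__":
    # Constructed inventory: one permitted host per line, in whatever
    # notation the asset database happened to use.
    inventory = ["00:E0:FC:12:34:56", "00e0.fc12.3457"]
    for mac in inventory:
        print(radius_users_entry(mac, 3000), end="")
    # The host in the guide's verification output maps to the first account.
    print(same_station("00e0-fc12-3456", mac_username(inventory[0])))
```

Run the script to print the two users-file entries; the first one is the account the procedure above describes (00-e0-fc-12-34-56 as both username and password, ACL 3000 as the authorization ACL). If you change the user-name-format keywords on the device, regenerate the entries with the matching flags rather than editing the server by hand.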

Verifying the configuration

# After the host passes authentication, use the display connection command on the device to display online user information.

    [Sysname-GigabitEthernet1/0/1] display connection
    Slot:  1
    Index=29  ,Username=aaa@2000
     IP=N/A
     IPv6=N/A
     MAC=00e0-fc12-3456
    
     Total 1 connection(s) matched on slot 1.
     Total 1 connection(s) matched.
    

# Ping the FTP server from the host. The output shows that ACL 3000 has been assigned to port GigabitEthernet 1/0/1 and denies the host's access to the FTP server. To confirm the other half of the requirement, also check that the host can still reach a destination other than 10.0.0.1.

    C:\>ping 10.0.0.1
    
    Pinging 10.0.0.1 with 32 bytes of data:
    
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 10.0.0.1:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),