Configuring the macAddressElseUserLoginSecure mode

Network requirements

As shown in Figure 71, a client is connected to the device through GigabitEthernet 1/0/1. The device authenticates the client by a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.

Restrict port GigabitEthernet 1/0/1 of the device as follows:

Configuration procedure

Configuration procedures for the host and RADIUS servers are not shown.

Configuration on the device:

  • Configure the RADIUS protocol:

    Configure the RADIUS authentication/accounting and ISP domain settings the same as in Configuring the userLoginWithOUI mode.

  • Configure port security:

    # Enable port security.

    <Device> system-view
    [Device] port-security enable
    

    # Configure a MAC authentication user, setting the username and password to aaa and 123456.

    [Device] mac-authentication user-name-format fixed account aaa password simple 123456
    

    # Specify ISP domain sun for MAC authentication.

    [Device] mac-authentication domain sun
    

    # Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.)

    [Device] dot1x authentication-method chap
    

    # Enter the view of GigabitEthernet 1/0/1 and set port security's limit on the number of MAC addresses to 64 on the port.

    [Device] interface gigabitethernet 1/0/1
    [Device-GigabitEthernet1/0/1] port-security max-mac-count 64
    

    # Set the port security mode to macAddressElseUserLoginSecure.

    [Device-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
    

    # Set the NTK mode of the port to ntkonly.

    [Device-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
    

Verifying the configuration

    # Display the port security configuration.

    <Device> display port-security interface gigabitethernet 1/0/1
     Equipment port-security is enabled
     Trap is disabled
     Disableport Timeout: 20s
     OUI value:
    
     GigabitEthernet1/0/1 is link-up
       Port mode is macAddressElseUserLoginSecure
       NeedToKnow mode is NeedToKnowOnly
       Intrusion Protection mode is NoAction
       Max MAC address number is 64
       Stored MAC address number is 0
       Authorization is permitted
       Security MAC address learning mode is sticky
       Security MAC address aging type is absolute  
    
    

    # Display MAC authentication information.

    <Device> display mac-authentication interface gigabitethernet 1/0/1
    MAC address authentication is enabled.
     User name format is fixed account
     Fixed username:aaa
     Fixed password: ******
              Offline detect period is 60s
              Quiet period is 5s
              Server response timeout value is 100s
              The max allowed user number is 2048 per slot
              Current user number amounts to 3
              Current domain is mac
    
    Silent MAC User info:
              MAC Addr         From Port                    Port Index
    
    GigabitEthernet1/0/1 is link-up
      MAC address authentication is enabled
      Authenticate success: 3, failed: 7
     Max number of on-line users is 2048
      Current online user number is 3
        MAC ADDR         Authenticate state           Auth Index
        1234-0300-0011   MAC_AUTHENTICATOR_SUCCESS     13
        1234-0300-0012   MAC_AUTHENTICATOR_SUCCESS     14
        1234-0300-0013   MAC_AUTHENTICATOR_SUCCESS     15
    
    

    # Display 802.1X authentication information.

    <Device> display dot1x interface gigabitethernet 1/0/1
     Equipment 802.1X protocol is enabled
     CHAP authentication is enabled
    EAD quick deploy is disabled
    
     Configuration: Transmit Period   30 s,  Handshake Period       15 s
                    Quiet Period      60 s,  Quiet Period Timer is disabled
                    Supp Timeout      30 s,  Server Timeout        100 s
                    The maximal retransmitting times    2
     EAD quick deploy configuration:
                    EAD timeout:    30m
    
     Total maximum 802.1X user resource number is 2048 per slot
     Total current used 802.1X resource number is 1
    
    GigabitEthernet1/0/1  is link-up
       802.1X protocol is enabled
       Handshake is enabled
       Handshake secure is disabled
       802.1X unicast-trigger is enabled
       Periodic reauthentication is disabled
       The port is an authenticator
       Authentication Mode is Auto
       Port Control Type is Mac-based
       802.1X Multicast-trigger is enabled
       Mandatory authentication domain: NOT configured
       Guest VLAN: NOT configured
       Auth-Fail VLAN: NOT configured
       Critical VLAN: NOT configured
       Critical recovery-action: NOT configured 
       Max number of on-line users is 2048
    
       EAPOL Packet: Tx 16331, Rx 102
       Sent EAP Request/Identity Packets : 16316
            EAP Request/Challenge Packets: 6
            EAP Success Packets: 4, Fail Packets: 5
       Received EAPOL Start Packets : 6
                EAPOL LogOff Packets: 2
                EAP Response/Identity Packets : 80
                EAP Response/Challenge Packets: 6
                Error Packets: 0
     1. Authenticated user : MAC address: 0002-0000-0011
    
       Controlled User(s) amount to 1
    

    Because NTK is enabled in ntkonly mode, the port forwards only unicast frames whose destination MAC address is known; frames with an unknown destination MAC address, a multicast address, or a broadcast address are discarded.