Configuring the macAddressElseUserLoginSecure mode
Network requirements
As shown in Figure 71, a client is connected to the device through GigabitEthernet 1/0/1. The device authenticates the client through a RADIUS server. If the authentication succeeds, the client is authorized to access the Internet.
Restrict port GigabitEthernet 1/0/1 of the device as follows:
Allow more than one MAC authenticated user to log on.
For 802.1X users, perform MAC authentication first. Then, if MAC authentication fails, perform 802.1X authentication. Allow only one 802.1X user to log on.
Set fixed username and password for MAC authentication.
Set the total number of MAC authenticated users and 802.1X authenticated users to 64.
Enable NTK to prevent frames from being sent to unknown MAC addresses.
Configuration procedure
Configuration procedures for the host and RADIUS servers are not shown.
Configuration on the device:
Configure the RADIUS protocol:
Configure the RADIUS authentication/accounting and ISP domain settings the same as in Configuring the userLoginWithOUI mode.
Configure port security:
# Enable port security.
<Device> system-view
[Device] port-security enable
# Configure a MAC authentication user, setting the username and password to aaa and 123456.
[Device] mac-authentication user-name-format fixed account aaa password simple 123456
# Specify ISP domain sun for MAC authentication.
[Device] mac-authentication domain sun
# Set the 802.1X authentication method to CHAP. (This configuration is optional. By default, the authentication method is CHAP for 802.1X.)
[Device] dot1x authentication-method chap
# Enter the view of interface GigabitEthernet 1/0/1.
[Device] interface gigabitethernet 1/0/1
# Set port security's limit on the number of MAC addresses to 64 on the port.
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
# Set the port security mode to macAddressElseUserLoginSecure.
[Device-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
# Set the NTK mode of the port to ntkonly.
[Device-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
Verifying the configuration
# Display the port security configuration.
<Device> display port-security interface gigabitethernet 1/0/1
 Equipment port-security is enabled
 Trap is disabled
 Disableport Timeout: 20s
 OUI value:
 GigabitEthernet1/0/1 is link-up
   Port mode is macAddressElseUserLoginSecure
   NeedToKnow mode is NeedToKnowOnly
   Intrusion Protection mode is NoAction
   Max MAC address number is 64
   Stored MAC address number is 0
   Authorization is permitted
   Security MAC address learning mode is sticky
   Security MAC address aging type is absolute
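A small verification helper, added here as an example and not part of the original guide: it parses the display port-security output above (embedded as a constructed sample string) and reports any field that differs from the settings this example requires (port security enabled, mode macAddressElseUserLoginSecure, NTK mode NeedToKnowOnly, 64 MAC addresses). The field names and the check function are this example's own.

```python
import re

# Sample output, mirroring the display listing above; embedded as a
# constructed string so the check runs offline.
SAMPLE_OUTPUT = """\
<Device> display port-security interface gigabitethernet 1/0/1
 Equipment port-security is enabled
 Trap is disabled
 Disableport Timeout: 20s
 OUI value:
 GigabitEthernet1/0/1 is link-up
   Port mode is macAddressElseUserLoginSecure
   NeedToKnow mode is NeedToKnowOnly
   Intrusion Protection mode is NoAction
   Max MAC address number is 64
   Stored MAC address number is 0
   Authorization is permitted
   Security MAC address learning mode is sticky
   Security MAC address aging type is absolute
"""

# Expected values, taken from the network requirements of this example.
EXPECTED = {
    "port_security": "enabled",
    "port_mode": "macAddressElseUserLoginSecure",
    "ntk_mode": "NeedToKnowOnly",
    "max_mac": 64,
}

# One pattern per field; each captures the value after its fixed label.
FIELDS = {
    "port_security": r"Equipment port-security is (\w+)",
    "port_mode": r"Port mode is (\S+)",
    "ntk_mode": r"NeedToKnow mode is (\S+)",
    "max_mac": r"Max MAC address number is (\d+)",
    "intrusion_mode": r"Intrusion Protection mode is (\S+)",
}


def parse_port_security(output):
    """Extract the fields listed in FIELDS into a dict (numbers as int)."""
    parsed = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, output)
        if m:
            val = m.group(1)
            parsed[key] = int(val) if val.isdigit() else val
    return parsed


def check_port_security(output, expected=EXPECTED):
    """Return (field, expected, actual) tuples for mismatches; empty means OK."""
    parsed = parse_port_security(output)
    return [(k, v, parsed.get(k)) for k, v in expected.items() if parsed.get(k) != v]


if __name__ == "__main__":
    for field, want, got in check_port_security(SAMPLE_OUTPUT):
        print(f"MISMATCH {field}: expected {want!r}, got {got!r}")
```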
# Display MAC authentication information.
<Device> display mac-authentication interface gigabitethernet 1/0/1
 MAC address authentication is enabled.
 User name format is fixed account
  Fixed username:aaa
  Fixed password: ******
 Offline detect period is 60s
 Quiet period is 5s
 Server response timeout value is 100s
 The max allowed user number is 2048 per slot
 Current user number amounts to 3
 Current domain is mac
 Silent MAC User info:
  MAC Addr         From Port          Port Index
 GigabitEthernet1/0/1 is link-up
  MAC address authentication is enabled
  Authenticate success: 3, failed: 7
  Max number of on-line users is 2048
  Current online user number is 3
  MAC ADDR          Authenticate state          Auth Index
  1234-0300-0011    MAC_AUTHENTICATOR_SUCCESS   13
  1234-0300-0012    MAC_AUTHENTICATOR_SUCCESS   14
  1234-0300-0013    MAC_AUTHENTICATOR_SUCCESS   15
# Display 802.1X authentication information.
<Device> display dot1x interface gigabitethernet 1/0/1
 Equipment 802.1X protocol is enabled
 CHAP authentication is enabled
 EAD quick deploy is disabled
 Configuration: Transmit Period   30 s, Handshake Period   15 s
                Quiet Period      60 s, Quiet Period Timer is disabled
                Supp Timeout      30 s, Server Timeout    100 s
                The maximal retransmitting times  2
 EAD quick deploy configuration:
                EAD timeout: 30m
 Total maximum 802.1X user resource number is 2048 per slot
 Total current used 802.1X resource number is 1
 GigabitEthernet1/0/1 is link-up
   802.1X protocol is enabled
   Handshake is enabled
   Handshake secure is disabled
   802.1X unicast-trigger is enabled
   Periodic reauthentication is disabled
   The port is an authenticator
   Authentication Mode is Auto
   Port Control Type is Mac-based
   802.1X Multicast-trigger is enabled
   Mandatory authentication domain: NOT configured
   Guest VLAN: NOT configured
   Auth-Fail VLAN: NOT configured
   Critical VLAN: NOT configured
   Critical recovery-action: NOT configured
   Max number of on-line users is 2048
   EAPOL Packet: Tx 16331, Rx 102
   Sent EAP Request/Identity Packets : 16316
        EAP Request/Challenge Packets: 6
        EAP Success Packets: 4, Fail Packets: 5
   Received EAPOL Start Packets : 6
        EAPOL LogOff Packets: 2
        EAP Response/Identity Packets : 80
        EAP Response/Challenge Packets: 6
        Error Packets: 0
 1. Authenticated user : MAC address: 0002-0000-0011
 Controlled User(s) amount to 1
Because NTK is enabled in ntkonly mode, the port discards frames with an unknown destination MAC address, a multicast address, or a broadcast address.