Configuring 802.1X MAC address binding
About 802.1X MAC address binding
This feature can automatically bind MAC addresses of authenticated 802.1X users to the users' access port and generate 802.1X MAC address binding entries. You can also use the dot1x mac-binding mac-address command to manually add 802.1X MAC address binding entries.
802.1X MAC address binding entries never age out. They survive a user logoff or a device reboot. A user whose MAC address is in a binding entry cannot pass 802.1X authentication on any other port.
Restrictions and guidelines
The 802.1X MAC address binding feature takes effect only when the port performs MAC-based access control.
To delete an 802.1X MAC address binding entry, you must use the undo dot1x mac-binding mac-address command. An 802.1X MAC address binding entry cannot be deleted when the user in the entry is online.
After the number of 802.1X MAC address binding entries reaches the upper limit of concurrent 802.1X users (set by using the dot1x max-user command), the following restrictions exist:
Users not in the binding entries will fail authentication even after users in the binding entries go offline.
New 802.1X MAC address binding entries are not allowed.
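The following Python model is an added example, not vendor code or device output. It shows how a full binding table keeps rejecting new users after bound users log off, until an entry is deleted. It assumes the authentication server accepts every user and that the dot1x max-user limit is counted per port; the class names, port names and MAC addresses are constructed.

```python
# Added model of the binding rules on this page; not vendor code.
# Assumptions: server accepts every user; dot1x max-user is counted per port.
class Port:
    def __init__(self, max_user):
        self.max_user = max_user   # value set with dot1x max-user
        self.bound = set()         # binding entries: never age out
        self.online = set()        # currently authenticated MACs

class Switch:
    def __init__(self, ports):
        self.ports = {name: Port(limit) for name, limit in ports.items()}

    def owner(self, mac):          # port a MAC is bound to, or None
        return next((n for n, p in self.ports.items() if mac in p.bound), None)

    def authenticate(self, port, mac):
        p, owner = self.ports[port], self.owner(mac)
        if owner not in (None, port):
            return "reject: bound to " + owner
        if owner is None and len(p.bound) >= p.max_user:
            return "reject: binding table full"   # holds even if nobody is online
        if mac not in p.online and len(p.online) >= p.max_user:
            return "reject: max-user reached"
        p.bound.add(mac)           # automatic binding on success
        p.online.add(mac)
        return "accept"

    def logoff(self, port, mac):
        self.ports[port].online.discard(mac)      # binding entry survives

    def unbind(self, port, mac):
        """Model of undo dot1x mac-binding mac-address; refused while online."""
        p = self.ports[port]
        if mac in p.online or mac not in p.bound:
            return False
        p.bound.remove(mac)
        return True

def demo():
    sw = Switch({"GE1/0/1": 2, "GE1/0/2": 2})     # constructed ports, limit 2
    a, b, c = "0011-2233-4401", "0011-2233-4402", "0011-2233-4403"
    log = [sw.authenticate("GE1/0/1", a), sw.authenticate("GE1/0/1", b)]
    sw.logoff("GE1/0/1", a)
    log.append(sw.authenticate("GE1/0/1", c))     # table full, a is offline
    log.append(sw.authenticate("GE1/0/2", a))     # a tries another port
    log.append(sw.unbind("GE1/0/1", b))           # b is still online
    log.append(sw.unbind("GE1/0/1", a))           # a is offline: allowed
    log.append(sw.authenticate("GE1/0/1", c))     # a slot is free again
    return log
```
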
Procedure
1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Enable the 802.1X MAC address binding feature.
   dot1x mac-binding enable
   By default, the feature is disabled.
4. (Optional.) Manually add an 802.1X MAC address binding entry.
   dot1x mac-binding mac-address
   By default, no 802.1X MAC address binding entries exist on a port.