Example: Configuring local MAC authentication

Network configuration

As shown in Figure 46, the device performs local MAC authentication on HundredGigE 1/0/1 to control Internet access of users.

Configure the device to meet the following requirements:

Figure 46: Network diagram

Procedure

# Add a network access local user. In this example, configure both the username and password as Host A's MAC address 00-e0-fc-12-34-56.

<Device> system-view
[Device] local-user 00-e0-fc-12-34-56 class network
[Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56

# Specify the LAN access service for the user.

[Device-luser-network-00-e0-fc-12-34-56] service-type lan-access
[Device-luser-network-00-e0-fc-12-34-56] quit

# Configure ISP domain bbb to perform local authentication for LAN users.

[Device] domain bbb
[Device-isp-bbb] authentication lan-access local
[Device-isp-bbb] quit

# Enable MAC authentication on HundredGigE 1/0/1.

[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] mac-authentication
[Device-HundredGigE1/0/1] quit

# Specify ISP domain bbb as the MAC authentication domain.

[Device] mac-authentication domain bbb

# Configure MAC authentication timers.

[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180

# Configure MAC authentication to use MAC-based accounts. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.

[Device] mac-authentication user-name-format mac-address with-hyphen lowercase

# Enable MAC authentication globally.

[Device] mac-authentication

Verifying the configuration

# Display MAC authentication settings and statistics to verify your configuration.

[Device] display mac-authentication
Global MAC authentication parameters:
   MAC authentication     : Enabled
   User name format       : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
           Username       : mac
           Password       : Not configured
   Offline detect period  : 180 s
   Quiet period           : 180 s
   Server timeout         : 100 s
   Reauth period          : 3600 s
   Authentication domain  : bbb
 Online MAC-auth users    : 1

 Silent MAC users:
          MAC address       VLAN ID  From port               Port index
          00e0-fc11-1111    8        HGE1/0/1                1
 HundredGigE1/0/1 is link-up
   MAC authentication         : Enabled
   Carry User-IP              : Disabled
   Authentication domain      : Not configured
   Auth-delay timer           : Disabled
   Periodic reauth            : Disabled
   Re-auth server-unreachable : Logoff
   Guest VLAN                 : Not configured
   Guest VLAN auth-period     : 30 s
   Critical VLAN              : Not configured
   Critical voice VLAN        : Disabled
   Host mode                  : Single VLAN
   Offline detection          : Enabled
   Authentication order       : Default
   Guest VSI                  : Not configured
   Guest VSI auth-period      : 30 s
   Critical VSI               : Not configured
   Auto-tag feature           : Disabled
   VLAN tag configuration ignoring : Disabled
   Max online users           : 4294967295
   Authentication attempts    : successful 1, failed 0
   Current online users       : 1
          MAC address       Auth state
          00e0-fc12-3456    Authenticated

The output shows that Host A has passed MAC authentication and has come online. Host B failed MAC authentication and its MAC address is marked as a silent MAC address.