Example: Configuring local MAC authentication
Network configuration
As shown in Figure 46, the device performs local MAC authentication on HundredGigE 1/0/1 to control Internet access of users.
Configure the device to meet the following requirements:
Detect whether a user has gone offline every 180 seconds.
Deny a user for 180 seconds if the user fails MAC authentication.
Authenticate all users in ISP domain bbb.
Use the MAC address of each user as the username and password for authentication. A MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
Figure 46: Network diagram
Procedure
# Add a network access local user. In this example, configure both the username and password as Host A's MAC address 00-e0-fc-12-34-56.
<Device> system-view
[Device] local-user 00-e0-fc-12-34-56 class network
[Device-luser-network-00-e0-fc-12-34-56] password simple 00-e0-fc-12-34-56
# Specify the LAN access service for the user.
[Device-luser-network-00-e0-fc-12-34-56] service-type lan-access
[Device-luser-network-00-e0-fc-12-34-56] quit
# Configure ISP domain bbb to perform local authentication for LAN users.
[Device] domain bbb
[Device-isp-bbb] authentication lan-access local
[Device-isp-bbb] quit
# Enable MAC authentication on HundredGigE 1/0/1.
[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] mac-authentication
[Device-HundredGigE1/0/1] quit
# Specify ISP domain bbb as the MAC authentication domain.
[Device] mac-authentication domain bbb
# Configure MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180
# Configure MAC authentication to use MAC-based accounts. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication globally.
[Device] mac-authentication
Verifying the configuration
# Display MAC authentication settings and statistics to verify your configuration.
[Device] display mac-authentication
 Global MAC authentication parameters:
   MAC authentication                  : Enabled
   User name format                    : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
           Username                    : mac
           Password                    : Not configured
   Offline detect period               : 180 s
   Quiet period                        : 180 s
   Server timeout                      : 100 s
   Reauth period                       : 3600 s
   Authentication domain               : bbb
 Online MAC-auth users                 : 1

 Silent MAC users:
          MAC address       VLAN ID  From port               Port index
          00e0-fc11-1111    8        HGE1/0/1                1

 HundredGigE1/0/1  is link-up
   MAC authentication                  : Enabled
   Carry User-IP                       : Disabled
   Authentication domain               : Not configured
   Auth-delay timer                    : Disabled
   Periodic reauth                     : Disabled
   Re-auth server-unreachable          : Logoff
   Guest VLAN                          : Not configured
   Guest VLAN auth-period              : 30 s
   Critical VLAN                       : Not configured
   Critical voice VLAN                 : Disabled
   Host mode                           : Single VLAN
   Offline detection                   : Enabled
   Authentication order                : Default
   Guest VSI                           : Not configured
   Guest VSI auth-period               : 30 s
   Critical VSI                        : Not configured
   Auto-tag feature                    : Disabled
   VLAN tag configuration ignoring     : Disabled
   Max online users                    : 4294967295
   Authentication attempts             : successful 1, failed 0
   Current online users                : 1
          MAC address       Auth state
          00e0-fc12-3456    Authenticated
The output shows that Host A has passed MAC authentication and has come online. Host B failed MAC authentication and its MAC address is marked as a silent MAC address.
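The local user name must be written in the same notation that user-name-format selects (with hyphens, lowercase), while inventories and the display output above (00e0-fc12-3456) often use other notations. The following added example, which is not part of the original procedure, normalizes addresses to the account format and builds the local-user commands used in this example for each host. The function names and the sample inventory are hypothetical and constructed for illustration.

```python
import re

# Added example: helper names are hypothetical and the inventory is constructed.
# The last entry is deliberately one digit short to show the rejection path.
SAMPLE_INVENTORY = ["00E0.FC12.3456", "00:e0:fc:12:34:57", "00e0-fc12-3458", "00-E0-FC-12-34-5"]

def to_account_name(mac):
    """Return the MAC as xx-xx-xx-xx-xx-xx in lowercase, or raise ValueError."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def local_user_commands(mac):
    """Build the system-view commands from the procedure for one host."""
    name = to_account_name(mac)
    return [
        f"local-user {name} class network",
        f"password simple {name}",
        "service-type lan-access",
        "quit",
    ]

def build_config(inventory):
    """Return (commands, rejected) for raw MAC strings, skipping duplicates."""
    commands, rejected, seen = [], [], set()
    for raw in inventory:
        try:
            name = to_account_name(raw)
        except ValueError:
            rejected.append(raw)  # report bad entries instead of creating accounts
            continue
        if name in seen:
            continue  # same host listed twice in different notations
        seen.add(name)
        commands.extend(local_user_commands(name))
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = build_config(SAMPLE_INVENTORY)
    print("\n".join(cmds))
    for raw in bad:
        print(f"# skipped invalid entry: {raw}")
```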