Example: Configuring RADIUS-based MAC authentication
Network configuration
As shown in Figure 47, the device uses RADIUS servers to perform authentication, authorization, and accounting for users.
To control user access to the Internet by MAC authentication, perform the following tasks:
Enable MAC authentication globally and on HundredGigE 1/0/1.
Configure the device to detect whether a user has gone offline every 180 seconds.
Configure the device to deny a user for 180 seconds if the user fails MAC authentication.
Configure all users to belong to ISP domain bbb.
Use a shared user account for all users, with username aaa and password 123456.
Figure 47: Network diagram
Procedure
Make sure the RADIUS server and the access device can reach each other. (Details not shown.)
Configure the RADIUS servers:
# Create a shared account for MAC authentication users. (Details not shown.)
# Set username aaa and password 123456 for the account. (Details not shown.)
Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
<Device> system-view
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication simple abc
[Device-radius-2000] key accounting simple abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to ISP domain bbb for authentication, authorization, and accounting.
[Device] domain bbb
[Device-isp-bbb] authentication default radius-scheme 2000
[Device-isp-bbb] authorization default radius-scheme 2000
[Device-isp-bbb] accounting default radius-scheme 2000
[Device-isp-bbb] quit
# Enable MAC authentication on HundredGigE 1/0/1.
[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] mac-authentication
[Device-HundredGigE1/0/1] quit
# Specify the MAC authentication domain as ISP domain bbb.
[Device] mac-authentication domain bbb
# Set MAC authentication timers.
[Device] mac-authentication timer offline-detect 180
[Device] mac-authentication timer quiet 180
# Specify username aaa and password 123456 in plain text for the account shared by MAC authentication users.
[Device] mac-authentication user-name-format fixed account aaa password simple 123456
# Enable MAC authentication globally.
[Device] mac-authentication
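The following Python model is added here to make the procedure above concrete; it is not vendor code and does not come from the original page. It builds the RADIUS Access-Request that the access device sends to the primary authentication server 10.1.1.1:1812 for a client on HundredGigE 1/0/1: User-Name carries the fixed account aaa with the ISP domain stripped (user-name-format without-domain), User-Password carries 123456 hidden under the shared secret abc as RFC 2865 section 5.2 specifies, and Calling-Station-Id carries the client MAC. The device address 192.0.2.1, the MAC string format and the exact attribute set are assumptions made for the example.

```python
"""Constructed model of the Access-Request for RADIUS-based MAC authentication.

Added example, not vendor code. Values marked 'from config' come from the
procedure above; everything else is an assumption for illustration.
"""
import hashlib
import os
import struct

SHARED_SECRET = b"abc"             # from config: key authentication simple abc
FIXED_USERNAME = "aaa"             # from config: fixed account aaa
FIXED_PASSWORD = "123456"          # from config: password simple 123456
ISP_DOMAIN = "bbb"                 # from config: mac-authentication domain bbb
AUTH_SERVER = ("10.1.1.1", 1812)   # from config: primary authentication
NAS_IP = "192.0.2.1"               # assumed device address (documentation range)

# RFC 2865 packet code and attribute types used here.
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_PORT_TYPE = 61
NAS_PORT_TYPE_ETHERNET = 15


def format_user_name(account: str, domain: str, without_domain: bool) -> str:
    """Apply the scheme's user-name-format: without-domain drops '@domain'."""
    return account if without_domain else f"{account}@{domain}"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with an MD5 keystream
    chained on the previous ciphertext block (first block keyed on the Request
    Authenticator). The secret is the only thing protecting the password."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password as the server performs it; strips NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(client_mac: str, identifier: int,
                         authenticator: bytes = None,
                         without_domain: bool = True) -> bytes:
    """Build the Access-Request the device sends for one MAC-authentication client.
    Every client presents the same fixed account; only Calling-Station-Id differs."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator must be fresh
    user = format_user_name(FIXED_USERNAME, ISP_DOMAIN, without_domain)
    attrs = (
        attr(ATTR_USER_NAME, user.encode())
        + attr(ATTR_USER_PASSWORD,
               hide_password(FIXED_PASSWORD.encode(), SHARED_SECRET, authenticator))
        + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split(".")))
        + attr(ATTR_CALLING_STATION_ID, client_mac.encode())  # assumed MAC format
        + attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
    )
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes):
    """Decode code, identifier, authenticator and a {type: value} attribute map."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    pkt = build_access_request("00e0-fc12-3456", identifier=1)
    code, ident, ra, attrs = parse_attributes(pkt)
    print("User-Name:", attrs[ATTR_USER_NAME].decode())
    print("Password recovered by server:",
          reveal_password(attrs[ATTR_USER_PASSWORD], SHARED_SECRET, ra).decode())
    print("Calling-Station-Id:", attrs[ATTR_CALLING_STATION_ID].decode())
```

Running the model makes the trust relationship of this design visible: since every client on the port presents the same aaa/123456 pair, the server's accept decision rests on the fixed account and on the RADIUS shared secret, not on anything specific to the client. The User-Password hiding is an MD5 keystream keyed only by that secret, so the real deployment should use a long, unique secret in place of the documentation value abc, and the MAC-to-port binding shown by display mac-authentication is the record to watch on the device side.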
Verifying the configuration
# Verify the MAC authentication configuration.
[Device] display mac-authentication
Global MAC authentication parameters:
 MAC authentication          : Enabled
 Username format             : Fixed account
  Username                   : aaa
  Password                   : ******
 Offline detect period       : 180 s
 Quiet period                : 180 s
 Server timeout              : 100 s
 Reauth period               : 3600 s
 Authentication domain       : bbb
Online MAC-auth users        : 1

Silent MAC users:
 MAC address       VLAN ID  From port              Port index

HundredGigE1/0/1 is link-up
 MAC authentication          : Enabled
 Carry User-IP               : Disabled
 Authentication domain       : Not configured
 Auth-delay timer            : Disabled
 Periodic reauth             : Disabled
 Re-auth server-unreachable  : Logoff
 Guest VLAN                  : Not configured
 Guest VLAN auth-period      : 30 s
 Critical VLAN               : Not configured
 Critical voice VLAN         : Disabled
 Host mode                   : Single VLAN
 Offline detection           : Enabled
 Authentication order        : Default
 Guest VSI                   : Not configured
 Guest VSI auth-period       : 30 s
 Critical VSI                : Not configured
 Auto-tag feature            : Disabled
 VLAN tag configuration ignoring : Disabled
 Max online users            : 4294967295
 Authentication attempts     : successful 1, failed 0
 Current online users        : 1
  MAC address       Auth state
  00e0-fc12-3456    Authenticated