Example: Configuring ACL assignment for MAC authentication
Network configuration
As shown in Figure 48, configure the device to meet the following requirements:
Use RADIUS servers to perform authentication, authorization, and accounting for users.
Perform MAC authentication on HundredGigE 1/0/1 to control Internet access.
Use MAC-based user accounts for MAC authentication users. Each MAC address is written in hexadecimal with hyphens (xx-xx-xx-xx-xx-xx), with letters in lower case; the account name on the RADIUS servers must match this spelling exactly.
Use an ACL to deny authenticated users access to the FTP server at 10.0.0.1.
Figure 48: Network diagram
Procedure
Make sure the RADIUS servers and the access device can reach each other.
Configure ACL 3000 to deny all IP packets destined for 10.0.0.1. The wildcard mask 0 (shorthand for 0.0.0.0) makes the rule an exact host match, and the protocol keyword ip covers every IP protocol, not only FTP.
<Device> system-view
[Device] acl advanced 3000
[Device-acl-ipv4-adv-3000] rule 0 deny ip destination 10.0.0.1 0
[Device-acl-ipv4-adv-3000] quit
Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme. The shared key abc is a placeholder for this example; in production use a long random secret and configure the same key on the RADIUS servers.
[Device] radius scheme 2000
[Device-radius-2000] primary authentication 10.1.1.1 1812
[Device-radius-2000] primary accounting 10.1.1.2 1813
[Device-radius-2000] key authentication simple abc
[Device-radius-2000] key accounting simple abc
[Device-radius-2000] user-name-format without-domain
[Device-radius-2000] quit
# Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.
[Device] domain bbb
[Device-isp-bbb] authentication default radius-scheme 2000
[Device-isp-bbb] authorization default radius-scheme 2000
[Device-isp-bbb] accounting default radius-scheme 2000
[Device-isp-bbb] quit
# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain bbb
# Configure the device to use MAC-based user accounts. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication on HundredGigE 1/0/1.
[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] mac-authentication
[Device-HundredGigE1/0/1] quit
# Enable MAC authentication globally.
[Device] mac-authentication
Configure the RADIUS servers:
# Add a user account with 00-e0-fc-12-34-56 as both the username and password on each RADIUS server, matching the with-hyphen lowercase format configured on the device. (Details not shown.)
# Specify ACL 3000 as the authorization ACL for the user account. (Details not shown.)
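Two details in the procedure above are easy to get wrong: the RADIUS account name must be spelled exactly as the device builds it from the MAC address, and ACL 3000 blocks more than FTP because its single rule matches every IP protocol to the host. The following Python script is an added example, not part of the configuration guide or of the device software; it models the configured username format and Comware-style wildcard-mask matching of ACL 3000 against constructed sample traffic. The function names, the sample inputs and the permit-by-default behaviour for traffic matching no rule are assumptions of this example.

```python
import ipaddress
import re

# Added example (not from the configuration guide). It models:
#  (1) the username the device builds for a MAC address under
#      "mac-authentication user-name-format mac-address with-hyphen lowercase",
#      which must match the RADIUS account exactly, and
#  (2) how the single rule in ACL 3000 is matched against destination
#      addresses with a wildcard mask (0 bit = must match, 1 bit = don't care).


def mac_auth_username(mac: str) -> str:
    """Return the username (and password) the device sends for a MAC address.

    Accepts the usual spellings (00e0-fc12-3456 as in display output,
    00:E0:FC:12:34:56, 00e0.fc12.3456, 00E0FC123456) and returns the
    configured with-hyphen lowercase form, e.g. 00-e0-fc-12-34-56.
    """
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hex_digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(hex_digits[i:i + 2] for i in range(0, 12, 2)).lower()


def _ipv4_int(text: str) -> int:
    # The CLI accepts a bare "0" as shorthand for the wildcard 0.0.0.0.
    if text == "0":
        text = "0.0.0.0"
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match: bits set in the wildcard are ignored."""
    care = ~_ipv4_int(wildcard) & 0xFFFFFFFF
    return (_ipv4_int(addr) & care) == (_ipv4_int(base) & care)


# ACL 3000 exactly as configured on the page:
#   rule 0 deny ip destination 10.0.0.1 0
# "ip" matches every IP protocol, so ICMP (ping) and TCP/21 (FTP) are both hit.
ACL_3000 = [
    {"rule": 0, "action": "deny", "protocol": "ip", "dst": ("10.0.0.1", "0")},
]


def acl_action(acl, protocol: str, dst: str) -> str:
    """Evaluate rules in order and return the first matching rule's action.

    Assumption for this example: traffic matching no rule is permitted
    (the packet-filter default assumed here).
    """
    for rule in acl:
        if rule["protocol"] not in ("ip", protocol):
            continue
        base, wildcard = rule["dst"]
        if wildcard_match(dst, base, wildcard):
            return rule["action"]
    return "permit"


def check_example() -> dict:
    """Replay the page's scenario: host 00e0-fc12-3456 reaching 10.0.0.1."""
    # Constructed contrast: a sloppier rule with wildcard 0.0.0.255 denies
    # the whole 10.0.0.0/24, the usual mistake when a host match was intended.
    acl_loose = [{"rule": 0, "action": "deny", "protocol": "ip",
                  "dst": ("10.0.0.0", "0.0.0.255")}]
    return {
        "radius_account": mac_auth_username("00e0-fc12-3456"),
        "ping_ftp_server": acl_action(ACL_3000, "icmp", "10.0.0.1"),
        "ftp_to_server": acl_action(ACL_3000, "tcp", "10.0.0.1"),
        "ftp_to_other_host": acl_action(ACL_3000, "tcp", "10.0.0.2"),
        "loose_rule_other_host": acl_action(acl_loose, "tcp", "10.0.0.2"),
    }


if __name__ == "__main__":
    for key, value in check_example().items():
        print(f"{key:24s} {value}")
```

Running the script shows the RADIUS account name 00-e0-fc-12-34-56, deny for both ICMP and TCP to 10.0.0.1, and permit for 10.0.0.2 under ACL 3000; the loose variant denies 10.0.0.2 as well, which is why the wildcard on the rule deserves a second look before the ACL is handed out by the RADIUS server.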
Verifying the configuration
# Verify the MAC authentication configuration.
[Device] display mac-authentication
Global MAC authentication parameters:
 MAC authentication              : Enabled
 Username format                 : MAC address in lowercase(xx-xx-xx-xx-xx-xx)
 Username                        : mac
 Password                        : Not configured
 Offline detect period           : 300 s
 Quiet period                    : 60 s
 Server timeout                  : 100 s
 Reauth period                   : 3600 s
 Authentication domain           : bbb
 Online MAC-auth users           : 1

 Silent MAC users:
          MAC address       VLAN ID   From port               Port index

HundredGigE1/0/1 is link-up
 MAC authentication              : Enabled
 Carry User-IP                   : Disabled
 Authentication domain           : Not configured
 Auth-delay timer                : Disabled
 Periodic reauth                 : Disabled
 Re-auth server-unreachable      : Logoff
 Guest VLAN                      : Not configured
 Guest VLAN auth-period          : 30 s
 Critical VLAN                   : Not configured
 Critical voice VLAN             : Disabled
 Host mode                       : Single VLAN
 Offline detection               : Enabled
 Authentication order            : Default
 Guest VSI                       : Not configured
 Guest VSI auth-period           : 30 s
 Critical VSI                    : Not configured
 Auto-tag feature                : Disabled
 VLAN tag configuration ignoring : Disabled
 Max online users                : 4294967295
 Authentication attempts         : successful 1, failed 0
 Current online users            : 1
          MAC address       Auth state
          00e0-fc12-3456    Authenticated
# Verify that you cannot ping the FTP server from the host.
C:\>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
The output shows that ACL 3000 has been assigned as the authorization ACL for the authenticated user on HundredGigE 1/0/1. Because the rule denies all IP traffic to 10.0.0.1, ICMP to the FTP server fails, and so does FTP itself. Keep in mind that MAC authentication identifies a device only by its source MAC address, which any host can spoof; the ACL therefore follows the MAC address, not a verified user identity.