Example: Configuring MAC authentication authorization VSI assignment
Network configuration
As shown in Figure 49, configure the device to meet the following requirements:
Use RADIUS servers to perform authentication, authorization, and accounting for users.
Perform MAC authentication on HundredGigE 1/0/1 to control Internet access.
Configure the RADIUS server to assign VSI bbb to the host when the host passes MAC authentication.
Authenticate all users in ISP domain 2000.
Use MAC-based user accounts for MAC authentication users. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
Figure 49: Network diagram
Procedure
Make sure the RADIUS servers and the access device can reach each other.
Configure the RADIUS servers:
# Configure the RADIUS servers to provide authentication, authorization, and accounting services. (Details not shown.)
# Add a user account with d4-85-64-be-c6-3e as both the username and password on each RADIUS server. (Details not shown.)
# Specify VSI bbb as the authorization VSI for the user account. (Details not shown.)
NOTE:
If an ADCAM server is used for authentication and authorization, configure VSIs on the server. The server will assign these VSIs to the device. You do not need to configure VSIs on the device.
Configure RADIUS-based MAC authentication on the device:
# Configure a RADIUS scheme.
<Device> system-view
[Device] radius scheme bbb
[Device-radius-bbb] primary authentication 10.1.1.1
[Device-radius-bbb] primary accounting 10.1.1.2
[Device-radius-bbb] key authentication simple bbb
[Device-radius-bbb] key accounting simple bbb
[Device-radius-bbb] user-name-format without-domain
[Device-radius-bbb] quit
# Apply the RADIUS scheme to ISP domain 2000 for authentication, authorization, and accounting.
[Device] domain 2000
[Device-isp-2000] authentication lan-access radius-scheme bbb
[Device-isp-2000] authorization lan-access radius-scheme bbb
[Device-isp-2000] accounting lan-access radius-scheme bbb
[Device-isp-2000] quit
# Enable MAC authentication on HundredGigE 1/0/1.
[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] mac-authentication
# Enable the MAC match mode for dynamic Ethernet service instances on HundredGigE 1/0/1.
[Device-HundredGigE1/0/1] mac-based ac
[Device-HundredGigE1/0/1] quit
# Enable L2VPN.
[Device] l2vpn enable
# Create a VSI named bbb and the associated VXLAN.
[Device] vsi bbb
[Device-vsi-bbb] vxlan 5
[Device-vsi-bbb-vxlan-5] quit
# Specify the ISP domain for MAC authentication.
[Device] mac-authentication domain 2000
# Configure the device to use MAC-based user accounts. Each MAC address is in the hexadecimal notation with hyphens, and letters are in lower case.
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# Enable MAC authentication globally.
[Device] mac-authentication
Verifying the configuration
# Verify that VSI bbb is assigned to the MAC authentication user after the user passes authentication.
[Device] display mac-authentication connection
Slot ID: 1
 User MAC address: d485-64be-c63e
 Access interface: GigabitEthernet1/0/1
 Username: d4-85-64-be-c6-3e
 Authentication domain: 2000
 Initial VLAN: 1
 Authorization untagged VLAN: N/A
 Authorization tagged VLAN: N/A
 Authorization VSI name: bbb
 Authorization ACL ID: N/A
 Authorization user profile: N/A
 Authorization URL: N/A
 Termination action: N/A
 Session timeout period: N/A
 Online from: 2016/06/13 09:06:37
 Online duration: 0h 0m 35s
Total connections: 1
# Verify that a dynamic AC is created for MAC address d485-64be-c63e.
[Device] display l2vpn forwarding ac verbose
VSI Name: bbb
  Interface: GE1/0/1    Service Instance: 1
    Link ID      : 0
    Access Mode  : VLAN
    Encapsulation: untagged
    Type         : Dynamic (MAC-based)
    MAC address  : d485-64be-c63e
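A RADIUS account for a MAC authentication user only matches if its username is built exactly as the device's mac-authentication user-name-format produces it, and the verification step above is where a mismatch (or a missing VSI attribute on the server) shows up. The following is an added helper, not part of this guide or of the device firmware: it derives the username from a MAC in any common notation for the format options the guide uses (with-hyphen, lowercase) and their counterparts, and checks a captured display mac-authentication connection output for the expected username and authorization VSI. The sample output is constructed to mirror the fields shown above.

```python
import re

# Constructed sample of "display mac-authentication connection" output,
# trimmed to the fields the check below needs.
SAMPLE_CONNECTION_OUTPUT = """\
Slot ID: 1
 User MAC address: d485-64be-c63e
 Access interface: GigabitEthernet1/0/1
 Username: d4-85-64-be-c6-3e
 Authentication domain: 2000
 Authorization VSI name: bbb
"""


def parse_mac(mac):
    """Accept d485-64be-c63e, d4:85:64:be:c6:3e, d4-85-64-be-c6-3e, etc.
    and return the 12 hex digits in lower case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def mac_auth_username(mac, with_hyphen=True, lowercase=True):
    """Username the device sends for a MAC authentication user, following
    'mac-authentication user-name-format mac-address [with-hyphen] [lowercase|uppercase]'.
    The RADIUS account name (and password, in this example) must equal this string."""
    hex12 = parse_mac(mac)
    if not lowercase:
        hex12 = hex12.upper()
    if with_hyphen:
        return "-".join(hex12[i:i + 2] for i in range(0, 12, 2))
    return hex12


def parse_connection(output):
    """Turn the 'Field: value' lines of the display output into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_vsi_assignment(output, expected_vsi, with_hyphen=True, lowercase=True):
    """True only if the online user's name matches the configured format
    and the server assigned the expected authorization VSI."""
    f = parse_connection(output)
    expected_user = mac_auth_username(f["User MAC address"], with_hyphen, lowercase)
    return f.get("Username") == expected_user and f.get("Authorization VSI name") == expected_vsi
```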